Windows Analysis Report
F0qGTeCiiA.exe

Overview

General Information

Sample name: F0qGTeCiiA.exe (renamed because original name is a hash value)
Original sample name: 1f6d33c70cd3b911b36e180895842126.exe
Analysis ID: 1604944
MD5: 1f6d33c70cd3b911b36e180895842126
SHA1: 2e6067cecdc6d7c2b00a7d7df9b23cacb62a0ace
SHA256: 15724aa9d7938d2f9c37e073698c4b05dc0c30b2b8699dea083652b2cf0d9768
Tags: exe, user-abuse_ch

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • F0qGTeCiiA.exe (PID: 6504 cmdline: "C:\Users\user\Desktop\F0qGTeCiiA.exe" MD5: 1F6D33C70CD3B911B36E180895842126)
    • chrome.exe (PID: 3808 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=F0qGTeCiiA.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 5180 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=2068,i,2525134581122787594,7886580695100849804,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7728 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=F0qGTeCiiA.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 7916 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1976,i,17277778439887522873,9680616898233364702,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
{"C2 url": "https://warlikedbeliev.org/api", "Build Version": "LOGS11--6969"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: F0qGTeCiiA.exe PID: 6504 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: F0qGTeCiiA.exe PID: 6504 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: F0qGTeCiiA.exe PID: 6504 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: F0qGTeCiiA.exe PID: 6504 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-02T07:57:32.290463+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:32.994563+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:34.479367+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:35.803899+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:37.221477+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:39.115526+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:41.393239+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:43.131139+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:32.476864+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:33.764768+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:43.949113+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:32.476864+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:33.764768+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:44.655129+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49739 | 185.215.113.16 | 80 | TCP
2025-02-02T07:57:39.818751+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 104.21.18.116 | 443 | TCP
2025-02-02T07:57:41.397749+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 104.21.18.116 | 443 | TCP

              AV Detection

              Source: F0qGTeCiiA.exe | Avira: detected
              Source: https://warlikedbeliev.org/8 | Avira URL Cloud: Label: malware
              Source: https://warlikedbeliev.org/apiX | Avira URL Cloud: Label: malware
              Source: https://warlikedbeliev.org/apiR | Avira URL Cloud: Label: malware
              Source: https://warlikedbeliev.org/g8Ub | Avira URL Cloud: Label: malware
              Source: F0qGTeCiiA.exe.6504.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": "https://warlikedbeliev.org/api", "Build Version": "LOGS11--6969"}
              Source: F0qGTeCiiA.exe | Virustotal: Detection: 56%
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
              Source: F0qGTeCiiA.exe | Joe Sandbox ML: detected
              Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=F0qGTeCiiA.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 | HTTP Parser: No favicon
              Source: F0qGTeCiiA.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49732 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49733 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49734 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49735 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49736 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49737 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49738 version: TLS 1.2
              Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: F0qGTeCiiA.exe, 00000000.00000003.1883281131.00000000081E0000.00000004.00001000.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000002.1976399553.00000000060C2000.00000040.00000800.00020000.00000000.sdmp

              Networking

              Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49736 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49737 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.18.116:443
              Source: Malware configuration extractor | URLs: https://warlikedbeliev.org/api
              Source: global traffic | TCP traffic: 192.168.2.4:54864 -> 1.1.1.1:53
              Source: global traffic | TCP traffic: 192.168.2.4:60279 -> 162.159.36.2:53
              Source: global traffic | HTTP traffic detected:
                  HTTP/1.1 200 OK
                  Server: nginx/1.18.0 (Ubuntu)
                  Date: Sun, 02 Feb 2025 06:57:42 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 2784768
                  Last-Modified: Sun, 02 Feb 2025 06:11:35 GMT
                  Connection: keep-alive
                  ETag: "679f0c97-2a7e00"
                  Accept-Ranges: bytes
              Source: Joe Sandbox View | IP Address: 185.215.113.16
              Source: Joe Sandbox View | IP Address: 104.21.18.116
              Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.18.116:443
              Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49739 -> 185.215.113.16:80
              Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32
              Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.16
              Source: global traffic | HTTP traffic detected:
                  GET /off/def.exe HTTP/1.1
                  Connection: Keep-Alive
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Host: 185.215.113.16
              Source: chromecache_75.6.dr, chromecache_95.6.dr | String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
              Source: chromecache_75.6.dr, chromecache_95.6.dr | String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
              Source: global traffic | DNS traffic detected: DNS query: warlikedbeliev.org
              Source: global traffic | DNS traffic detected: DNS query: js.monitor.azure.com
              Source: global traffic | DNS traffic detected: DNS query: www.google.com
              Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
              Source: global traffic | DNS traffic detected: DNS query: mdec.nelreports.net
              Source: unknown | HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 8
                  Host: warlikedbeliev.org
              Source: global traffic | HTTP traffic detected:
                  HTTP/1.1 403 Forbidden
                  Date: Sun, 02 Feb 2025 06:57:32 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  X-Frame-Options: SAMEORIGIN
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gt8RDbrWoGN0r8syADXM4fHp0Qc3gA5Pt9G0P4cXYarxDi8On4jh13agBsQ%2B7LPznJ71NGUSVEmJEWH9FQMgt2a5mWWKi%2BIVSYbPZTg2SJOrnS5rvmoE5AqY31uKNdpwgNTzUCU%3D"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 90b849a1abba4286-EWR
              Source: F0qGTeCiiA.exe, 00000000.00000003.1883885852.0000000001229000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000002.1972505503.0000000001229000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/def.exe
              Source: F0qGTeCiiA.exe, 00000000.00000002.1972280037.0000000000BEB000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/def.exeHr65tzaKWJ5oNQcOLVM-1738479452-0.0.1.1-/api119.0.0.0
              Source: F0qGTeCiiA.exe, 00000000.00000003.1883885852.0000000001229000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000002.1972505503.0000000001229000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/def.exeg
              Source: F0qGTeCiiA.exe, 00000000.00000003.1718313489.00000000058AB000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1718391040.00000000058AB000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1718253061.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: chromecache_75.6.dr, chromecache_95.6.drString found in binary or memory: https://channel9.msdn.com/
              Source: chromecache_75.6.dr, chromecache_95.6.drString found in binary or memory: https://client-api.arkoselabs.com/v2/api.js
              Source: F0qGTeCiiA.exe, 00000000.00000003.1718313489.00000000058AB000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1718391040.00000000058AB000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1718253061.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: F0qGTeCiiA.exe, 00000000.00000003.1718313489.00000000058AB000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1718391040.00000000058AB000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1718253061.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: F0qGTeCiiA.exe, 00000000.00000003.1718313489.00000000058AB000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1718391040.00000000058AB000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1718253061.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: chromecache_100.6.drString found in binary or memory: https://github.com/Thraka
              Source: chromecache_100.6.drString found in binary or memory: https://github.com/Youssef1313
              Source: chromecache_100.6.drString found in binary or memory: https://github.com/adegeo
              Source: chromecache_100.6.drString found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
              Source: chromecache_100.6.drString found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
              Source: chromecache_100.6.drString found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
              Source: chromecache_100.6.drString found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
              Source: chromecache_75.6.dr, chromecache_95.6.drString found in binary or memory: https://github.com/dotnet/try
              Source: chromecache_100.6.drString found in binary or memory: https://github.com/gewarren
              Source: chromecache_75.6.dr, chromecache_95.6.drString found in binary or memory: https://github.com/jonschlinkert/is-plain-object
              Source: chromecache_75.6.dr, chromecache_95.6.drString found in binary or memory: https://github.com/js-cookie/js-cookie
              Source: chromecache_100.6.drString found in binary or memory: https://github.com/mairaw
              Source: chromecache_100.6.drString found in binary or memory: https://github.com/nschonni
              Source: chromecache_100.6.drString found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
              Source: chromecache_75.6.dr, chromecache_95.6.drString found in binary or memory: https://learn-video.azurefd.net/vod/player
              Source: chromecache_75.6.dr, chromecache_95.6.drString found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
              Source: chromecache_75.6.dr, chromecache_95.6.drString found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0
              Source: chromecache_75.6.dr, chromecache_95.6.drString found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
              Source: chromecache_75.6.dr, chromecache_95.6.drString found in binary or memory: https://octokit.github.io/rest.js/#throttling
              Source: chromecache_95.6.drString found in binary or memory: https://schema.org
              Source: F0qGTeCiiA.exe, 00000000.00000003.1718692337.00000000058C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
              Source: F0qGTeCiiA.exe, 00000000.00000003.1745872597.000000000598B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: F0qGTeCiiA.exe, 00000000.00000003.1745872597.000000000598B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: F0qGTeCiiA.exe, 00000000.00000003.1718772977.00000000058BA000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1731504488.00000000058BA000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1731269691.00000000058BA000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1731081580.00000000058BA000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1718692337.00000000058C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: F0qGTeCiiA.exe, 00000000.00000003.1718772977.0000000005895000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: F0qGTeCiiA.exe, 00000000.00000003.1718772977.00000000058BA000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1731504488.00000000058BA000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1731269691.00000000058BA000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1731081580.00000000058BA000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1718692337.00000000058C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: F0qGTeCiiA.exe, 00000000.00000003.1718772977.0000000005895000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: chromecache_75.6.dr, chromecache_95.6.drString found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
              Source: chromecache_75.6.dr, chromecache_95.6.drString found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05
              Source: chromecache_95.6.drString found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9
              Source: F0qGTeCiiA.exe, 00000000.00000003.1731165682.000000000587E000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1777168602.0000000001231000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1731328532.000000000587E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://warlikedbeliev.org/
              Source: F0qGTeCiiA.exe, 00000000.00000002.1975067667.0000000005860000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1805198578.0000000005866000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://warlikedbeliev.org/8
              Source: F0qGTeCiiA.exe, 00000000.00000003.1793063429.0000000005881000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1780971809.0000000005881000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1777705033.0000000005881000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1731463159.000000000123E000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1762444708.000000000587A000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1883885852.0000000001229000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1805088002.0000000005881000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1765132130.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1777168602.0000000001231000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1762518627.000000000587E000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1777272972.0000000005866000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1762245020.000000000587A000.00000004.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000002.1972505503.00000000011A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://warlikedbeliev.org/api
              Source: F0qGTeCiiA.exe, 00000000.00000003.1804912043.0000000001231000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1777168602.0000000001231000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1783590744.0000000001231000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1780917274.0000000001231000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1793011987.0000000001231000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://warlikedbeliev.org/apiR
              Source: F0qGTeCiiA.exe, 00000000.00000003.1703763763.00000000011BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://warlikedbeliev.org/apiX
              Source: F0qGTeCiiA.exe, 00000000.00000003.1703854568.00000000011A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://warlikedbeliev.org/g8Ub
              Source: F0qGTeCiiA.exe, 00000000.00000003.1703724947.000000000120C000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1703763763.00000000011BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
              Source: F0qGTeCiiA.exe, 00000000.00000003.1703724947.000000000120C000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1703763763.00000000011BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
              Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49732 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49733 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49734 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49735 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49736 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49737 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.4:49738 version: TLS 1.2

              System Summary

              Source: F0qGTeCiiA.exeStatic PE information: section name:
              Source: F0qGTeCiiA.exeStatic PE information: section name: .idata
              Source: F0qGTeCiiA.exeStatic PE information: section name:
              Source: F0qGTeCiiA.exe, 00000000.00000002.1975994266.0000000005FB2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs F0qGTeCiiA.exe
              Source: F0qGTeCiiA.exe, 00000000.00000002.1976467700.000000000636B000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs F0qGTeCiiA.exe
              Source: F0qGTeCiiA.exe, 00000000.00000002.1976438767.00000000060C6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs F0qGTeCiiA.exe
              Source: F0qGTeCiiA.exe, 00000000.00000002.1978753148.00000000081E0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs F0qGTeCiiA.exe
              Source: F0qGTeCiiA.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: F0qGTeCiiA.exeStatic PE information: Section: ZLIB complexity 0.9983954326923077
              Source: F0qGTeCiiA.exeStatic PE information: Section: iztaxtuc ZLIB complexity 0.9948432419450192
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@24/61@13/7
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: F0qGTeCiiA.exe, 00000000.00000003.1718956041.0000000005865000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: F0qGTeCiiA.exeVirustotal: Detection: 56%
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeFile read: C:\Users\user\Desktop\F0qGTeCiiA.exe
              Source: unknownProcess created: C:\Users\user\Desktop\F0qGTeCiiA.exe "C:\Users\user\Desktop\F0qGTeCiiA.exe"
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=F0qGTeCiiA.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=2068,i,2525134581122787594,7886580695100849804,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1976,i,17277778439887522873,9680616898233364702,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: webio.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: version.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: textinputframework.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: coreuicomponents.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: windows.shell.servicehostbuilder.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: ieframe.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: netapi32.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: wkscli.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: secur32.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: mlang.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: policymanager.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: msvcp110_win.dll
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Section loaded: onecorecommonproxystub.dll
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: F0qGTeCiiA.exe Static file information: File size 1914368 > 1048576
              Source: F0qGTeCiiA.exe Static PE information: Raw size of iztaxtuc is bigger than: 0x100000 < 0x1a6e00
              Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: F0qGTeCiiA.exe, 00000000.00000003.1883281131.00000000081E0000.00000004.00001000.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000002.1976399553.00000000060C2000.00000040.00000800.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Unpacked PE file: 0.2.F0qGTeCiiA.exe.f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iztaxtuc:EW;ltlmjhtw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iztaxtuc:EW;ltlmjhtw:EW;.taggant:EW;
              Source: initial sample Static PE information: section where entry point is pointing to: .taggant
              Source: F0qGTeCiiA.exe Static PE information: real checksum: 0x1d5c49 should be: 0x1e34a2
              Source: F0qGTeCiiA.exe Static PE information: section name:
              Source: F0qGTeCiiA.exe Static PE information: section name: .idata
              Source: F0qGTeCiiA.exe Static PE information: section name:
              Source: F0qGTeCiiA.exe Static PE information: section name: iztaxtuc
              Source: F0qGTeCiiA.exe Static PE information: section name: ltlmjhtw
              Source: F0qGTeCiiA.exe Static PE information: section name: .taggant
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Code function: 0_3_0586C34B push eax; ret 0_3_0586C351
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Code function: 0_3_0586C35B pushad ; ret 0_3_0586C361
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Code function: 0_3_0586C363 push 680586C3h; ret 0_3_0586C36D
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Code function: 0_3_0586FC0D push ebx; iretd 0_3_0586FC1A
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Code function: 0_3_0122D061 pushad ; iretd 0_3_0122D071
              Source: F0qGTeCiiA.exe Static PE information: section name: entropy: 7.983051497680463
              Source: F0qGTeCiiA.exe Static PE information: section name: iztaxtuc entropy: 7.953825229948277

              Boot Survival

              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2F8EF2 second address: 2F8EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2FAA4E second address: 2FAA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2FAA58 second address: 2FAA5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2FAA5C second address: 2FAA82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14094707F4h 0x00000007 jp 00007F14094707E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007F14094707E6h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2FAA82 second address: 2FAA86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2C2BC2 second address: 2C2BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2C2BC6 second address: 2C2BE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F140948E139h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3012CA second address: 3012CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3012CF second address: 3012D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3012D5 second address: 3012E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3003B7 second address: 3003BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3014BA second address: 3014DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F14094707EBh 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 js 00007F1409470801h 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2C6125 second address: 2C612F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F140948E126h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 308298 second address: 3082A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F14094707E6h 0x0000000a popad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30857E second address: 308582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 308582 second address: 308597 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14094707EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 308597 second address: 3085D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F140948E12Dh 0x00000007 push edi 0x00000008 jmp 00007F140948E12Bh 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F140948E135h 0x0000001b jnp 00007F140948E126h 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3085D6 second address: 3085F9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F14094707E6h 0x00000008 jmp 00007F14094707F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3085F9 second address: 3085FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3085FF second address: 308604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 308604 second address: 30860B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 309507 second address: 309520 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14094707F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 309520 second address: 309526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 309526 second address: 30952A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30952A second address: 30952E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 309581 second address: 309585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 309585 second address: 309592 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 309592 second address: 309598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 309598 second address: 30959C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30959C second address: 309626 instructions: 0x00000000 rdtsc 0x00000002 je 00007F14094707E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jbe 00007F14094707EEh 0x00000016 mov eax, dword ptr [eax] 0x00000018 jp 00007F14094707EAh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 pushad 0x00000023 jo 00007F14094707F3h 0x00000029 jmp 00007F14094707EDh 0x0000002e jne 00007F14094707F0h 0x00000034 popad 0x00000035 pop eax 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F14094707E8h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 0000001Dh 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 mov edi, esi 0x00000052 mov dword ptr [ebp+122D19DBh], edi 0x00000058 push 4096A7C6h 0x0000005d pushad 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 309990 second address: 309994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 309994 second address: 30999A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30999A second address: 3099A4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F140948E12Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 309B21 second address: 309B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30A04C second address: 30A069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 mov dword ptr [esp], ebx 0x0000000a jg 00007F140948E128h 0x00000010 mov esi, edi 0x00000012 nop 0x00000013 push edx 0x00000014 pushad 0x00000015 ja 00007F140948E126h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30A069 second address: 30A086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F14094707F4h 0x0000000f jmp 00007F14094707EEh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30A13E second address: 30A144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30A228 second address: 30A22E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30A590 second address: 30A595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30A693 second address: 30A698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30A698 second address: 30A69D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30ABC0 second address: 30AC32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14094707ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F14094707F9h 0x0000000f jmp 00007F14094707F3h 0x00000014 popad 0x00000015 nop 0x00000016 mov edi, dword ptr [ebp+122D1C31h] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F14094707E8h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000019h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 and si, 3A4Ch 0x0000003d mov esi, dword ptr [ebp+122D3826h] 0x00000043 push 00000000h 0x00000045 mov dword ptr [ebp+122D20E8h], edx 0x0000004b xchg eax, ebx 0x0000004c jng 00007F14094707F4h 0x00000052 push eax 0x00000053 push edx 0x00000054 push ecx 0x00000055 pop ecx 0x00000056 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30DCE8 second address: 30DCEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30E5A7 second address: 30E5B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F14094707E8h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30E5B7 second address: 30E5BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30EFF8 second address: 30EFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 310D83 second address: 310D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30FB0C second address: 30FB12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 30FB12 second address: 30FB24 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F140948E126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2CE943 second address: 2CE955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F14094707EEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2CE955 second address: 2CE977 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F140948E137h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 311413 second address: 31147C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F14094707E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F14094707E8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F14094707E8h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 mov dword ptr [ebp+12478037h], edi 0x00000048 push 00000000h 0x0000004a or esi, dword ptr [ebp+122D363Eh] 0x00000050 jne 00007F14094707E7h 0x00000056 push eax 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a jg 00007F14094707E6h 0x00000060 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 311BE2 second address: 311C00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F140948E133h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 316812 second address: 316818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 316818 second address: 31681D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3177AD second address: 3177C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F14094707ECh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 316988 second address: 3169B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F140948E135h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F140948E12Ch 0x00000016 jg 00007F140948E126h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3177C0 second address: 317831 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F14094707E8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 or dword ptr [ebp+1245DDD8h], esi 0x00000028 push 00000000h 0x0000002a xor ebx, dword ptr [ebp+122D1B74h] 0x00000030 sub dword ptr [ebp+122D257Eh], edx 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 jmp 00007F14094707F7h 0x0000003e pop edi 0x0000003f mov bx, cx 0x00000042 xchg eax, esi 0x00000043 pushad 0x00000044 jmp 00007F14094707F4h 0x00000049 push eax 0x0000004a push edx 0x0000004b push edi 0x0000004c pop edi 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3169B4 second address: 3169B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3169B9 second address: 3169BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3169BF second address: 316A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, 7AC1BC91h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push edi 0x00000015 pop edi 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d jnl 00007F140948E13Ah 0x00000023 mov eax, dword ptr [ebp+122D018Dh] 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F140948E128h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000015h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov dword ptr [ebp+122D1C31h], ecx 0x00000049 push FFFFFFFFh 0x0000004b jmp 00007F140948E139h 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jnl 00007F140948E12Ch 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 316A49 second address: 316A4E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31A8BA second address: 31A8C4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F140948E126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31B988 second address: 31B98D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31C91A second address: 31C920 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31C920 second address: 31C924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31BAFA second address: 31BAFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31BAFE second address: 31BB04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31BBE3 second address: 31BBE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31CAE2 second address: 31CAE7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31CAE7 second address: 31CAF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31CAF5 second address: 31CAF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31CAF9 second address: 31CAFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31CBE9 second address: 31CBF3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F14094707E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31CBF3 second address: 31CBF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31F93C second address: 31F94E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 pushad 0x0000000a jng 00007F14094707ECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 321A79 second address: 321A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 321A87 second address: 321ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F14094707EDh 0x0000000a popad 0x0000000b pushad 0x0000000c jbe 00007F14094707E8h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007F14094707F6h 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 321ABE second address: 321AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3220F2 second address: 32213C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+122D38CEh] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F14094707E8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a push 00000000h 0x0000002c sbb edi, 3E8CC141h 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F14094707F3h 0x0000003a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 32463E second address: 324656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F140948E131h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 324656 second address: 32466C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F14094707ECh 0x00000010 jne 00007F14094707E6h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 35890D second address: 358919 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F14094707EEh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 358BD4 second address: 358C42 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F140948E13Eh 0x00000008 jmp 00007F140948E130h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 jne 00007F140948E126h 0x00000017 ja 00007F140948E126h 0x0000001d jmp 00007F140948E137h 0x00000022 jmp 00007F140948E133h 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 358C42 second address: 358C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2C112C second address: 2C1130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 35D02A second address: 35D030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 35D2E0 second address: 35D2E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 35D424 second address: 35D432 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F14094707E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 35D432 second address: 35D441 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F140948E126h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 35D577 second address: 35D57D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 35D57D second address: 35D5A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 push edi 0x00000011 jno 00007F140948E126h 0x00000017 push esi 0x00000018 pop esi 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e js 00007F140948E126h 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 36318D second address: 36319E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F14094707E6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 36319E second address: 3631A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 361A45 second address: 361A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 361A4C second address: 361A55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 361A55 second address: 361A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F14094707E6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007F14094707E8h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 362018 second address: 36201C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 36201C second address: 36202B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F14094707E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 313147 second address: 313153 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 313153 second address: 31315E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 31315E second address: 3131AB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F140948E126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F140948E128h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 sub dword ptr [ebp+1245DCC9h], ebx 0x0000002c push 00000004h 0x0000002e pushad 0x0000002f jc 00007F140948E12Ch 0x00000035 mov dword ptr [ebp+1245E3F6h], ebx 0x0000003b adc dh, FFFFFFCFh 0x0000003e popad 0x0000003f push eax 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 js 00007F140948E126h 0x00000049 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3683E3 second address: 3683EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 368828 second address: 368832 instructions: 0x00000000 rdtsc 0x00000002 je 00007F140948E126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 368832 second address: 36884D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F14094707F2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 36884D second address: 368853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 368853 second address: 368857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 368857 second address: 368861 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F140948E126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 368861 second address: 36887E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F14094707EAh 0x0000000b pushad 0x0000000c jnc 00007F14094707E6h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 368B35 second address: 368B39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 368B39 second address: 368B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F14094707EEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F14094707F8h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 36937A second address: 369383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 369383 second address: 369389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 369EB4 second address: 369EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3722F8 second address: 372310 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 js 00007F14094707E6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F14094707F9h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 372310 second address: 372321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F140948E12Dh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2BDBE5 second address: 2BDBEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2BDBEF second address: 2BDBF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 2BDBF3 second address: 2BDC16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14094707F9h 0x00000007 jno 00007F14094707E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 375481 second address: 375487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 375487 second address: 375492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 375618 second address: 37561D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 375D22 second address: 375D4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 jmp 00007F14094707EBh 0x0000000d jmp 00007F14094707EFh 0x00000012 pop eax 0x00000013 jbe 00007F14094707E8h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37C76D second address: 37C789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F140948E131h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37CA8C second address: 37CA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37CA92 second address: 37CA9B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37CC0E second address: 37CC14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37CEB8 second address: 37CECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F140948E12Fh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37CECB second address: 37CED1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37CFFB second address: 37D01B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F140948E126h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F140948E134h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37D15E second address: 37D164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37D164 second address: 37D16C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37D16C second address: 37D170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37D2E0 second address: 37D2E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37D2E4 second address: 37D2F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F14094707F2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37DBBE second address: 37DBCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F140948E126h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37DBCD second address: 37DBD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37DBD1 second address: 37DBD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37E2A4 second address: 37E2B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F14094707E6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37E2B0 second address: 37E2CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F140948E12Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37C206 second address: 37C20A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37C20A second address: 37C210 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37C210 second address: 37C21F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F14094707EAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 37C21F second address: 37C240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 ja 00007F140948E13Fh 0x0000000d push eax 0x0000000e jmp 00007F140948E131h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 385DBC second address: 385DC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3857A0 second address: 3857C0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F140948E12Ah 0x00000011 jmp 00007F140948E12Ah 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3857C0 second address: 3857CB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3857CB second address: 3857E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F140948E136h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3857E7 second address: 3857ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 385A8C second address: 385A90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3A0744 second address: 3A0748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3A0748 second address: 3A074C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3ABC20 second address: 3ABC2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F14094707E6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3ABC2A second address: 3ABC2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B18DD second address: 3B18E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B18E3 second address: 3B1905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F140948E12Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F140948E12Eh 0x00000012 pushad 0x00000013 popad 0x00000014 jo 00007F140948E126h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B1B4B second address: 3B1B4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B1B4F second address: 3B1B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F140948E134h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B1CB0 second address: 3B1CD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F14094707F1h 0x0000000e push ecx 0x0000000f jbe 00007F14094707E6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B1CD3 second address: 3B1CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B1CD8 second address: 3B1CE2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F14094707ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B1CE2 second address: 3B1CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B1CEA second address: 3B1CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B2246 second address: 3B226A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F140948E126h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F140948E138h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B226A second address: 3B2270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B2270 second address: 3B2274 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B2274 second address: 3B2280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B2280 second address: 3B2284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B2284 second address: 3B2288 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B2C6B second address: 3B2C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B4689 second address: 3B4699 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F14094707E8h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3B7C65 second address: 3B7C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F140948E126h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F140948E136h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3BBE83 second address: 3BBE8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F14094707E6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 3C57C4 second address: 3C57CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6244BEF second address: 6244BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F140948E126h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6244BF9 second address: 6244C03 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F14094707E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6245059 second address: 6245070 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F140948E133h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6245070 second address: 624507A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 624507A second address: 624507E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 624507E second address: 6245084 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6248CCF second address: 6248D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F140948E139h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F140948E12Fh 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6248D05 second address: 6248D0B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6248D0B second address: 6248D35 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F140948E130h 0x00000008 jmp 00007F140948E12Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [eax] 0x00000011 push ebx 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 je 00007F140948E126h 0x0000001b popad 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push esi 0x00000022 push ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6248FAC second address: 6248FC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14094707EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F14094707E6h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6248FC7 second address: 6248FCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6248FCB second address: 6248FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jo 00007F1409470807h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F14094707F5h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6248FF3 second address: 6248FF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6248FF7 second address: 62490AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jp 00007F14094707ECh 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jmp 00007F14094707F4h 0x00000017 pop eax 0x00000018 jnc 00007F14094707ECh 0x0000001e push 00000003h 0x00000020 push 00000000h 0x00000022 push ebx 0x00000023 call 00007F14094707E8h 0x00000028 pop ebx 0x00000029 mov dword ptr [esp+04h], ebx 0x0000002d add dword ptr [esp+04h], 00000017h 0x00000035 inc ebx 0x00000036 push ebx 0x00000037 ret 0x00000038 pop ebx 0x00000039 ret 0x0000003a mov dword ptr [ebp+122D2870h], edi 0x00000040 push 00000000h 0x00000042 mov cl, F3h 0x00000044 push 00000003h 0x00000046 clc 0x00000047 push 9A802FE2h 0x0000004c push ecx 0x0000004d jmp 00007F14094707F8h 0x00000052 pop ecx 0x00000053 xor dword ptr [esp], 5A802FE2h 0x0000005a and edx, dword ptr [ebp+122D2E8Ah] 0x00000060 lea ebx, dword ptr [ebp+1244EC29h] 0x00000066 xchg eax, ebx 0x00000067 push eax 0x00000068 push edx 0x00000069 push ecx 0x0000006a jmp 00007F14094707F5h 0x0000006f pop ecx 0x00000070 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 62490AA second address: 62490BD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jne 00007F140948E126h 0x00000012 pop ebx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 62490BD second address: 62490C2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 623B1A9 second address: 623B1AF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6267DB3 second address: 6267DB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6267DB9 second address: 6267DDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F140948E126h 0x0000000a jmp 00007F140948E137h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6267DDA second address: 6267DDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6267DDE second address: 6267DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6267F4D second address: 6267F67 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F14094707F3h 0x00000008 jmp 00007F14094707EBh 0x0000000d push eax 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 626821F second address: 6268237 instructions: 0x00000000 rdtsc 0x00000002 je 00007F140948E126h 0x00000008 jl 00007F140948E126h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007F140948E126h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6268237 second address: 6268258 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F14094707F4h 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6268258 second address: 6268262 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F140948E126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6268262 second address: 6268268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 62683A9 second address: 62683AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 62683AE second address: 62683D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F14094707F2h 0x00000009 jmp 00007F14094707F3h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6268686 second address: 626868D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6268ED1 second address: 6268ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6268ED5 second address: 6268EEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F140948E12Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 625FDA8 second address: 625FDAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 625FDAE second address: 625FDBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F140948E126h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6239626 second address: 6239641 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14094707F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6239641 second address: 6239645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6239645 second address: 623965B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14094707EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 623965B second address: 6239661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6268FF4 second address: 6268FFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6268FFA second address: 6269004 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F140948E126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6269626 second address: 626962E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 626962E second address: 6269639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6269639 second address: 6269658 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14094707F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6269658 second address: 626965E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 626965E second address: 62696A8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F14094707E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F14094707F6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 jbe 00007F14094707E6h 0x0000001c jmp 00007F14094707F9h 0x00000021 popad 0x00000022 push ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6269AC5 second address: 6269AE6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F140948E139h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 626B552 second address: 626B558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 626B558 second address: 626B569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F140948E12Dh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 626B569 second address: 626B56D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 626D1E2 second address: 626D1FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F140948E132h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 626D1FD second address: 626D214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007F14094707E6h 0x0000000e jg 00007F14094707E6h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6271B5E second address: 6271B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 62722F0 second address: 62722F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 62770E2 second address: 62770FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F140948E12Ch 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 62770FD second address: 6277114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14094707F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6277114 second address: 6277119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6277119 second address: 6277139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edx 0x00000010 push esi 0x00000011 jno 00007F14094707E6h 0x00000017 pop esi 0x00000018 popad 0x00000019 mov eax, dword ptr [eax] 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 6277139 second address: 627713D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exeRDTSC instruction interceptor: First address: 627713D second address: 6277159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F14094707ECh 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Special instruction interceptor: First address: 14DA58 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Special instruction interceptor: First address: 301375 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Special instruction interceptor: First address: 328B87 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Special instruction interceptor: First address: 3126D1 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Special instruction interceptor: First address: 387EF2 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Special instruction interceptor: First address: 60CDC98 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Special instruction interceptor: First address: 6271CB2 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Special instruction interceptor: First address: 627082A instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Special instruction interceptor: First address: 6307DD5 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe TID: 6984 Thread sleep time: -180000s >= -30000s
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: F0qGTeCiiA.exe, 00000000.00000002.1976467700.000000000624C000.00000040.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000002.1971724493.00000000002E0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: F0qGTeCiiA.exe, 00000000.00000002.1972505503.0000000001188000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
              Source: F0qGTeCiiA.exe, 00000000.00000002.1975067667.000000000587A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: F0qGTeCiiA.exe, 00000000.00000002.1972505503.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1703763763.00000000011BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnD
              Source: F0qGTeCiiA.exe, 00000000.00000002.1972505503.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000003.1703763763.00000000011BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: F0qGTeCiiA.exe, 00000000.00000002.1976467700.000000000624C000.00000040.00000800.00020000.00000000.sdmp, F0qGTeCiiA.exe, 00000000.00000002.1971724493.00000000002E0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: NTICE
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: SICE
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: SIWVID
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=F0qGTeCiiA.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
              Source: F0qGTeCiiA.exe, 00000000.00000002.1971724493.00000000002E0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: =Program Manager
              Source: F0qGTeCiiA.exe, 00000000.00000002.1976467700.000000000624C000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: #%Program Manager
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara matchFile source: Process Memory Space: F0qGTeCiiA.exe PID: 6504, type: MEMORYSTR
              Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
              Source: F0qGTeCiiA.exe, 00000000.00000003.1765132130.00000000011D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Electrum
              Source: F0qGTeCiiA.exe, 00000000.00000003.1765132130.00000000011D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/ElectronCash
              Source: F0qGTeCiiA.exe, 00000000.00000003.1765116955.000000000121F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
              Source: F0qGTeCiiA.exe, 00000000.00000003.1765132130.00000000011D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
              Source: F0qGTeCiiA.exe, 00000000.00000003.1765132130.00000000011D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: F0qGTeCiiA.exe, 00000000.00000003.1765116955.000000000121F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Exodus
              Source: F0qGTeCiiA.exe, 00000000.00000003.1765132130.00000000011D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Ethereum
              Source: F0qGTeCiiA.exe, 00000000.00000003.1765116955.000000000121F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: F0qGTeCiiA.exe, 00000000.00000003.1765116955.000000000121F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Users\user\Desktop\F0qGTeCiiA.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: Yara match File source: Process Memory Space: F0qGTeCiiA.exe PID: 6504, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match File source: Process Memory Space: F0qGTeCiiA.exe PID: 6504, type: MEMORYSTR
              Source: Yara match File source: sslproxydump.pcap, type: PCAP
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 44 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 12 Process Injection | LSASS Memory | 841 Security Software Discovery | Remote Desktop Protocol | 4 Data from Local System | 13 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 44 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 115 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 223 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.