
Windows Analysis Report
Gy53Tq6BdK.exe

Overview

General Information

Sample name: Gy53Tq6BdK.exe (renamed because original name is a hash value)
Original sample name: 49fc187b211896a8d43fb7f54686b072.exe
Analysis ID: 1579674
MD5: 49fc187b211896a8d43fb7f54686b072
SHA1: 202fbb9b53023f6c3c101a871e716a35ee06f69d
SHA256: 529c63741b376355bc8cd10c2d28279719e2167474d02272fb365d3f1f536129
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • Gy53Tq6BdK.exe (PID: 2832 cmdline: "C:\Users\user\Desktop\Gy53Tq6BdK.exe" MD5: 49FC187B211896A8D43FB7F54686B072)
    • WerFault.exe (PID: 4564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1152 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Gy53Tq6BdK.exe | Avira: detected
Source: Gy53Tq6BdK.exe | ReversingLabs: Detection: 65%
Source: Gy53Tq6BdK.exe | Virustotal: Detection: 66%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Gy53Tq6BdK.exe | Joe Sandbox ML: detected
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: Gy53Tq6BdK.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */*
Source: Joe Sandbox View | IP Address: 34.226.108.155
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fivetk5ht.top
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: Gy53Tq6BdK.exe, 00000000.00000002.1653315673.00000000016FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPR
Source: Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17
Source: Gy53Tq6BdK.exe, 00000000.00000002.1653315673.000000000164E000.00000004.00000020.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
Source: Gy53Tq6BdK.exe, 00000000.00000002.1653315673.000000000164E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv173457985135a1
Source: Gy53Tq6BdK.exe, 00000000.00000002.1653315673.00000000016C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851PX
Source: Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Source: Gy53Tq6BdK.exe | Static PE information: section name:
Source: Gy53Tq6BdK.exe | Static PE information: section name: .idata
Source: Gy53Tq6BdK.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1152
Source: Gy53Tq6BdK.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Gy53Tq6BdK.exe | Static PE information: Section: pfkrromk ZLIB complexity 0.9940523481638418
Source: classification engine | Classification label: mal100.evad.winEXE@2/5@14/1
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2832
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\acf31887-0897-4870-a2e5-b9bfc7c0f183
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Gy53Tq6BdK.exe | ReversingLabs: Detection: 65%
Source: Gy53Tq6BdK.exe | Virustotal: Detection: 66%
Source: Gy53Tq6BdK.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown | Process created: C:\Users\user\Desktop\Gy53Tq6BdK.exe "C:\Users\user\Desktop\Gy53Tq6BdK.exe"
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1152
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Section loaded: winrnr.dll
Source: Gy53Tq6BdK.exe | Static file information: File size 4468736 > 1048576
Source: Gy53Tq6BdK.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x284c00
Source: Gy53Tq6BdK.exe | Static PE information: Raw size of pfkrromk is bigger than: 0x100000 < 0x1ba800

Data Obfuscation

Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Unpacked PE file: 0.2.Gy53Tq6BdK.exe.430000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pfkrromk:EW;hghjijlv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pfkrromk:EW;hghjijlv:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: Gy53Tq6BdK.exe | Static PE information: real checksum: 0x445664 should be: 0x4486a1
Source: Gy53Tq6BdK.exe | Static PE information: section name:
Source: Gy53Tq6BdK.exe | Static PE information: section name: .idata
Source: Gy53Tq6BdK.exe | Static PE information: section name:
Source: Gy53Tq6BdK.exe | Static PE information: section name: pfkrromk
Source: Gy53Tq6BdK.exe | Static PE information: section name: hghjijlv
Source: Gy53Tq6BdK.exe | Static PE information: section name: .taggant
Source: Gy53Tq6BdK.exe | Static PE information: section name: pfkrromk entropy: 7.954681489515957

Boot Survival

Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Window searched: window name: Regmonclass
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROCMON.EXE
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG.EXE
Source: Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF144A second address: CF144E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF144E second address: CF1454 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF1454 second address: CF1462 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD3F95E0CD8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF1462 second address: CF1466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF1466 second address: CF147D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF172B second address: CF1744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jnc 00007FD3F95E0F76h 0x00000010 push eax 0x00000011 pop eax 0x00000012 jnc 00007FD3F95E0F76h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF18F9 second address: CF18FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF1A61 second address: CF1A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF1A65 second address: CF1A69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF1A69 second address: CF1A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD3F95E0F76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF1A75 second address: CF1A7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF1C27 second address: CF1C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF36A5 second address: CF36EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jc 00007FD3F95E0CDCh 0x00000013 mov eax, dword ptr [eax] 0x00000015 jmp 00007FD3F95E0CE9h 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jnl 00007FD3F95E0CD8h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3819 second address: CF38AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD3F95E0F76h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FD3F95E0F80h 0x00000011 je 00007FD3F95E0F76h 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edi 0x0000001b jmp 00007FD3F95E0F80h 0x00000020 pop edi 0x00000021 nop 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007FD3F95E0F78h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 0000001Bh 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c mov si, FC00h 0x00000040 push 00000000h 0x00000042 mov edi, dword ptr [ebp+12A23671h] 0x00000048 call 00007FD3F95E0F79h 0x0000004d jne 00007FD3F95E0F8Dh 0x00000053 push eax 0x00000054 push esi 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF38AC second address: CF38B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF38B0 second address: CF3903 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD3F95E0F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007FD3F95E0F88h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 pushad 0x00000018 jmp 00007FD3F95E0F86h 0x0000001d push edi 0x0000001e pop edi 0x0000001f popad 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 js 00007FD3F95E0F97h 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3903 second address: CF3966 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov ecx, esi 0x0000000c push 00000003h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FD3F95E0CD8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a push 00000003h 0x0000002c call 00007FD3F95E0CDEh 0x00000031 cmc 0x00000032 pop ecx 0x00000033 call 00007FD3F95E0CD9h 0x00000038 push edi 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3966 second address: CF3983 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007FD3F95E0F7Bh 0x00000010 jp 00007FD3F95E0F76h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3983 second address: CF3A05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edx 0x0000000e jg 00007FD3F95E0CE8h 0x00000014 pop edx 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007FD3F95E0CE3h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push ecx 0x00000021 jmp 00007FD3F95E0CDCh 0x00000026 pop ecx 0x00000027 pop eax 0x00000028 mov esi, dword ptr [ebp+12A235C5h] 0x0000002e lea ebx, dword ptr [ebp+12B9B4DDh] 0x00000034 stc 0x00000035 call 00007FD3F95E0CE4h 0x0000003a clc 0x0000003b pop edx 0x0000003c push eax 0x0000003d pushad 0x0000003e pushad 0x0000003f pushad 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3A4E second address: CF3AAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FD3F95E0F76h 0x00000009 jmp 00007FD3F95E0F86h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jns 00007FD3F95E0F82h 0x00000018 nop 0x00000019 add ecx, dword ptr [ebp+12A21ACCh] 0x0000001f push 00000000h 0x00000021 mov dword ptr [ebp+12A21ABDh], ecx 0x00000027 call 00007FD3F95E0F79h 0x0000002c pushad 0x0000002d pushad 0x0000002e jno 00007FD3F95E0F76h 0x00000034 jnc 00007FD3F95E0F76h 0x0000003a popad 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3AAE second address: CF3AC4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD3F95E0CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jbe 00007FD3F95E0CE0h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3AC4 second address: CF3AF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FD3F95E0F89h 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007FD3F95E0F78h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3AF3 second address: CF3AF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3AF9 second address: CF3AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3AFD second address: CF3B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FD3F95E0CDCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3B17 second address: CF3B69 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 add ecx, 13EEECF0h 0x0000000f push 00000003h 0x00000011 mov dword ptr [ebp+12A231C9h], ebx 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007FD3F95E0F78h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 mov dword ptr [ebp+12A23339h], edx 0x00000039 push 00000003h 0x0000003b xor dword ptr [ebp+12A21A8Dh], ebx 0x00000041 push BC370DF6h 0x00000046 push eax 0x00000047 push edx 0x00000048 push ecx 0x00000049 je 00007FD3F95E0F76h 0x0000004f pop ecx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3B69 second address: CF3B6E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3B6E second address: CF3B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 7C370DF6h 0x0000000e and edi, 634222F7h 0x00000014 lea ebx, dword ptr [ebp+12B9B4E8h] 0x0000001a mov dx, 7337h 0x0000001e xchg eax, ebx 0x0000001f pushad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: CF3B91 second address: CF3BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD3F95E0CE4h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | RDTSC instruction interceptor: First address: D14780 second address: D14785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D14785 second address: D1479C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD3F95E0CDEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: CE3B73 second address: CE3B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: CE3B7A second address: CE3BB6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 js 00007FD3F95E0CD6h 0x00000009 jc 00007FD3F95E0CD6h 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD3F95E0CE9h 0x00000017 jmp 00007FD3F95E0CE1h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D12A74 second address: D12A7E instructions: 0x00000000 rdtsc 0x00000002 js 00007FD3F95E0F76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D12A7E second address: D12A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D12A87 second address: D12A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D13087 second address: D13098 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CDDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D13098 second address: D130A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D134CA second address: D134D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D07FA6 second address: D07FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3F95E0F7Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FD3F95E0F76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D07FBF second address: D07FD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: CD7ECF second address: CD7ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FD3F95E0F76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: CD7ED9 second address: CD7EE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FD3F95E0CDEh 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D138F1 second address: D1390F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3F95E0F88h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D1B31E second address: D1B322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D1C5D5 second address: D1C5DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D20352 second address: D20358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D204E9 second address: D204ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D204ED second address: D204F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D204F1 second address: D204FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D204FB second address: D2050D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jo 00007FD3F95E0CD6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2050D second address: D20512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2091B second address: D20921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D20921 second address: D2092B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D20A7F second address: D20A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD3F95E0CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D20A89 second address: D20A8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D22CEB second address: D22D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jmp 00007FD3F95E0CE1h 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007FD3F95E0CDFh 0x00000014 mov eax, dword ptr [eax] 0x00000016 jmp 00007FD3F95E0CDFh 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D22D2F second address: D22D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D22EAE second address: D22EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D22EB4 second address: D22EB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2301D second address: D2302D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FD3F95E0CD8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23913 second address: D23937 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebx 0x0000000a sub dword ptr [ebp+12A233CEh], ecx 0x00000010 clc 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007FD3F95E0F7Ch 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23A14 second address: D23A2B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007FD3F95E0CE2h 0x0000000f jp 00007FD3F95E0CDCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23B85 second address: D23B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23B89 second address: D23B8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23B8D second address: D23B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23DA4 second address: D23DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a jnp 00007FD3F95E0CD6h 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23E7B second address: D23E7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23E7F second address: D23E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jp 00007FD3F95E0CE4h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23E91 second address: D23E95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23E95 second address: D23ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007FD3F95E0CD8h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 or di, 9001h 0x00000026 xchg eax, ebx 0x00000027 jg 00007FD3F95E0CE0h 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23ECF second address: D23EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23EDA second address: D23EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23EDE second address: D23EE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D23EE2 second address: D23EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D24DEB second address: D24DF5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD3F95E0F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D24C1E second address: D24C24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D24C24 second address: D24C28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D25E0C second address: D25E2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jbe 00007FD3F95E0CDCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D27200 second address: D27206 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D27206 second address: D272BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007FD3F95E0CF2h 0x00000010 pushad 0x00000011 jmp 00007FD3F95E0CE8h 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 nop 0x0000001a movzx esi, di 0x0000001d stc 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007FD3F95E0CD8h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Dh 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a jmp 00007FD3F95E0CE8h 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push eax 0x00000044 call 00007FD3F95E0CD8h 0x00000049 pop eax 0x0000004a mov dword ptr [esp+04h], eax 0x0000004e add dword ptr [esp+04h], 00000017h 0x00000056 inc eax 0x00000057 push eax 0x00000058 ret 0x00000059 pop eax 0x0000005a ret 0x0000005b sub dword ptr [ebp+12A22FE5h], ecx 0x00000061 xchg eax, ebx 0x00000062 push ecx 0x00000063 push eax 0x00000064 push edx 0x00000065 jp 00007FD3F95E0CD6h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D272BA second address: D272BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D272BE second address: D272D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jns 00007FD3F95E0CE0h 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D289DE second address: D289E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2B3C4 second address: D2B404 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD3F95E0CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jnc 00007FD3F95E0CE8h 0x00000012 jmp 00007FD3F95E0CE8h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2B404 second address: D2B408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2CEBF second address: D2CEC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2D47F second address: D2D4A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jng 00007FD3F95E0F8Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD3F95E0F7Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2D4A8 second address: D2D4AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2E469 second address: D2E488 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD3F95E0F7Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FD3F95E0F7Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2D5CB second address: D2D5D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2D6CE second address: D2D6D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D30626 second address: D30689 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007FD3F95E0CD6h 0x0000000d jmp 00007FD3F95E0CDCh 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 jp 00007FD3F95E0CD7h 0x0000001b clc 0x0000001c cmc 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebx 0x00000022 call 00007FD3F95E0CD8h 0x00000027 pop ebx 0x00000028 mov dword ptr [esp+04h], ebx 0x0000002c add dword ptr [esp+04h], 00000015h 0x00000034 inc ebx 0x00000035 push ebx 0x00000036 ret 0x00000037 pop ebx 0x00000038 ret 0x00000039 push 00000000h 0x0000003b jo 00007FD3F95E0CDCh 0x00000041 add dword ptr [ebp+12B9BCA7h], ebx 0x00000047 xchg eax, esi 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b jmp 00007FD3F95E0CDBh 0x00000050 pushad 0x00000051 popad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D32555 second address: D3255F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD3F95E0F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3175F second address: D31764 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3255F second address: D32576 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD3F95E0F7Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D32576 second address: D3257C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3182A second address: D3182E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D33773 second address: D3378C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD3F95E0CE4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D327C9 second address: D327F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD3F95E0F83h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jo 00007FD3F95E0F76h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push edi 0x0000001c pop edi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D348D0 second address: D34953 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD3F95E0CDBh 0x0000000f nop 0x00000010 je 00007FD3F95E0CD9h 0x00000016 movzx edi, ax 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007FD3F95E0CD8h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007FD3F95E0CD8h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 0000001Ch 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 push eax 0x00000052 pushad 0x00000053 pushad 0x00000054 push esi 0x00000055 pop esi 0x00000056 pushad 0x00000057 popad 0x00000058 popad 0x00000059 jnp 00007FD3F95E0CDCh 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D34A2A second address: D34A2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D34A2E second address: D34A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FD3F95E0CDCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D369E8 second address: D369ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D369ED second address: D369F7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD3F95E0CDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D369F7 second address: D36A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 jng 00007FD3F95E0F7Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3898C second address: D389EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jnl 00007FD3F95E0CD6h 0x00000010 popad 0x00000011 pop eax 0x00000012 nop 0x00000013 mov dword ptr [ebp+12A23089h], ecx 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+12A23178h], ecx 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007FD3F95E0CD8h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 00000015h 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d movsx edi, ax 0x00000040 mov ebx, 5C016CE6h 0x00000045 xchg eax, esi 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FD3F95E0CE4h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D39928 second address: D3992E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3A9B3 second address: D3A9BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3A9BA second address: D3A9CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3A9CA second address: D3A9CF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3AA67 second address: D3AA6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3AA6B second address: D3AA75 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD3F95E0CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3AA75 second address: D3AA7A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3AA7A second address: D3AA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FD3F95E0CD8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D38AF9 second address: D38AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3CB72 second address: D3CB87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3BD01 second address: D3BD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jns 00007FD3F95E0F76h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3BD14 second address: D3BD1E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD3F95E0CDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3BD1E second address: D3BDA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jmp 00007FD3F95E0F7Ah 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007FD3F95E0F78h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov edi, dword ptr [ebp+12A22A89h] 0x00000033 pushad 0x00000034 sbb edi, 6ED35827h 0x0000003a mov esi, dword ptr [ebp+12A21A69h] 0x00000040 popad 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 jmp 00007FD3F95E0F89h 0x0000004d mov eax, dword ptr [ebp+12A20CF1h] 0x00000053 mov ebx, dword ptr [ebp+12B987C0h] 0x00000059 push FFFFFFFFh 0x0000005b xor dword ptr [ebp+12BC5F29h], esi 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3F037 second address: D3F045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD3F95E0CD6h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3BDA3 second address: D3BDA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D3F045 second address: D3F04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D456E2 second address: D456EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D456EB second address: D456F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD3F95E0CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D456F5 second address: D45711 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D45711 second address: D45717 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D44FA5 second address: D44FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3F95E0F87h 0x00000009 popad 0x0000000a jmp 00007FD3F95E0F7Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D44FCC second address: D44FD7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007FD3F95E0CD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D452A1 second address: D452BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD3F95E0F83h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D493E4 second address: D493F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FD3F95E0CD6h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D4E154 second address: D4E171 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD3F95E0F78h 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007FD3F95E0F78h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push esi 0x00000013 jo 00007FD3F95E0F7Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D4E171 second address: D4E17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD3F95E0CDCh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: CEC25B second address: CEC27C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FD3F95E0F7Ah 0x0000000f popad 0x00000010 pushad 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D5030A second address: D50315 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FD3F95E0CD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D50315 second address: D50352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnc 00007FD3F95E0F80h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jns 00007FD3F95E0F8Fh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: CE057C second address: CE0586 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD3F95E0CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: CE0586 second address: CE058E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: CE058E second address: CE0594 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: CE0594 second address: CE05C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FD3F95E0F7Eh 0x0000000c push esi 0x0000000d pop esi 0x0000000e jne 00007FD3F95E0F76h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push ecx 0x00000017 jno 00007FD3F95E0F78h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FD3F95E0F82h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D54C92 second address: D54CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3F95E0CE2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D55251 second address: D55265 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F7Eh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D55265 second address: D5527E instructions: 0x00000000 rdtsc 0x00000002 je 00007FD3F95E0CD8h 0x00000008 pushad 0x00000009 jbe 00007FD3F95E0CD6h 0x0000000f jne 00007FD3F95E0CD6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D5527E second address: D5529F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD3F95E0F85h 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D5529F second address: D552A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D5552D second address: D55531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D559BD second address: D559CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jg 00007FD3F95E0CD6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D559CA second address: D559EA instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD3F95E0F8Ah 0x00000008 jmp 00007FD3F95E0F84h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D559EA second address: D559EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D55B54 second address: D55B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D55B58 second address: D55B6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD3F95E0CDEh 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D5BCAF second address: D5BCB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D5BCB5 second address: D5BCC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 je 00007FD3F95E0CD6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D5BCC4 second address: D5BCCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D5BCCE second address: D5BCD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D5BCD4 second address: D5BCD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: CE5615 second address: CE561F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D21573 second address: D21577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D21577 second address: D215FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop ecx 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FD3F95E0CD8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov ch, E7h 0x0000002a lea eax, dword ptr [ebp+12BC92DAh] 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007FD3F95E0CD8h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a mov dword ptr [ebp+12A219AEh], esi 0x00000050 nop 0x00000051 pushad 0x00000052 pushad 0x00000053 jmp 00007FD3F95E0CE5h 0x00000058 jmp 00007FD3F95E0CDDh 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D215FA second address: D21610 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007FD3F95E0F7Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D21610 second address: D07FA6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FD3F95E0CE5h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+12A231D5h], ebx 0x00000012 call dword ptr [ebp+12A21B97h] 0x00000018 pushad 0x00000019 pushad 0x0000001a jmp 00007FD3F95E0CDDh 0x0000001f je 00007FD3F95E0CD6h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D217E4 second address: D217E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D21CC6 second address: D21CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, esi 0x00000006 movsx ecx, si 0x00000009 sub dword ptr [ebp+12A22C16h], edx 0x0000000f push eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007FD3F95E0CD6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D21DBE second address: D21DC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D21DC4 second address: D21DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD3F95E0CE5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D21DDE second address: D21E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 jmp 00007FD3F95E0F81h 0x0000000e pop ecx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D21E01 second address: D21E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007FD3F95E0CD8h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD3F95E0CE9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D21E2C second address: D21E3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3F95E0F7Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D22608 second address: D2260D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2260D second address: D22613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D22613 second address: D22625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FD3F95E0CD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D22625 second address: D2263B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D22878 second address: D228B1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD3F95E0CEAh 0x00000008 jmp 00007FD3F95E0CE4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 js 00007FD3F95E0CE5h 0x00000017 jmp 00007FD3F95E0CDFh 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D228B1 second address: D228B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D228B5 second address: D2291E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 pushad 0x00000009 sub dl, 00000052h 0x0000000c mov di, bx 0x0000000f popad 0x00000010 lea eax, dword ptr [ebp+12BC931Eh] 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FD3F95E0CD8h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 nop 0x00000031 jmp 00007FD3F95E0CE4h 0x00000036 push eax 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FD3F95E0CE6h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D2291E second address: D229E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD3F95E0F83h 0x0000000e popad 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007FD3F95E0F78h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a mov di, 5259h 0x0000002e lea eax, dword ptr [ebp+12BC92DAh] 0x00000034 push 00000000h 0x00000036 push edx 0x00000037 call 00007FD3F95E0F78h 0x0000003c pop edx 0x0000003d mov dword ptr [esp+04h], edx 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc edx 0x0000004a push edx 0x0000004b ret 0x0000004c pop edx 0x0000004d ret 0x0000004e mov di, bx 0x00000051 call 00007FD3F95E0F86h 0x00000056 mov dword ptr [ebp+12A22D4Fh], eax 0x0000005c pop ecx 0x0000005d nop 0x0000005e pushad 0x0000005f push eax 0x00000060 jmp 00007FD3F95E0F88h 0x00000065 pop eax 0x00000066 push eax 0x00000067 push edx 0x00000068 jc 00007FD3F95E0F76h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D229E5 second address: D229E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D60E9F second address: D60EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD3F95E0F76h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D60EAA second address: D60EAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D612AE second address: D612B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D612B2 second address: D612D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push esi 0x0000000b push edx 0x0000000c jmp 00007FD3F95E0CDDh 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop edx 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D617B9 second address: D617BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D61935 second address: D61939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D677CD second address: D677D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D677D3 second address: D677D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D677D7 second address: D677FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD3F95E0F84h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D677FE second address: D6781E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD3F95E0CE9h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: CDCFF3 second address: CDD013 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F86h 0x00000007 jp 00007FD3F95E0F82h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: CDD013 second address: CDD019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6615C second address: D6617E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F88h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D66360 second address: D66364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D66364 second address: D6636A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6636A second address: D66370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D66370 second address: D6637A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD3F95E0F76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6691C second address: D66920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D66920 second address: D66924 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D66924 second address: D66949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD3F95E0CE5h 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FD3F95E0CD6h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D66949 second address: D6694F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D66ED1 second address: D66EFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3F95E0CE7h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD3F95E0CDBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D66EFA second address: D66EFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6702A second address: D67030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D67030 second address: D6703B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD3F95E0F76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6703B second address: D6704B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD3F95E0CE2h 0x00000008 jnc 00007FD3F95E0CD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6704B second address: D67052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D671A8 second address: D671C8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FD3F95E0CE1h 0x00000008 jg 00007FD3F95E0CD6h 0x0000000e pop edi 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D65E4C second address: D65E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6C159 second address: D6C15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6C15F second address: D6C175 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jns 00007FD3F95E0F76h 0x0000000f jns 00007FD3F95E0F76h 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6C175 second address: D6C1AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FD3F95E0CE7h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD3F95E0CDBh 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6C1AE second address: D6C1B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6C8DB second address: D6C8E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6C8E0 second address: D6C8EA instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD3F95E0F7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6C8EA second address: D6C910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FD3F95E0CE5h 0x0000000b jmp 00007FD3F95E0CDBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6C910 second address: D6C914 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6C914 second address: D6C923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: D6CC64 second address: D6CC68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D6CF5E second address: D6CF64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D6FD05 second address: D6FD1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD3F95E0F82h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D6FD1E second address: D6FD33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D738CE second address: D738D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D7A46F second address: D7A47C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D790C2 second address: D790C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D790C6 second address: D790ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FD3F95E0CEEh 0x0000000f push edi 0x00000010 jl 00007FD3F95E0CD6h 0x00000016 pop edi 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D790ED second address: D790F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D79219 second address: D79234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jng 00007FD3F95E0CD6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD3F95E0CDCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D79388 second address: D793AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007FD3F95E0F91h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FD3F95E0F89h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D793AE second address: D793B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FD3F95E0CD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D793B9 second address: D793D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FD3F95E0F86h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D79534 second address: D7953C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D7953C second address: D79540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D79540 second address: D7954A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D7954A second address: D79550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D79550 second address: D79554 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D7E2F7 second address: D7E2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D7D5C1 second address: D7D5D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3F95E0CE2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D7D5D7 second address: D7D5FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F7Ch 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD3F95E0F7Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D7D8BA second address: D7D8CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007FD3F95E0CDCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D7D8CB second address: D7D8D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FD3F95E0F76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D7DE0A second address: D7DE35 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 jmp 00007FD3F95E0CE9h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FD3F95E0CD6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D7DE35 second address: D7DE4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F85h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D7DE4E second address: D7DE60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD3F95E0CDCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D814DE second address: D814E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D814E4 second address: D814FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3F95E0CE2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D814FA second address: D814FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D81698 second address: D8169C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D8992C second address: D89940 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jp 00007FD3F95E0F76h 0x0000000b pop ecx 0x0000000c jo 00007FD3F95E0F7Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D8858E second address: D8859C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD3F95E0CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D8859C second address: D885A9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD3F95E0F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D885A9 second address: D885CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3F95E0CE1h 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD3F95E0CDCh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D885CE second address: D885D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D885D4 second address: D885D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D88B50 second address: D88B56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D88B56 second address: D88B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FD3F95E0CDCh 0x0000000c jno 00007FD3F95E0CD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D890F3 second address: D890FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D89395 second address: D8939B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D8939B second address: D893AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jns 00007FD3F95E0F76h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D893AD second address: D893DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007FD3F95E0CE5h 0x0000000e jmp 00007FD3F95E0CE2h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D893DF second address: D893E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D893E7 second address: D893ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D893ED second address: D893FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FD3F95E0F76h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D91DF1 second address: D91DF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D91DF6 second address: D91E3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FD3F95E0F81h 0x0000000f push edi 0x00000010 jo 00007FD3F95E0F76h 0x00000016 pop edi 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jne 00007FD3F95E0F76h 0x00000023 jns 00007FD3F95E0F76h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D90F39 second address: D90F3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D91214 second address: D91218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D91218 second address: D91224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D91224 second address: D9122E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD3F95E0F76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D9122E second address: D9124E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD3F95E0CD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007FD3F95E0CDAh 0x00000012 push eax 0x00000013 push edx 0x00000014 jnl 00007FD3F95E0CD6h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D913A7 second address: D913B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD3F95E0F76h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D913B5 second address: D913BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D917C0 second address: D917C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D917C6 second address: D917D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FD3F95E0CD8h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D917D8 second address: D917E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD3F95E0F76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D91969 second address: D919A0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD3F95E0CD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD3F95E0CE4h 0x00000011 jbe 00007FD3F95E0CD8h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push ebx 0x0000001b jng 00007FD3F95E0CD8h 0x00000021 pushad 0x00000022 popad 0x00000023 push ecx 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D9A61D second address: D9A623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D989E0 second address: D989E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D989E4 second address: D989EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D98C6F second address: D98C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D98C75 second address: D98C7B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D99094 second address: D99099 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D9936E second address: D99372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D99645 second address: D99650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FD3F95E0CD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D99650 second address: D99656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: D99DE1 second address: D99DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop ebx 0x00000009 popad 0x0000000a push edi 0x0000000b jmp 00007FD3F95E0CDAh 0x00000010 jg 00007FD3F95E0CDCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DAE7F0 second address: DAE7F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DB87BE second address: DB87C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DB87C6 second address: DB87CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DC03B3 second address: DC03C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DC03C3 second address: DC03C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DC03C9 second address: DC03CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DC03CD second address: DC03D7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD3F95E0F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DC03D7 second address: DC03DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DC848E second address: DC84B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD3F95E0F88h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007FD3F95E0F8Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DC789C second address: DC78A1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DC78A1 second address: DC78BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3F95E0F7Eh 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FD3F95E0F76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DCC884 second address: DCC8A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DCC8A2 second address: DCC8A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DCC8A8 second address: DCC8B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: DCC8B0 second address: DCC8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E0C83D second address: E0C843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E152B8 second address: E152C2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD3F95E0F7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E152C2 second address: E152CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E152CC second address: E152DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FD3F95E0F76h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E152DD second address: E152F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E0EB00 second address: E0EB04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E0EB04 second address: E0EB2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD3F95E0CE7h 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E2368C second address: E23690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E23690 second address: E23696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E23696 second address: E2369C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E2369C second address: E236A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E236A2 second address: E236A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E236A8 second address: E236BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E236BF second address: E236CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD3F95E0F76h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E236CA second address: E236F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD3F95E0CE2h 0x00000008 jmp 00007FD3F95E0CE1h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E236F2 second address: E2370D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD3F95E0F83h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E234D0 second address: E234D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E27335 second address: E2734F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD3F95E0F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007FD3F95E0F7Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E27042 second address: E27054 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CDEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: E27054 second address: E2705E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEC226 second address: EEC22A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEB181 second address: EEB1A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b pop esi 0x0000000c jp 00007FD3F95E0F76h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEB1A6 second address: EEB1B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jo 00007FD3F95E0CD6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEB1B3 second address: EEB1C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FD3F95E0F76h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEB1C0 second address: EEB1D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007FD3F95E0CFCh 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEB1D8 second address: EEB1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEB332 second address: EEB347 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FD3F95E0CDCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEB4B7 second address: EEB4CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD3F95E0F7Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEB4CF second address: EEB4D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEBA1E second address: EEBA24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEBDCE second address: EEBDD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEBDD7 second address: EEBDDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEBDDB second address: EEBDE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEBDE1 second address: EEBDFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FD3F95E0F82h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EEBDFD second address: EEBE0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CDDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EF1922 second address: EF192C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FD3F95E0F76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: EF192C second address: EF1930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: 720000A second address: 7200010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: 7200010 second address: 7200014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: 7200014 second address: 7200067 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edx, 205A47E0h 0x00000014 pushfd 0x00000015 jmp 00007FD3F95E0F89h 0x0000001a sbb al, FFFFFFE6h 0x0000001d jmp 00007FD3F95E0F81h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: 7200067 second address: 7200086 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD3F95E0CE1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: 7200086 second address: 720009B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe RDTSC instruction interceptor: First address: 720009B second address: 7200113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD3F95E0CE7h 0x00000009 xor ecx, 0EE7362Eh 0x0000000f jmp 00007FD3F95E0CE9h 0x00000014 popfd 0x00000015 jmp 00007FD3F95E0CE0h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FD3F95E0CDDh 0x00000027 add ch, 00000016h 0x0000002a jmp 00007FD3F95E0CE1h 0x0000002f popfd 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200113 second address: 7200189 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FD3F95E0F86h 0x00000010 mov eax, dword ptr fs:[00000030h] 0x00000016 jmp 00007FD3F95E0F80h 0x0000001b sub esp, 18h 0x0000001e jmp 00007FD3F95E0F80h 0x00000023 xchg eax, ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FD3F95E0F87h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200189 second address: 72001C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 pushfd 0x00000007 jmp 00007FD3F95E0CE0h 0x0000000c jmp 00007FD3F95E0CE5h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72001C0 second address: 72001C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72001C4 second address: 72001DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72001DE second address: 72002E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD3F95E0F81h 0x00000009 jmp 00007FD3F95E0F7Bh 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007FD3F95E0F88h 0x00000015 sbb ecx, 38C906A8h 0x0000001b jmp 00007FD3F95E0F7Bh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 xchg eax, ebx 0x00000025 jmp 00007FD3F95E0F86h 0x0000002a mov ebx, dword ptr [eax+10h] 0x0000002d pushad 0x0000002e mov ebx, ecx 0x00000030 pushfd 0x00000031 jmp 00007FD3F95E0F7Ah 0x00000036 adc ah, 00000038h 0x00000039 jmp 00007FD3F95E0F7Bh 0x0000003e popfd 0x0000003f popad 0x00000040 xchg eax, esi 0x00000041 pushad 0x00000042 mov ax, 6E8Bh 0x00000046 movzx eax, di 0x00000049 popad 0x0000004a push eax 0x0000004b pushad 0x0000004c call 00007FD3F95E0F88h 0x00000051 push ecx 0x00000052 pop edi 0x00000053 pop ecx 0x00000054 jmp 00007FD3F95E0F87h 0x00000059 popad 0x0000005a xchg eax, esi 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e mov cx, di 0x00000061 pushfd 0x00000062 jmp 00007FD3F95E0F87h 0x00000067 adc eax, 1D44C16Eh 0x0000006d jmp 00007FD3F95E0F89h 0x00000072 popfd 0x00000073 popad 0x00000074 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72002E4 second address: 72002EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72002EA second address: 72002EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72002EE second address: 720036D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [756006ECh] 0x0000000e jmp 00007FD3F95E0CDFh 0x00000013 test esi, esi 0x00000015 jmp 00007FD3F95E0CE6h 0x0000001a jne 00007FD3F95E1B95h 0x00000020 pushad 0x00000021 pushad 0x00000022 jmp 00007FD3F95E0CDCh 0x00000027 mov cx, 2D51h 0x0000002b popad 0x0000002c popad 0x0000002d push eax 0x0000002e jmp 00007FD3F95E0CE8h 0x00000033 mov dword ptr [esp], edi 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 jmp 00007FD3F95E0CDDh 0x0000003e movzx esi, di 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 720036D second address: 72003C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD3F95E0F84h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call dword ptr [755D0B60h] 0x00000011 mov eax, 7696E5E0h 0x00000016 ret 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FD3F95E0F7Eh 0x0000001e or ax, 4198h 0x00000023 jmp 00007FD3F95E0F7Bh 0x00000028 popfd 0x00000029 movzx eax, di 0x0000002c popad 0x0000002d push 00000044h 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FD3F95E0F7Eh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72003C4 second address: 72003CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72003CA second address: 72003CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72003CE second address: 72003F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD3F95E0CDDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72003F1 second address: 7200427 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FD3F95E0F7Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD3F95E0F7Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200427 second address: 720043C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 720043C second address: 7200442 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200442 second address: 7200446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200446 second address: 7200463 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD3F95E0F82h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200463 second address: 7200488 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD3F95E0CE0h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200488 second address: 7200497 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 720050C second address: 720051E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 mov dl, 29h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esi, eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 720051E second address: 7200522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200522 second address: 7200528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200528 second address: 720052E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 720052E second address: 7200532 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200532 second address: 7200578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007FD3F95E0F88h 0x0000000f je 00007FD4679600CAh 0x00000015 pushad 0x00000016 mov ebx, ecx 0x00000018 mov ah, 05h 0x0000001a popad 0x0000001b mov eax, 00000000h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FD3F95E0F81h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200578 second address: 7200599 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 mov edx, 36E9E22Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esi], edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD3F95E0CE0h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200599 second address: 7200610 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c jmp 00007FD3F95E0F86h 0x00000011 mov dword ptr [esi+08h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FD3F95E0F7Dh 0x0000001d and ax, 2BC6h 0x00000022 jmp 00007FD3F95E0F81h 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007FD3F95E0F80h 0x0000002e xor ecx, 1E571468h 0x00000034 jmp 00007FD3F95E0F7Bh 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200610 second address: 7200616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200616 second address: 720061A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 720061A second address: 720063B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+0Ch], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD3F95E0CE3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 720063B second address: 720066F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FD3F95E0F84h 0x0000000c or al, 00000028h 0x0000000f jmp 00007FD3F95E0F7Bh 0x00000014 popfd 0x00000015 popad 0x00000016 mov eax, dword ptr [ebx+4Ch] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 720066F second address: 7200673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200673 second address: 7200679 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200679 second address: 7200696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3F95E0CE9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200767 second address: 7200805 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD3F95E0F7Fh 0x00000009 adc ecx, 52C2D00Eh 0x0000000f jmp 00007FD3F95E0F89h 0x00000014 popfd 0x00000015 movzx esi, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esi+1Ch], eax 0x0000001e pushad 0x0000001f mov cl, bh 0x00000021 mov cx, 3021h 0x00000025 popad 0x00000026 mov eax, dword ptr [ebx+5Ch] 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FD3F95E0F89h 0x00000032 xor si, D5A6h 0x00000037 jmp 00007FD3F95E0F81h 0x0000003c popfd 0x0000003d pushfd 0x0000003e jmp 00007FD3F95E0F80h 0x00000043 adc ax, 6348h 0x00000048 jmp 00007FD3F95E0F7Bh 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200805 second address: 720080B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 720080B second address: 7200847 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+20h], eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007FD3F95E0F82h 0x00000017 add ecx, 40BB48D8h 0x0000001d jmp 00007FD3F95E0F7Bh 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200847 second address: 72008F0 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD3F95E0CE8h 0x00000008 xor esi, 030C1338h 0x0000000e jmp 00007FD3F95E0CDBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 call 00007FD3F95E0CE8h 0x0000001b push ecx 0x0000001c pop edi 0x0000001d pop ecx 0x0000001e popad 0x0000001f mov eax, dword ptr [ebx+60h] 0x00000022 pushad 0x00000023 mov si, di 0x00000026 popad 0x00000027 mov dword ptr [esi+24h], eax 0x0000002a jmp 00007FD3F95E0CE0h 0x0000002f mov eax, dword ptr [ebx+64h] 0x00000032 jmp 00007FD3F95E0CE0h 0x00000037 mov dword ptr [esi+28h], eax 0x0000003a pushad 0x0000003b push eax 0x0000003c call 00007FD3F95E0CDDh 0x00000041 pop ecx 0x00000042 pop edi 0x00000043 mov di, si 0x00000046 popad 0x00000047 mov eax, dword ptr [ebx+68h] 0x0000004a pushad 0x0000004b mov eax, 763735A5h 0x00000050 mov esi, 3B8A8721h 0x00000055 popad 0x00000056 mov dword ptr [esi+2Ch], eax 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72008F0 second address: 7200909 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200909 second address: 720090F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 720090F second address: 7200945 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [ebx+6Ch] 0x0000000c jmp 00007FD3F95E0F7Fh 0x00000011 mov word ptr [esi+30h], ax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FD3F95E0F85h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200945 second address: 72009B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD3F95E0CE7h 0x00000009 or cl, 0000003Eh 0x0000000c jmp 00007FD3F95E0CE9h 0x00000011 popfd 0x00000012 mov edx, esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ax, word ptr [ebx+00000088h] 0x0000001e jmp 00007FD3F95E0CDAh 0x00000023 mov word ptr [esi+32h], ax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FD3F95E0CE7h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72009B0 second address: 72009C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3F95E0F84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 72009C8 second address: 7200A92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+0000008Ch] 0x00000011 pushad 0x00000012 push eax 0x00000013 mov eax, edi 0x00000015 pop edx 0x00000016 pushfd 0x00000017 jmp 00007FD3F95E0CDCh 0x0000001c adc si, E228h 0x00000021 jmp 00007FD3F95E0CDBh 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [esi+34h], eax 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FD3F95E0CE4h 0x00000032 and ax, 9488h 0x00000037 jmp 00007FD3F95E0CDBh 0x0000003c popfd 0x0000003d mov ebx, eax 0x0000003f popad 0x00000040 mov eax, dword ptr [ebx+18h] 0x00000043 jmp 00007FD3F95E0CE2h 0x00000048 mov dword ptr [esi+38h], eax 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e pushfd 0x0000004f jmp 00007FD3F95E0CDDh 0x00000054 sbb cl, 00000056h 0x00000057 jmp 00007FD3F95E0CE1h 0x0000005c popfd 0x0000005d pushfd 0x0000005e jmp 00007FD3F95E0CE0h 0x00000063 and esi, 1EFB5478h 0x00000069 jmp 00007FD3F95E0CDBh 0x0000006e popfd 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200A92 second address: 7200ACE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+1Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD3F95E0F88h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200ACE second address: 7200AD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200AD2 second address: 7200AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200AD8 second address: 7200BC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, A913h 0x00000007 mov eax, 62D3C36Fh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esi+3Ch], eax 0x00000012 jmp 00007FD3F95E0CE2h 0x00000017 mov eax, dword ptr [ebx+20h] 0x0000001a jmp 00007FD3F95E0CE0h 0x0000001f mov dword ptr [esi+40h], eax 0x00000022 jmp 00007FD3F95E0CE0h 0x00000027 lea eax, dword ptr [ebx+00000080h] 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007FD3F95E0CDEh 0x00000034 jmp 00007FD3F95E0CE5h 0x00000039 popfd 0x0000003a pushfd 0x0000003b jmp 00007FD3F95E0CE0h 0x00000040 adc cx, E788h 0x00000045 jmp 00007FD3F95E0CDBh 0x0000004a popfd 0x0000004b popad 0x0000004c push 00000001h 0x0000004e jmp 00007FD3F95E0CE6h 0x00000053 nop 0x00000054 jmp 00007FD3F95E0CE0h 0x00000059 push eax 0x0000005a jmp 00007FD3F95E0CDBh 0x0000005f nop 0x00000060 jmp 00007FD3F95E0CE6h 0x00000065 lea eax, dword ptr [ebp-10h] 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b mov dl, ADh 0x0000006d pushad 0x0000006e popad 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200BC8 second address: 7200BDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 77253966h 0x00000008 mov esi, ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200BDC second address: 7200BF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200BF7 second address: 7200BFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200BFD second address: 7200C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200C36 second address: 7200C8C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD3F95E0F89h 0x00000008 jmp 00007FD3F95E0F7Bh 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 call 00007FD3F95E0F88h 0x00000015 movzx esi, dx 0x00000018 pop edx 0x00000019 popad 0x0000001a mov edi, eax 0x0000001c pushad 0x0000001d mov dx, ax 0x00000020 popad 0x00000021 test edi, edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200C8C second address: 7200C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200C90 second address: 7200CAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200CAA second address: 7200CF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD3F95E0CE1h 0x00000009 jmp 00007FD3F95E0CDBh 0x0000000e popfd 0x0000000f movzx eax, dx 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 js 00007FD46795F6C8h 0x0000001b jmp 00007FD3F95E0CDBh 0x00000020 mov eax, dword ptr [ebp-0Ch] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FD3F95E0CE0h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200CF9 second address: 7200CFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200CFD second address: 7200D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200D03 second address: 7200D31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c jmp 00007FD3F95E0F80h 0x00000011 lea eax, dword ptr [ebx+78h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200D31 second address: 7200D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200D35 second address: 7200D3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200D3B second address: 7200DEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b jmp 00007FD3F95E0CE0h 0x00000010 nop 0x00000011 pushad 0x00000012 mov ebx, ecx 0x00000014 mov bh, cl 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FD3F95E0CE2h 0x0000001f and si, 03F8h 0x00000024 jmp 00007FD3F95E0CDBh 0x00000029 popfd 0x0000002a mov ax, 952Fh 0x0000002e popad 0x0000002f nop 0x00000030 jmp 00007FD3F95E0CE2h 0x00000035 lea eax, dword ptr [ebp-08h] 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007FD3F95E0CDEh 0x0000003f sub si, 8D88h 0x00000044 jmp 00007FD3F95E0CDBh 0x00000049 popfd 0x0000004a mov bl, al 0x0000004c popad 0x0000004d push ecx 0x0000004e jmp 00007FD3F95E0CE0h 0x00000053 mov dword ptr [esp], eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200DEB second address: 7200DF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200DF1 second address: 7200DF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200E17 second address: 7200E34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0F89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200E34 second address: 7200EBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3F95E0CE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b pushad 0x0000000c mov di, si 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FD3F95E0CE6h 0x00000016 and cl, 00000038h 0x00000019 jmp 00007FD3F95E0CDBh 0x0000001e popfd 0x0000001f mov ch, B0h 0x00000021 popad 0x00000022 popad 0x00000023 js 00007FD46795F515h 0x00000029 jmp 00007FD3F95E0CDBh 0x0000002e mov eax, dword ptr [ebp-04h] 0x00000031 pushad 0x00000032 mov cx, 067Bh 0x00000036 pushfd 0x00000037 jmp 00007FD3F95E0CE0h 0x0000003c sub cx, 2BC8h 0x00000041 jmp 00007FD3F95E0CDBh 0x00000046 popfd 0x00000047 popad 0x00000048 mov dword ptr [esi+08h], eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRDTSC instruction interceptor: First address: 7200EBF second address: 7200EC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeSpecial instruction interceptor: First address: D1C404 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeSpecial instruction interceptor: First address: B7B887 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeSpecial instruction interceptor: First address: D2174C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeCode function: 0_2_071D0599 rdtsc 0_2_071D0599
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeAPI coverage: 4.2 %
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe TID: 4500Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: Gy53Tq6BdK.exe, Gy53Tq6BdK.exe, 00000000.00000002.1652629707.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.4.drBinary or memory string: VMware
Source: Amcache.hve.4.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin
Source: Amcache.hve.4.drBinary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.4.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.4.drBinary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Gy53Tq6BdK.exe, 00000000.00000003.1484547852.0000000006A61000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlO#0
Source: Amcache.hve.4.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Gy53Tq6BdK.exe, 00000000.00000002.1653315673.00000000016C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.drBinary or memory string: vmci.sys
Source: Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin`
Source: Amcache.hve.4.drBinary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.drBinary or memory string: VMware20,1
Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.drBinary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.drBinary or memory string: VMware VMCI Bus Device
Source: Gy53Tq6BdK.exe, 00000000.00000003.1482542456.0000000001682000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: Amcache.hve.4.drBinary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Gy53Tq6BdK.exe, 00000000.00000002.1652629707.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.4.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeSystem information queried: ModuleInformationJump to behavior
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Code function: 0_2_071F071A Start: 071F078C End: 071F0786
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Code function: 0_2_072308DE Start: 07230A49 End: 07230946
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Code function: 0_2_072703B6 Start: 072705EB End: 0727051C
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | File opened: NTICE
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | File opened: SICE
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Code function: 0_2_071D0599 rdtsc
Source: Gy53Tq6BdK.exe, Gy53Tq6BdK.exe, 00000000.00000002.1652629707.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CQZProgram Manager
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Gy53Tq6BdK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 2 Process Injection | 24 Virtualization/Sandbox Evasion | OS Credential Dumping | 751 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Process Injection | LSASS Memory | 24 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 214 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Source | Detection | Scanner | Label
Gy53Tq6BdK.exe | 66% | ReversingLabs | Win32.Trojan.Amadey
Gy53Tq6BdK.exe | 67% | Virustotal |
Gy53Tq6BdK.exe | 100% | Avira | TR/Crypt.TPM.Gen
Gy53Tq6BdK.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
httpbin.org | 34.226.108.155 | true | false | | high
home.fivetk5ht.top | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPR | Gy53Tq6BdK.exe, 00000000.00000002.1653315673.00000000016FC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp | Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://httpbin.org/ipbefore | Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv173457985135a1 | Gy53Tq6BdK.exe, 00000000.00000002.1653315673.000000000164E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851 | Gy53Tq6BdK.exe, 00000000.00000002.1653315673.000000000164E000.00000004.00000020.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17 | Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://upx.sf.net | Amcache.hve.4.dr | false | | high
https://curl.se/docs/alt-svc.html | Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | Gy53Tq6BdK.exe, 00000000.00000003.1453626790.00000000074E6000.00000004.00001000.00020000.00000000.sdmp, Gy53Tq6BdK.exe, 00000000.00000002.1651925818.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851PX | Gy53Tq6BdK.exe, 00000000.00000002.1653315673.00000000016C0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
34.226.108.155 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579674
Start date and time: 2024-12-23 07:24:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Gy53Tq6BdK.exe (renamed because original name is a hash value)
Original Sample Name: 49fc187b211896a8d43fb7f54686b072.exe
Detection: MAL
Classification: mal100.evad.winEXE@2/5@14/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20, 52.168.117.173, 20.190.177.85, 4.245.163.56, 13.107.246.63
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
01:25:22 | API Interceptor | 6x Sleep call for process: Gy53Tq6BdK.exe modified
01:25:36 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.226.108.155 | OmLwjD18cO.exe | malicious | Clipboard Hijacker, Cryptbot |
34.226.108.155 | N3s5DQ51YF.exe | malicious | Clipboard Hijacker, Cryptbot |
34.226.108.155 | Yda6AxtlVP.exe | malicious | Unknown |
34.226.108.155 | 2OJYjm4J1B.exe | malicious | Unknown |
34.226.108.155 | ze38hsiGOb.exe | malicious | Clipboard Hijacker, Cryptbot |
34.226.108.155 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
34.226.108.155 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig |
34.226.108.155 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc |
34.226.108.155 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig |
34.226.108.155 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | t9iCli9iWK.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | uwa78qqv0x.exe | malicious | Unknown | 98.85.100.80
httpbin.org | OmLwjD18cO.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | N3s5DQ51YF.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | fW6RLQpTIt.exe | malicious | Cryptbot | 98.85.100.80
httpbin.org | p3a0oZ4U7X.exe | malicious | Unknown | 98.85.100.80
httpbin.org | 3mwHWIPiSo.exe | malicious | Cryptbot | 98.85.100.80
httpbin.org | QeM0UAj5PK.exe | malicious | Unknown | 98.85.100.80
httpbin.org | GO33c8HVWG.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | 5JfTgoNUcB.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-AESUS | HRpFufG1LJ.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | OmLwjD18cO.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | N3s5DQ51YF.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | Yda6AxtlVP.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | 2OJYjm4J1B.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | ze38hsiGOb.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | armv4l.elf | malicious | Unknown | 54.88.200.107
AMAZON-AESUS | loligang.sh4.elf | malicious | Mirai | 54.137.103.116
AMAZON-AESUS | loligang.mpsl.elf | malicious | Mirai | 54.136.31.230
AMAZON-AESUS | arm5.nn.elf | malicious | Mirai, Okiru | 54.2.45.144
No context
No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.943001090826797
Encrypted: false
SSDEEP: 192:xQbWQtn0BU/Qju0ZrPMtwzuiFGZ24IO8+:i6Qt0BU/Qj5zuiFGY4IO8+
MD5: 83EF6F8B28E33401B7D939F5F2E0ABFF
SHA1: 10D8B30F974A885E4B91299E45D60EEDDEA82B27
SHA-256: E56FE76B2DCE685C7BD08745F5B5D68404F2ED7D8A3F76CE9D77089D1B06E902
SHA-512: E4411DD765ED0F1D18984182AD5623224F25DE331198AE61E68BE18686F98172E638B025CD9D6AA56C4B8CF4F114BE0702CD9B1AED1B7FE25F60957D1C255366
Malicious: true
Reputation: low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.4.0.8.7.2.4.8.2.1.5.2.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.4.0.8.7.2.6.1.4.9.6.6.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.3.3.5.0.a.d.-.5.7.8.9.-.4.6.d.e.-.8.e.f.e.-.c.f.d.0.c.a.1.9.d.8.8.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.a.e.d.2.9.e.-.c.d.9.a.-.4.d.9.b.-.a.1.a.7.-.b.b.0.1.9.a.1.f.b.d.7.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.G.y.5.3.T.q.6.B.d.K...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.1.0.-.0.0.0.1.-.0.0.1.4.-.e.4.4.f.-.1.3.6.f.0.3.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.d.3.3.6.6.c.d.7.f.8.b.6.a.4.e.b.7.e.e.6.f.2.f.5.7.0.a.0.7.f.f.0.0.0.0.f.f.f.f.!.0.0.0.0.2.0.2.f.b.b.9.b.5.3.0.2.3.f.6.c.3.c.1.0.1.a.8.7.1.e.7.1.6.a.3.5.e.e.0.6.f.6.9.d.!.G.y.5.3.T.q.6.B.d.K...e.x.e.....T.a.r.g.e.t.A.p.p.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Mon Dec 23 06:25:25 2024, 0x1205a4 type
Category: dropped
Size (bytes): 215946
Entropy (8bit): 1.3985914982370566
Encrypted: false
SSDEEP: 768:5T+ERFQzEqTkaXaHp0OAIfHSm+C7uPDM3aqn:5T+EbQ5kK2BAIvQC+oBn
MD5: 80370F54BD3D11222C83878B2A701055
SHA1: 66E5A509B99FE9EEA55A132B22E399FEC4DAB7A4
SHA-256: A0BAA6EACDF8470A4D5D0FFE32E7C03ACC54DD8AFFB87B4079BA4EFABB7EC1BC
SHA-512: D46C2C24146E55398C006F48D4614BBEE83BCE4718F14353EA84D019FE10897E52ABA3543F0388B610AA21A341FC6B1B959282A169E1961255B809BCFE8CD155
Malicious: false
Reputation: low
Preview: MDMP..a..... .......U.ig............D...........D...X............ ......D....z..........`.......8...........T...........H,..B........... !...........#..............................................................................eJ.......#......GenuineIntel............T...........M.ig.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8348
Entropy (8bit): 3.7001522254639356
Encrypted: false
SSDEEP: 192:R6l7wVeJUM6W6YSQSUDgmfxbmrprU89bqXsfqOm:R6lXJf6W6YlSUDgmfxb2qcf6
MD5: BCAC93F89F5C455A0F5289CC194F8860
SHA1: 74B1F9BAEB0ECFD19EC6C75A45ECF774377B4743
SHA-256: 858FD60CDE1AA5439D8CEDB7B9FDCF32D94B02782F543E7426622D7E52EB8A86
SHA-512: CDF03AA45CB580AB41A96BA0C07E54BDE17727E2D843573DC0F599F2DB4B9B029C7810D833B47F55DAF95219A7AB432AD6412ED158DEAF5D02111311E01DC277
Malicious: false
Reputation: low
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.3.2.<./.P.i.
Process: C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):4594
                                                        Entropy (8bit):4.471950656098234
                                                        Encrypted:false
                                                        SSDEEP:48:cvIwWl8zsn+Jg77aI9zwWpW8VYlPYm8M4JmBK5F5+q8dHulPIUzZUAd:uIjfn0I7hJ7VcSJmB8WOlPIUzZUAd
                                                        MD5:3FC2A06628A39D23C0AAD05BB46A89C2
                                                        SHA1:17028146965E6A41F6B92437A13B188BB69E21F3
                                                        SHA-256:9A386049DCA67CDFCB298A9C06AAE57500A7EFF1F0CA79AAFC468E24BF668B8A
                                                        SHA-512:6F82202E7EC4761AB6C38918C087FAB9DB4C3FA1F51EE28C1E1BB6772549CC8935854178866D2AF29EFA186B139612C1069E5ED67D145E1F2FE7DC1A537D5ADC
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="643528" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:MS Windows registry file, NT/2000 or above
                                                        Category:dropped
                                                        Size (bytes):1835008
                                                        Entropy (8bit):4.372058456763575
                                                        Encrypted:false
                                                        SSDEEP:6144:DFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNFiL:5V1QyWWI/glMM6kF73q
                                                        MD5:ED485C9DDC947C2D35AA4873A558427F
                                                        SHA1:9D61333CAD95D000519EFF462338BCF53927DF17
                                                        SHA-256:66546AE05625E908C76CDF9C7478A6277D2C3EDA08849DED3BA048B0512647DA
                                                        SHA-512:07C86059800850B9F1FA6B8B75B77E136256384729CDF4F08C6046A14C7077CE8558ACAE0538AD26B41C859CD05FBF3CD0D1D4272C39083F5EA5FB8065BCFF50
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmrqks.U...............................................................................................................................................................................................................................................................................................................................................~|G........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                        Entropy (8bit):7.984920105910557
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • VXD Driver (31/22) 0.00%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:Gy53Tq6BdK.exe
                                                        File size:4'468'736 bytes
                                                        MD5:49fc187b211896a8d43fb7f54686b072
                                                        SHA1:202fbb9b53023f6c3c101a871e716a35ee06f69d
                                                        SHA256:529c63741b376355bc8cd10c2d28279719e2167474d02272fb365d3f1f536129
                                                        SHA512:d58b50d743d52ccb09f1a41d651258ad6648099b24de63c5e416669afefa26d685bf2ab1cc80d693753f32ba2ecffd25334d1bc360b7d7adf0ac442c78a37acf
                                                        SSDEEP:98304:d+ti7+kh2BWzN/cki6Xayhos0BtruSybD/Ko6gELrpP:Ati7+I2BWzpPi6X7mxf6tbbPs
                                                        TLSH:232633F6DCB30923E31590B7C7251528B67EED0C0AE2CBA9620BD6D47ABB057593D309
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...........pH...@.................................dVD...@... ............................
                                                        Icon Hash:00928e8e8686b000
                                                        Entrypoint:0x108b000
                                                        Entrypoint Section:.taggant
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                        DLL Characteristics:DYNAMIC_BASE
                                                        Time Stamp:0x67639809 [Thu Dec 19 03:50:33 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                        Instruction
                                                        jmp 00007FD3F8E5ED5Ah
                                                        femms
                                                        inc esp
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add cl, ch
                                                        add byte ptr [eax], ah
                                                        add byte ptr [eax], al
                                                        add byte ptr [ebx], cl
                                                        or al, byte ptr [eax]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], dh
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax+eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        and al, byte ptr [eax]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        or al, 80h
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        adc byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        pop es
                                                        or al, byte ptr [eax]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74705f | 0x73 | .idata
                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x746000 | 0x1ac | .rsrc
                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc895fc | 0x10 | pfkrromk
                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0xc895ac | 0x18 | pfkrromk
                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                          | 0x1000 | 0x745000 | 0x284c00 | fd16b4cb889a19a45a1d8a2e46be249d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                         .rsrc | 0x746000 | 0x1ac | 0x200 | 483945143665abb1b011986d30bf9342 | False | 0.583984375 | data | 4.554398239379002 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                         .idata | 0x747000 | 0x1000 | 0x200 | e84636d45557e74dadd0f14f36394655 | False | 0.166015625 | data | 1.1471680400846989 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          | 0x748000 | 0x387000 | 0x200 | 167f1dfda8e674ab2b79b48b1e6dec06 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                         pfkrromk | 0xacf000 | 0x1bb000 | 0x1ba800 | 7fa4da585eb459a9a27de1d97ef1518e | False | 0.9940523481638418 | data | 7.954681489515957 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                         hghjijlv | 0xc8a000 | 0x1000 | 0x400 | 86af8c88a2631618408a6c32a9b99810 | False | 0.7412109375 | data | 5.81020072787371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                         .taggant | 0xc8b000 | 0x3000 | 0x2200 | 4f9eda936ec4c7f1c4aab794417aaf1c | False | 0.06893382352941177 | DOS executable (COM) | 0.7854826158139392 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                         RT_MANIFEST | 0xc8960c | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
                                                         DLL | Import
                                                         kernel32.dll | lstrcpy
                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                         Dec 23, 2024 07:25:19.890254974 CET | 49704 | 443 | 192.168.2.8 | 34.226.108.155
                                                         Dec 23, 2024 07:25:19.890299082 CET | 443 | 49704 | 34.226.108.155 | 192.168.2.8
                                                         Dec 23, 2024 07:25:19.890389919 CET | 49704 | 443 | 192.168.2.8 | 34.226.108.155
                                                         Dec 23, 2024 07:25:19.907917023 CET | 49704 | 443 | 192.168.2.8 | 34.226.108.155
                                                         Dec 23, 2024 07:25:19.907932997 CET | 443 | 49704 | 34.226.108.155 | 192.168.2.8
                                                         Dec 23, 2024 07:25:21.643804073 CET | 443 | 49704 | 34.226.108.155 | 192.168.2.8
                                                         Dec 23, 2024 07:25:21.644416094 CET | 49704 | 443 | 192.168.2.8 | 34.226.108.155
                                                         Dec 23, 2024 07:25:21.644460917 CET | 443 | 49704 | 34.226.108.155 | 192.168.2.8
                                                         Dec 23, 2024 07:25:21.645881891 CET | 443 | 49704 | 34.226.108.155 | 192.168.2.8
                                                         Dec 23, 2024 07:25:21.645976067 CET | 49704 | 443 | 192.168.2.8 | 34.226.108.155
                                                         Dec 23, 2024 07:25:21.647336960 CET | 49704 | 443 | 192.168.2.8 | 34.226.108.155
                                                         Dec 23, 2024 07:25:21.647427082 CET | 443 | 49704 | 34.226.108.155 | 192.168.2.8
                                                         Dec 23, 2024 07:25:21.652894020 CET | 49704 | 443 | 192.168.2.8 | 34.226.108.155
                                                         Dec 23, 2024 07:25:21.652934074 CET | 443 | 49704 | 34.226.108.155 | 192.168.2.8
                                                         Dec 23, 2024 07:25:21.704924107 CET | 49704 | 443 | 192.168.2.8 | 34.226.108.155
                                                         Dec 23, 2024 07:25:21.974447966 CET | 443 | 49704 | 34.226.108.155 | 192.168.2.8
                                                         Dec 23, 2024 07:25:21.974539995 CET | 443 | 49704 | 34.226.108.155 | 192.168.2.8
                                                         Dec 23, 2024 07:25:21.974617004 CET | 49704 | 443 | 192.168.2.8 | 34.226.108.155
                                                         Dec 23, 2024 07:25:21.983726025 CET | 49704 | 443 | 192.168.2.8 | 34.226.108.155
                                                         Dec 23, 2024 07:25:21.983767986 CET | 443 | 49704 | 34.226.108.155 | 192.168.2.8
                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                         Dec 23, 2024 07:25:19.592343092 CET | 63981 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:19.592417002 CET | 63981 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:19.729218006 CET | 53 | 63981 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:19.885040045 CET | 53 | 63981 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:22.714243889 CET | 63984 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:22.714402914 CET | 63984 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:23.125348091 CET | 53 | 63984 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:23.341290951 CET | 53 | 63984 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:23.803997040 CET | 63985 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:23.804060936 CET | 63985 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:23.942699909 CET | 53 | 63985 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:23.942806959 CET | 53 | 63985 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:24.119517088 CET | 63986 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:24.119568110 CET | 63986 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:24.257167101 CET | 53 | 63986 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:24.257184982 CET | 53 | 63986 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:24.426192999 CET | 63987 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:24.426286936 CET | 63987 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:24.563126087 CET | 53 | 63987 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:24.563162088 CET | 53 | 63987 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:24.734102011 CET | 63988 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:24.734153032 CET | 63988 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:24.872102022 CET | 53 | 63988 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:24.872121096 CET | 53 | 63988 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:25.053776979 CET | 63989 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:25.053819895 CET | 63989 | 53 | 192.168.2.8 | 1.1.1.1
                                                         Dec 23, 2024 07:25:25.191848040 CET | 53 | 63989 | 1.1.1.1 | 192.168.2.8
                                                         Dec 23, 2024 07:25:25.191910028 CET | 53 | 63989 | 1.1.1.1 | 192.168.2.8
                                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                         Dec 23, 2024 07:25:19.592343092 CET | 192.168.2.8 | 1.1.1.1 | 0x456b | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:19.592417002 CET | 192.168.2.8 | 1.1.1.1 | 0x5ae2 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:22.714243889 CET | 192.168.2.8 | 1.1.1.1 | 0xd37b | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:22.714402914 CET | 192.168.2.8 | 1.1.1.1 | 0x828e | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:23.803997040 CET | 192.168.2.8 | 1.1.1.1 | 0x9de1 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:23.804060936 CET | 192.168.2.8 | 1.1.1.1 | 0xef47 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:24.119517088 CET | 192.168.2.8 | 1.1.1.1 | 0x566c | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:24.119568110 CET | 192.168.2.8 | 1.1.1.1 | 0xf024 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:24.426192999 CET | 192.168.2.8 | 1.1.1.1 | 0x91a3 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:24.426286936 CET | 192.168.2.8 | 1.1.1.1 | 0x3486 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:24.734102011 CET | 192.168.2.8 | 1.1.1.1 | 0xf974 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:24.734153032 CET | 192.168.2.8 | 1.1.1.1 | 0x19b4 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:25.053776979 CET | 192.168.2.8 | 1.1.1.1 | 0x81f6 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:25.053819895 CET | 192.168.2.8 | 1.1.1.1 | 0x9749 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
                                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                         Dec 23, 2024 07:25:19.885040045 CET | 1.1.1.1 | 192.168.2.8 | 0x456b | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:19.885040045 CET | 1.1.1.1 | 192.168.2.8 | 0x456b | No error (0) | httpbin.org | | 98.85.100.80 | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:23.125348091 CET | 1.1.1.1 | 192.168.2.8 | 0xd37b | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:23.341290951 CET | 1.1.1.1 | 192.168.2.8 | 0x828e | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:23.942699909 CET | 1.1.1.1 | 192.168.2.8 | 0xef47 | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:23.942806959 CET | 1.1.1.1 | 192.168.2.8 | 0x9de1 | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:24.257167101 CET | 1.1.1.1 | 192.168.2.8 | 0x566c | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:24.257184982 CET | 1.1.1.1 | 192.168.2.8 | 0xf024 | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:24.563126087 CET | 1.1.1.1 | 192.168.2.8 | 0x3486 | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:24.563162088 CET | 1.1.1.1 | 192.168.2.8 | 0x91a3 | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:24.872102022 CET | 1.1.1.1 | 192.168.2.8 | 0xf974 | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:24.872121096 CET | 1.1.1.1 | 192.168.2.8 | 0x19b4 | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:25.191848040 CET | 1.1.1.1 | 192.168.2.8 | 0x81f6 | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false
                                                         Dec 23, 2024 07:25:25.191910028 CET | 1.1.1.1 | 192.168.2.8 | 0x9749 | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false
                                                        • httpbin.org
                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        0 | 192.168.2.8 | 49704 | 34.226.108.155 | 443 | 2832 | C:\Users\user\Desktop\Gy53Tq6BdK.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-23 06:25:21 UTC | 52 | OUT | GET /ip HTTP/1.1
                                                        Host: httpbin.org
                                                        Accept: */*
                                                        2024-12-23 06:25:21 UTC | 224 | IN | HTTP/1.1 200 OK
                                                        Date: Mon, 23 Dec 2024 06:25:21 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 31
                                                        Connection: close
                                                        Server: gunicorn/19.9.0
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Allow-Credentials: true
                                                        2024-12-23 06:25:21 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                        Data Ascii: { "origin": "8.46.123.189"}



                                                        Target ID: 0
                                                        Start time: 01:25:17
                                                        Start date: 23/12/2024
                                                        Path: C:\Users\user\Desktop\Gy53Tq6BdK.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: "C:\Users\user\Desktop\Gy53Tq6BdK.exe"
                                                        Imagebase: 0x430000
                                                        File size: 4'468'736 bytes
                                                        MD5 hash: 49FC187B211896A8D43FB7F54686B072
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: low
                                                        Has exited: true

                                                        Target ID: 4
                                                        Start time: 01:25:24
                                                        Start date: 23/12/2024
                                                        Path: C:\Windows\SysWOW64\WerFault.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1152
                                                        Imagebase: 0xdf0000
                                                        File size: 483'680 bytes
                                                        MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: high
                                                        Has exited: true


                                                          Execution Graph

                                                          Execution Coverage: 0.1%
                                                          Dynamic/Decrypted Code Coverage: 100%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 47
                                                          Total number of Limit Nodes: 2
                                                          [execution_graph rendering omitted: nodes in the 71f0xxx region call GetLogicalDrives, nodes in the 7230xxx region call Process32FirstW, nodes in the 7240xxx region call Process32NextW]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: be61f4c299db0e883bc1ee537b98cba2295d5e1ccf6cd118a4f628f3810cbe85
                                                          • Instruction ID: 1c8e35a832113e4a711148499c0e4bae5e7733cc09b8cd6bc00a37a307951f39
                                                          • Opcode Fuzzy Hash: be61f4c299db0e883bc1ee537b98cba2295d5e1ccf6cd118a4f628f3810cbe85
                                                          • Instruction Fuzzy Hash: BFA13BEB56C125BDB219C0816B54AFB676EE2CB730F32842BF807D5582E3984F4A1931

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: /bw@
                                                          • API String ID: 0-2229588379
                                                          • Opcode ID: 9c9174fb3c9000c2516e9288a1129b4a1c6a80b7a6fdc0f94f08d48ad328d3ee
                                                          • Instruction ID: 9c4170056dfae17889f01e3a1707262c358a92f779eae41af6cb8992a9b4cf70
                                                          • Opcode Fuzzy Hash: 9c9174fb3c9000c2516e9288a1129b4a1c6a80b7a6fdc0f94f08d48ad328d3ee
                                                          • Instruction Fuzzy Hash: D361E6EB27C115BE722294851B54AFB6A2FE6D7730F308426B407DB642F2E84E4A5171

                                                          Control-flow Graph

                                                          [rendering omitted: 723005f-72303e4 (call 7230074) -> 72303f6-723041a (Process32FirstW) -> 7230433-723051e (call 7230520)]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: /bw@
                                                          • API String ID: 0-2229588379
                                                          • Opcode ID: 8b36dcbc21a1be0e1641a63a9221a92fc5e21de946e48c58b4ae4dfb9b18a42d
                                                          • Instruction ID: f760eef7ea69c01c8b34549d0a3befce9787c248c7f6d47dd61663e097dfaf15
                                                          • Opcode Fuzzy Hash: 8b36dcbc21a1be0e1641a63a9221a92fc5e21de946e48c58b4ae4dfb9b18a42d
                                                          • Instruction Fuzzy Hash: 6851D4EB27C211BE712294952B54AFB6B2FE6D7730B308426B407DB642F2E84F4A5171

                                                          Control-flow Graph

                                                          [rendering omitted: 723005c-7230061 -> 7230067-72303e4 (directly or via 7230062, call 7230074) -> 72303f6-723041a (Process32FirstW) -> 7230433-723051e (call 7230520)]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: /bw@
                                                          • API String ID: 0-2229588379
                                                          • Opcode ID: 1ef1b8767ae2fc4281c14c2d926b06de9ef7fe4738cc434528e9a55b3185f850
                                                          • Instruction ID: c74676fb10fba0c03b6df1fbf134117c09748bfb2f87d370a9ab1c78d9e94e23
                                                          • Opcode Fuzzy Hash: 1ef1b8767ae2fc4281c14c2d926b06de9ef7fe4738cc434528e9a55b3185f850
                                                          • Instruction Fuzzy Hash: 6E51D3EB27C211BE712294952B54AFB6B2FE6D7730B308426B407DA642F2E84F4A5171

                                                          Control-flow Graph

                                                          [rendering omitted: 7230074-72303e4 -> 72303f6-723041a (Process32FirstW) -> 7230433-723051e (call 7230520)]
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID: /bw@
                                                          • API String ID: 2623510744-2229588379
                                                          • Opcode ID: 219c382e5b52bd28dcc801b96f154d81bf30ac525ec9433420a0e58db0fdefd3
                                                          • Instruction ID: ef6e7f4552a67dfc82c41dea5e479a964a10f44b2cbf722a1120dd5b1b1e699a
                                                          • Opcode Fuzzy Hash: 219c382e5b52bd28dcc801b96f154d81bf30ac525ec9433420a0e58db0fdefd3
                                                          • Instruction Fuzzy Hash: 5E51D6EB27C211BE716394852B549FB6A2FE6D7730F308026B807D7642F2D84F4A5171

                                                          Control-flow Graph

                                                          [rendering omitted: 72300e5-72300e8 -> 7230083-72300e0 or 72300ea-72300ec -> 72300ee-72303e4 -> 72303f6-723041a (Process32FirstW) -> 7230433-723051e (call 7230520)]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: /bw@
                                                          • API String ID: 0-2229588379
                                                          • Opcode ID: 806f53dbcf3704a5f4ffe4853f05267dac9e036f308192ab1b9ee56f10b61a2a
                                                          • Instruction ID: e42eb7729f14c2cc4f3ddf8547eacfd68542bb3e5c8cef25dcbefe8c9773ff49
                                                          • Opcode Fuzzy Hash: 806f53dbcf3704a5f4ffe4853f05267dac9e036f308192ab1b9ee56f10b61a2a
                                                          • Instruction Fuzzy Hash: 9C51D5EB27D111BE717284852B64AF75B2FE6D7730F308426B407DA642F2E84F4A5171

                                                          Control-flow Graph

                                                          [rendering omitted: 723008b-72303e4 -> 72303f6-723041a (Process32FirstW) -> 7230433-723051e (call 7230520)]
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID: /bw@
                                                          • API String ID: 2623510744-2229588379
                                                          • Opcode ID: fbc7d0ba7b6691fe141819b4818891dc99d7888e86442650e78f4addb8937216
                                                          • Instruction ID: f977e5607d7a73ffb9595c115914492ce524d723841132b1a0200d5918e83ad2
                                                          • Opcode Fuzzy Hash: fbc7d0ba7b6691fe141819b4818891dc99d7888e86442650e78f4addb8937216
                                                          • Instruction Fuzzy Hash: AF51E6EB27D211BE726384852B549F75B2FE6D7730B308027B807DA642F2E84F4A5131

                                                          Control-flow Graph

                                                          [rendering omitted: 7230049-723004a -> 72300bf-72303e4 (directly or via 723004c-72300b0, call 723005f) -> 72303f6-723041a (Process32FirstW) -> 7230433-723051e (call 7230520)]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: /bw@
                                                          • API String ID: 0-2229588379
                                                          • Opcode ID: 46ba26f0da021c8b2c925c56e8b549828021ae39427999f54e4e854820a56675
                                                          • Instruction ID: 8562e8480e51489e92f906f08233245d3c92c482fffcc5f4edd095edb56196cc
                                                          • Opcode Fuzzy Hash: 46ba26f0da021c8b2c925c56e8b549828021ae39427999f54e4e854820a56675
                                                          • Instruction Fuzzy Hash: 4A51E5EB27D115BE717284852B64AFB5A2FE6D7730F308427B407DA642F2E84F4A5131

                                                          Control-flow Graph

                                                          [rendering omitted: 7230111-7230112 -> 72300d2-723010a or 7230114-723011f -> 7230121-72303e4 -> 72303f6-723041a (Process32FirstW) -> 7230433-723051e (call 7230520)]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: /bw@
                                                          • API String ID: 0-2229588379
                                                          • Opcode ID: 5dfdca3b53363a01a85ffb7c15a7472e178821991e85b73bb78d7a081725ec46
                                                          • Instruction ID: b7f8527a4d7b2e136b481f81f93b60fee157af39053567381f459bb460538ec4
                                                          • Opcode Fuzzy Hash: 5dfdca3b53363a01a85ffb7c15a7472e178821991e85b73bb78d7a081725ec46
                                                          • Instruction Fuzzy Hash: CC51E6EB27D211BE727284951B649F72B2FE6E7730B308426B407DA642F2D84F4A9171

                                                          Control-flow Graph

                                                          [rendering omitted: 72300b5-72303e4 -> 72303f6-723041a (Process32FirstW) -> 7230433-723051e (call 7230520)]
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID: /bw@
                                                          • API String ID: 2623510744-2229588379
                                                          • Opcode ID: 3d1bca18e97de97ee3fd5da20ac7d50c0643e1528858189aa87a0a99bdf7a770
                                                          • Instruction ID: d763aca557c2a9498939177d461678c0b32aa0c6fccdbc2c6e49a7a2578d13e4
                                                          • Opcode Fuzzy Hash: 3d1bca18e97de97ee3fd5da20ac7d50c0643e1528858189aa87a0a99bdf7a770
                                                          • Instruction Fuzzy Hash: 7D51D5EB27D111BE716284852B549FB5B2FE6D7730B308427B407DA642F2E84F4A5131

                                                          Control-flow Graph

                                                          [rendering omitted: 72300d4-72303e4 -> 72303f6-723041a (Process32FirstW) -> 7230433-723051e (call 7230520)]
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID: /bw@
                                                          • API String ID: 2623510744-2229588379
                                                          • Opcode ID: e4e58c5d01c5507170be71b5aaa1dedc40809b878e7c89cec144469cc085561d
                                                          • Instruction ID: 971f8a2d2761d30c70bf15c034320e7859f968f6e6fce8a7a5f28322ffff9ce0
                                                          • Opcode Fuzzy Hash: e4e58c5d01c5507170be71b5aaa1dedc40809b878e7c89cec144469cc085561d
                                                          • Instruction Fuzzy Hash: BE51C4EB27D211BE727284851B64DFB5A2FE6D7730F308426B407DA642F2E84F4A5171

                                                          Control-flow Graph

                                                          [rendering omitted: 72301e5-72303e4 -> 72303f6-723041a (Process32FirstW) -> 7230433-723051e (call 7230520)]
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID: 4n`f
                                                          • API String ID: 2623510744-3714644234
                                                          • Opcode ID: f3ff002fb1c3ec2ee3b0289243c52e2797b227b2155461ad2fe900297fb4d26d
                                                          • Instruction ID: b8fbd5b18b9778ce07deee7a5cf206bae9a4f8147b35d74402c9f22163cd6158
                                                          • Opcode Fuzzy Hash: f3ff002fb1c3ec2ee3b0289243c52e2797b227b2155461ad2fe900297fb4d26d
                                                          • Instruction Fuzzy Hash: 4A416FEB27D122BEB22284412F54EFB572FE2D7730B348427B907D6542E2D84F4A5171

                                                          Control-flow Graph

                                                          [rendering omitted: 71f0162-71f0176 -> 71f01a6-71f030f (directly or via 71f0178-71f0192, call 71f01a2) -> 71f0315-71f0325 (GetLogicalDrives) -> 71f032a-71f03b4 -> 71f03bf-71f03d6 (call 71f03da), looping with 71f03b7-71f03be, exit at 71f03d8]
                                                          APIs
                                                          • GetLogicalDrives.KERNELBASE ref: 071F0325
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: DrivesLogical
                                                          • String ID: A:\
                                                          • API String ID: 999431828-3379428675
                                                          • Opcode ID: eb2191db5cdc8911dc7c24cc262667a37d4ae3a55de82961e8a599792c7f6e54
                                                          • Instruction ID: 432e36ec05a2577bdf8e883d4314e630b31649cc41cb9b443dca2c1a6614830a
                                                          • Opcode Fuzzy Hash: eb2191db5cdc8911dc7c24cc262667a37d4ae3a55de82961e8a599792c7f6e54
                                                          • Instruction Fuzzy Hash: A331C4F756C615EFB31586911F449FB67ADEACB730B72802AF603D2283E7A48A494131

                                                           Control-flow Graph
                                                           • Basic blocks: 71f01bf-71f030f; 71f0315-71f0325 (GetLogicalDrives); 71f032a-71f03b4; 71f03bf-71f03d6 (call 71f03da), looping through 71f03b7-71f03be; exit at 71f03d8
                                                          APIs
                                                          • GetLogicalDrives.KERNELBASE ref: 071F0325
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: DrivesLogical
                                                          • String ID: A:\
                                                          • API String ID: 999431828-3379428675
                                                          • Opcode ID: e6c64b45358c1399fe6d0009818eacf7cedd4aa49f5d0663bca05206c13c9240
                                                          • Instruction ID: 94a67ef65aebdce3e6f9b0b78aa6e4cf3acbaeea8b4476134a1363365757f579
                                                          • Opcode Fuzzy Hash: e6c64b45358c1399fe6d0009818eacf7cedd4aa49f5d0663bca05206c13c9240
                                                          • Instruction Fuzzy Hash: B83105F752C204EFA31586915F549FA77ADEACF730B32806AFA02D3283D3A44A098131

                                                           Control-flow Graph
                                                           • Basic blocks: 71f01a2-71f030f; 71f0315-71f0325 (GetLogicalDrives); 71f032a-71f03b4; 71f03bf-71f03d6 (call 71f03da), looping through 71f03b7-71f03be; exit at 71f03d8
                                                          APIs
                                                          • GetLogicalDrives.KERNELBASE ref: 071F0325
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: DrivesLogical
                                                          • String ID: A:\
                                                          • API String ID: 999431828-3379428675
                                                          • Opcode ID: bff406cb02622f6216b524ffd541b489f8120dec5b82606481fd4af221bf95b1
                                                          • Instruction ID: cd40b59470d488d5a4d8681bb472cc204b07657ace17daca39a07a86042da1ff
                                                          • Opcode Fuzzy Hash: bff406cb02622f6216b524ffd541b489f8120dec5b82606481fd4af221bf95b1
                                                          • Instruction Fuzzy Hash: A431C4FB56C214AFB31986511F149FA67ADE5CB730B32802AF603D2283E3A44E494131

                                                           Control-flow Graph
                                                           • Basic blocks: 71f0199-71f030f; 71f0315-71f0325 (GetLogicalDrives); 71f032a-71f03b4; 71f03bf-71f03d6 (call 71f03da), looping through 71f03b7-71f03be; exit at 71f03d8
                                                          APIs
                                                          • GetLogicalDrives.KERNELBASE ref: 071F0325
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: DrivesLogical
                                                          • String ID: A:\
                                                          • API String ID: 999431828-3379428675
                                                          • Opcode ID: 2714c1dd638c96c5c3b93592a7844a7dd88a5d5c8e68e59b6153625f53d76a17
                                                          • Instruction ID: 2f9c4d4770d4e64daae9f0a3b70923c6d446ad47bd07db456af1b0ebc146ef98
                                                          • Opcode Fuzzy Hash: 2714c1dd638c96c5c3b93592a7844a7dd88a5d5c8e68e59b6153625f53d76a17
                                                          • Instruction Fuzzy Hash: 8F31D5FB56C214FFB31986411F149FA67ADE6CF730B328426F602D2283E3A44E494571
                                                          APIs
                                                          • GetLogicalDrives.KERNELBASE ref: 071F0325
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: DrivesLogical
                                                          • String ID: A:\
                                                          • API String ID: 999431828-3379428675
                                                          • Opcode ID: 6e8e1a03aa01a8d74569a49b5671988a7a812c8b9ba0051da5903840992b05e1
                                                          • Instruction ID: 69d3030a9ab7e0361025ff4244a2bf7ad7ea62193eaa81b867645824ebb11964
                                                          • Opcode Fuzzy Hash: 6e8e1a03aa01a8d74569a49b5671988a7a812c8b9ba0051da5903840992b05e1
                                                          • Instruction Fuzzy Hash: 8531B3FB56C214BFB319C6511F449FA67ADE6CF730B72802AF607D2282E3A48E494131
                                                          APIs
                                                          • GetLogicalDrives.KERNELBASE ref: 071F0325
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: DrivesLogical
                                                          • String ID: A:\
                                                          • API String ID: 999431828-3379428675
                                                          • Opcode ID: 6de70363f819138ae623a8edd6c2c16c34c466b9d20ccab932800767c7793040
                                                          • Instruction ID: 4bb07291c0ffc214554a9e33237579eed72c8480b601daf63fd8610286077093
                                                          • Opcode Fuzzy Hash: 6de70363f819138ae623a8edd6c2c16c34c466b9d20ccab932800767c7793040
                                                          • Instruction Fuzzy Hash: 7331F7FB56C214AFB31685911F549FB6BADE6CB730B32846AF602D6283E3A44E494131
                                                          APIs
                                                          • GetLogicalDrives.KERNELBASE ref: 071F0325
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: DrivesLogical
                                                          • String ID: A:\
                                                          • API String ID: 999431828-3379428675
                                                          • Opcode ID: 5957f8e7bb79c8afc8f170c4f1b7d63fad2d9ee8a03938168e9c5e353eca3688
                                                          • Instruction ID: 3e0acc5853de4d6e2939cfda2722b1ef80aa59930be41f2163f492b74cbe46d0
                                                          • Opcode Fuzzy Hash: 5957f8e7bb79c8afc8f170c4f1b7d63fad2d9ee8a03938168e9c5e353eca3688
                                                          • Instruction Fuzzy Hash: 8C31C3FB56C214AFA31585911F549FA67BDE6CB730B32806AF603D2283D7A44F498171
                                                          APIs
                                                          • GetLogicalDrives.KERNELBASE ref: 071F0325
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: DrivesLogical
                                                          • String ID: A:\
                                                          • API String ID: 999431828-3379428675
                                                          • Opcode ID: 93024c99a3c46e0116880eeeb1eaa303cdd307453f6c9833812600dc0120de9f
                                                          • Instruction ID: 9b51b40c3980360e00797c906c268ec9596ed1cab09ae14e82ba2cf69d53026f
                                                          • Opcode Fuzzy Hash: 93024c99a3c46e0116880eeeb1eaa303cdd307453f6c9833812600dc0120de9f
                                                          • Instruction Fuzzy Hash: 2A21A1FB56C214AFB35585911F549FA67ADE6CB730B328026F902D2283E3A44E495131
                                                          APIs
                                                          • GetLogicalDrives.KERNELBASE ref: 071F0325
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: DrivesLogical
                                                          • String ID: A:\
                                                          • API String ID: 999431828-3379428675
                                                          • Opcode ID: 14e137788c13d9f74b3f6830e32c39d80f213d184f2590a3634e72480d30ee88
                                                          • Instruction ID: 5a7e0b6d7e0ee1310b75b02abba487f207c289968703a4e52464faf8b1293bbf
                                                          • Opcode Fuzzy Hash: 14e137788c13d9f74b3f6830e32c39d80f213d184f2590a3634e72480d30ee88
                                                          • Instruction Fuzzy Hash: CA219FEB66C214AFA35585911F04AFB676DE6CB730F328026F602D2583D3A40E495531
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng$R
                                                          • API String ID: 0-2140015743
                                                          • Opcode ID: 337da53a0e4dcef745d2b14d1bf7bf8ae6db8bc975822b29b0543877453bdda5
                                                          • Instruction ID: 14fab45d47af48f1eb027bc7caab72f06d21d9730077b6d3ca8f36f2469898c7
                                                          • Opcode Fuzzy Hash: 337da53a0e4dcef745d2b14d1bf7bf8ae6db8bc975822b29b0543877453bdda5
                                                          • Instruction Fuzzy Hash: D2418FFB16D121BD721AD1416B54AFB676EE4CB730F32846BF807C6582E3884F4A5931
                                                          APIs
                                                          • Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
                                                          • Opcode ID: df0113ce8565d4f532661f06b93639d6a17c0963568f656093369933ee270352
                                                          • Instruction ID: 17c6132e869bce8e2741cc11ccb0a235fb8848c2a0103c79864b1a1e5776424c
                                                          • Opcode Fuzzy Hash: df0113ce8565d4f532661f06b93639d6a17c0963568f656093369933ee270352
                                                          • Instruction Fuzzy Hash: 585117E717C211BEB26AC1955B14AFA6F7ED6D3330F3084A7F907DA182E2E40A895171
                                                          APIs
                                                          • Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
                                                          • Opcode ID: 921dc488bbe4a6736d0369b0df8575bd4420a252ad8c0cde09d12a87d1a66360
                                                          • Instruction ID: 982c975211e8a775ea432a07099ce3b60286dbb43efa1511b1e591dfb435ba63
                                                          • Opcode Fuzzy Hash: 921dc488bbe4a6736d0369b0df8575bd4420a252ad8c0cde09d12a87d1a66360
                                                          • Instruction Fuzzy Hash: C75106E717C211BEB16AC4411B18AFA2F6ED6D3330F3084B6F607CA282E2E40AC95171
                                                          APIs
                                                          • Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
                                                          • Opcode ID: 1eb4613e442c48d89739980b326bacfd3487920c00e2cf26e31718a547a91db3
                                                          • Instruction ID: 368b074c3e443ef9e2ceff5e4ec924ff4df2764494e84c04fcafebb32c5ddcd8
                                                          • Opcode Fuzzy Hash: 1eb4613e442c48d89739980b326bacfd3487920c00e2cf26e31718a547a91db3
                                                          • Instruction Fuzzy Hash: FB5107E717C211BEB26AC5511B18AFA6F6ED6D3330F3084B6F607D6682E2E40AC95171
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dc8b5078c0652fbf62b354d470addc6d33424696a312d1e23838d5e844cc2c4b
                                                          • Instruction ID: aa799a6559abcc242110675bf7cee1a34b4c39439739685c2449bf11b6071a51
                                                          • Opcode Fuzzy Hash: dc8b5078c0652fbf62b354d470addc6d33424696a312d1e23838d5e844cc2c4b
                                                          • Instruction Fuzzy Hash: 125128F717C211BEB26AC0415B14AFA6F6EE6D7330F3084A6FA07C6182F2E40A8D5171
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 77094724229a4ff735db446cf90b6d967e8b4532adb42f4341f01b1469667481
                                                          • Instruction ID: 9d99af2ecfdb8aa4421fc771b5ec9aed85fb3baeb33bc86b03351ac010644486
                                                          • Opcode Fuzzy Hash: 77094724229a4ff735db446cf90b6d967e8b4532adb42f4341f01b1469667481
                                                          • Instruction Fuzzy Hash: 685129E717C211BEA22EC5515B54AFA2F6EE6D3330F3084E6F507CA582E2D50ACD5171
                                                          APIs
                                                          • Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
                                                          • Opcode ID: cc9d93d5bc7ab8648f4286eed04e7742b3b8c508b624bf4bdd0cc9abeb82e2e3
                                                          • Instruction ID: 8013abc1694a4d784b348028134f4398c24732b678999d3bfe6b13c938d80d94
                                                          • Opcode Fuzzy Hash: cc9d93d5bc7ab8648f4286eed04e7742b3b8c508b624bf4bdd0cc9abeb82e2e3
                                                          • Instruction Fuzzy Hash: 0A5107E717C211BEB26AC5511B14AFA6F6ED6D3330F3080B6F907CA582E3E54A8D5171
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 8440d611a574e75a4b4c8f15352fbbf1f2f32542dd94e76366449f32b1b0009e
                                                          • Instruction ID: 55b22ab85d1319348b2a5c91e2beeac1c3d866962b0824e5a4a0f9847804342e
                                                          • Opcode Fuzzy Hash: 8440d611a574e75a4b4c8f15352fbbf1f2f32542dd94e76366449f32b1b0009e
                                                          • Instruction Fuzzy Hash: BEA13CFB56C125BDB219C0826B54AFB676EE2CB730F32842BF807D5581E3984F4A1935
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID:
                                                          • API String ID: 2623510744-0
                                                          • Opcode ID: 8b060cf4e88bde5262cff13ef1fbbef287def52a1e26e29260541dd0e20bd604
                                                          • Instruction ID: 7a82794d79ea2e8426b4501e36976f1e8318af179d08fda21ca7348dde8b893a
                                                          • Opcode Fuzzy Hash: 8b060cf4e88bde5262cff13ef1fbbef287def52a1e26e29260541dd0e20bd604
                                                          • Instruction Fuzzy Hash: B441D5EB27D221BE717284852B54DFB5A2FE6D7730B308426B807D6642F2E84F4A5171
                                                          APIs
                                                          • Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
                                                          • Opcode ID: f480fc17949ae1ae9be8d436de8a1e314e1d142cbef4fdef83d340e44191107e
                                                          • Instruction ID: 3944a52dcd8cf7961aa7c1e00c6dbba43d5feb6d8c90907307d1a2937258dcdb
                                                          • Opcode Fuzzy Hash: f480fc17949ae1ae9be8d436de8a1e314e1d142cbef4fdef83d340e44191107e
                                                          • Instruction Fuzzy Hash: CC4117E717C211BEA12AC5815B14AFA6F6EE6D3330F3084B6F507DA582F3E40A895171
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: c47efbc3426397d3e3a8f9dcb8f05c0884e45ab0b94d9887a4c2ccf9df66adb0
                                                          • Instruction ID: f9e679016377d74454b9d949440aa407aaaec305655f7962389e930d2ab01a0a
                                                          • Opcode Fuzzy Hash: c47efbc3426397d3e3a8f9dcb8f05c0884e45ab0b94d9887a4c2ccf9df66adb0
                                                          • Instruction Fuzzy Hash: C3915BEB52D125BDB209C1816F54AFB676EE2CB730F32842BF807D5582E3984F4A5931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          APIs
                                                          • Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID:
                                                          • API String ID: 2623510744-0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5572084c7431215aad07bb61da8feb7523cc4c6f97e49f5a009d753c8139eac3
                                                          • Instruction ID: ca2780e81ade9d2895277f07cff0676c8a1b7c14d2cc7671f5f3e4cf9895d2c3
                                                          • Opcode Fuzzy Hash: 5572084c7431215aad07bb61da8feb7523cc4c6f97e49f5a009d753c8139eac3
                                                          • Instruction Fuzzy Hash: 2B3148E717C211BFA22E85915B546FA6F6ED6D7230B3040E6FA03DA682E3E50AC94171
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID:
                                                          • API String ID: 2623510744-0
                                                          • Opcode ID: 8f73aa19b7544d4929fe75769988e6a95257b4c02d99b53f24e40ad14e11b6d3
                                                          • Instruction ID: cb436cb2729ad43189f7c07407113eb30db0f64aa08f270b431a7c6cba8a03db
                                                          • Opcode Fuzzy Hash: 8f73aa19b7544d4929fe75769988e6a95257b4c02d99b53f24e40ad14e11b6d3
                                                          • Instruction Fuzzy Hash: 23318FE727D222BEB22280412F609FB572FE6E7730B34C427B907D6542E2D84F4A5171
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 766af87e997fe36b7c5e870cf68b81b92b1ab78c8b672eee0082296382ecd6d8
                                                          • Instruction ID: fccffcfe2a2e30a3ed5906bb48b55b50c4722f61b0ce12dea08105aa207388dc
                                                          • Opcode Fuzzy Hash: 766af87e997fe36b7c5e870cf68b81b92b1ab78c8b672eee0082296382ecd6d8
                                                          • Instruction Fuzzy Hash: 65715AEB52D124BCB21AC0426B54EFB676EE1DB730F32842BF807D5582E3984F4A1971
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID:
                                                          • API String ID: 2623510744-0
                                                          • Opcode ID: 4dec2851dd1247276777dd55d6f80d008e91065812f054534cf55811cb1c2905
                                                          • Instruction ID: 115012b71d77367348b98b7bf46dc9ace0eb6df667b925c938e3b9276c76a00c
                                                          • Opcode Fuzzy Hash: 4dec2851dd1247276777dd55d6f80d008e91065812f054534cf55811cb1c2905
                                                          • Instruction Fuzzy Hash: 852171E727D125BE722294412F64AFB172FE6D7730B348427B907D6542E3E84F4A5071
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: ce44fa03e557ffe64bb91fb2690a5f9fda66b2ee0f8cfc76aedcfc8d90a86802
                                                          • Instruction ID: 0363d4e31d2756a413677512c4c9e313a33d3f53e2fac0fb107e7c152ee34812
                                                          • Opcode Fuzzy Hash: ce44fa03e557ffe64bb91fb2690a5f9fda66b2ee0f8cfc76aedcfc8d90a86802
                                                          • Instruction Fuzzy Hash: 757159EB52D124BCB20AC1426B54EFB676EE1CB730F32842BF807D5582E3984F4A1931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: a67deb98f7740bb5581594acda7e265e093a71a225a9153db8c6ff52179157b8
                                                          • Instruction ID: f31c537fd52de640062f93f0e0461e30f3b7c2d0cf86fca89fa72fe41542aad0
                                                          • Opcode Fuzzy Hash: a67deb98f7740bb5581594acda7e265e093a71a225a9153db8c6ff52179157b8
                                                          • Instruction Fuzzy Hash: D57149EB56D124BC721AC0426B54EFB676EE1CB730F32842BF807D5586E3984F4A1931
                                                          APIs
                                                          • Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
                                                          • Opcode ID: c9fe24b174f4f9f21581b0fdd881e191134e68883ceb29baf32f20056d314132
                                                          • Instruction ID: b6f9e72cfc2d1be660f4cf60274dcd0552fbf1ea3433622da9503d23f2ae5657
                                                          • Opcode Fuzzy Hash: c9fe24b174f4f9f21581b0fdd881e191134e68883ceb29baf32f20056d314132
                                                          • Instruction Fuzzy Hash: 853127E717C111BFA22E91911B546FA6F6EE6D7230F3044F6FA03CA682E3D40AC95171
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 32733b15b075833b89e476634c4bb9c008928c650727ee36c91fa643dc925abd
                                                          • Instruction ID: df842386cebb4308b81c3e736c0393dd2677db945ce5c318b8251597732fdf81
                                                          • Opcode Fuzzy Hash: 32733b15b075833b89e476634c4bb9c008928c650727ee36c91fa643dc925abd
                                                          • Instruction Fuzzy Hash: 26716AEB56D124BC720AC0822B54EFB676EE5CB730F32842BF807D5582E3984F4A5971
                                                          APIs
                                                          • Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
                                                          • Opcode ID: c91b4c900b0e87f994389c9b6d4d01ef0743ecb9ff73a992c09dbce4e7fcf340
                                                          • Instruction ID: 1407989ab4c915c1ac52f27bddade2f42b077610dcac02361bb175b916dff2aa
                                                          • Opcode Fuzzy Hash: c91b4c900b0e87f994389c9b6d4d01ef0743ecb9ff73a992c09dbce4e7fcf340
                                                          • Instruction Fuzzy Hash: 5E212DE717C111BFB22E95515B546FA6F6ED6D7230F3040B6F9038A682E3D40ACD5171
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 6ac15de625ccd6d4a5ccb8f1c055be624147e117df37f0dc3ccfeb05a999b49b
                                                          • Instruction ID: 3c947caca407c413fc0b9a082275a4aa0b678f40276e785ff067001de9947cfd
                                                          • Opcode Fuzzy Hash: 6ac15de625ccd6d4a5ccb8f1c055be624147e117df37f0dc3ccfeb05a999b49b
                                                          • Instruction Fuzzy Hash: 797169EB56D120BCB20AC0416B54EFB676EE0DB730F32986BF807D5582E3884F4A5971
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID:
                                                          • API String ID: 2623510744-0
                                                          • Opcode ID: 0e020b6d591c81306797c73571404ea7e8d8e8939d920ab18992afdaddffa170
                                                          • Instruction ID: 0aab8c353ca1e55c2c872c5f019adb71434f7a7f2c91736caca2b8e3f1622210
                                                          • Opcode Fuzzy Hash: 0e020b6d591c81306797c73571404ea7e8d8e8939d920ab18992afdaddffa170
                                                          • Instruction Fuzzy Hash: 7A213CEB27D122BEB22280412F649FB162FE6D7730B348426B907C6542E2E84F4A5071
                                                          APIs
                                                          • Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
                                                          • Opcode ID: f0da29ea9581a85a19c49c50b764d3102b592519f3027ceaf8ab4c4822f2d2fb
                                                          • Instruction ID: 3d81509655ac90abf192d22f4f99cf776f7097d05edf97531b7c13f2f2e5d2bd
                                                          • Opcode Fuzzy Hash: f0da29ea9581a85a19c49c50b764d3102b592519f3027ceaf8ab4c4822f2d2fb
                                                          • Instruction Fuzzy Hash: 722129E613C111BFB12981515F54AFB6F6DD6D3230B3084B6FA07CA282E2E40AC95171
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID:
                                                          • API String ID: 2623510744-0
                                                          • Opcode ID: 13a56df1242eafc14e2acd2d80f526eebca36e769937893552ae59a1e6aa5071
                                                          • Instruction ID: 8a38c69aeffd881b42a84e417ab75975ed9e1e584dae3eeda77be2df10725b82
                                                          • Opcode Fuzzy Hash: 13a56df1242eafc14e2acd2d80f526eebca36e769937893552ae59a1e6aa5071
                                                          • Instruction Fuzzy Hash: 09218EEB27D162BEB22280512F649FB172FE5E7730B34C467F907CA542E3E84A4A5071
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: cadbb07f30d0e0fc86cbebf577b8fde34a4d0f7f387bd676ab5822df965e3d25
                                                          • Instruction ID: 3ade9b09dcedff4faf48dde6404e84ccbc67fe0a32a582b18140577a31b9d0a0
                                                          • Opcode Fuzzy Hash: cadbb07f30d0e0fc86cbebf577b8fde34a4d0f7f387bd676ab5822df965e3d25
                                                          • Instruction Fuzzy Hash: 3D715AEB56D124BC720AC1826B54EFB676EE1CB730F32842BF807D5586E3984F4A5931
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID:
                                                          • API String ID: 2623510744-0
                                                          • Opcode ID: e7143f0206bfe38dccb32cbfa77024873686c1c3cf78e77d299429d854500409
                                                          • Instruction ID: 010c4ab9b0c978e4002dbe5dc7341d4e45aeddb773c2100498e4d04baa5c531d
                                                          • Opcode Fuzzy Hash: e7143f0206bfe38dccb32cbfa77024873686c1c3cf78e77d299429d854500409
                                                          • Instruction Fuzzy Hash: 38218CE767D262AE722684512B609FB0B6FE5E7330B349427F907CA542F2D84B4A5071
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: bce3b609742b8b86519c83a86abbb252762c9061a116d72c400bbfecf6f6594a
                                                          • Instruction ID: 813e213550c8de3da45db9428cccfd2e0dced09a482307cb1b0b651acb8935f6
                                                          • Opcode Fuzzy Hash: bce3b609742b8b86519c83a86abbb252762c9061a116d72c400bbfecf6f6594a
                                                          • Instruction Fuzzy Hash: 836169EB52D124BC720AC0426B54EFB676EE1CB730F32882BF807D5582E3984F4A5931
                                                          APIs
                                                          • Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
                                                          • Opcode ID: 4c5648f55c3f35bd5a8bb36be929e73112abf82f5c1215d41f6284071f0ba54b
                                                          • Instruction ID: d0babaa1e2fd970066ad87ca10a13edf81bd9faff577acd10c488ce78babd27f
                                                          • Opcode Fuzzy Hash: 4c5648f55c3f35bd5a8bb36be929e73112abf82f5c1215d41f6284071f0ba54b
                                                          • Instruction Fuzzy Hash: 87210AE713C111BFB22E85511B54AFA6F6ED6D3230B3080F6FA03C9682E7E40AC95171
                                                          APIs
                                                          • Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
                                                          • Opcode ID: 34632ae0b932f02cf00829c343c0cafc0198c578b6e849fbe4c30ed140a25625
                                                          • Instruction ID: 12165272a93bd61b90e41054b0bd1794dc7b7f31a05a01195fb8e51f045c2171
                                                          • Opcode Fuzzy Hash: 34632ae0b932f02cf00829c343c0cafc0198c578b6e849fbe4c30ed140a25625
                                                          • Instruction Fuzzy Hash: 412197D213D2416FE72E90701B645FA7F29D6D323073041E6EA57CE1C3E2E449CA82A1
                                                          APIs
                                                          • GetLogicalDrives.KERNELBASE ref: 071F0325
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: DrivesLogical
                                                          • String ID:
                                                          • API String ID: 999431828-0
                                                          • Opcode ID: 3002e3af6def80238c24ecd1674ac61412ac5604875b42e2d81e5333171b8700
                                                          • Instruction ID: 9dfc10c419c705180dee57920cb5fa91457d7a2fbe99b9e7442d6e32ef12bfc7
                                                          • Opcode Fuzzy Hash: 3002e3af6def80238c24ecd1674ac61412ac5604875b42e2d81e5333171b8700
                                                          • Instruction Fuzzy Hash: FD2136F762D255AFE31286611B549FB37ADEACB730B31847AF502C7987D3540A099132
                                                          APIs
                                                          • Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID:
                                                          • API String ID: 2623510744-0
                                                          • Opcode ID: c222e2c8549439457049fc3c39aa3e12064ea761f1c0a9e147ca665b2ddd9d9c
                                                          • Instruction ID: 9d9e5672cc064cfa25b31e22d0afd3ec6ba67b007a6a9b9959565c8a5f1f2a60
                                                          • Opcode Fuzzy Hash: c222e2c8549439457049fc3c39aa3e12064ea761f1c0a9e147ca665b2ddd9d9c
                                                          • Instruction Fuzzy Hash: 0D1149EB27D222BD722284912F609FB072FE1E7730B34C427F907CA542E2D84B4A1071
                                                          APIs
                                                          • Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
APIs
• Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
Memory Dump Source
• Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
Similarity
• API ID: FirstProcess32
• String ID:
• API String ID: 2623510744-0
APIs
• Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
Memory Dump Source
• Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
Similarity
• API ID: NextProcess32
• String ID:
• API String ID: 1850201408-0
APIs
• GetLogicalDrives.KERNELBASE ref: 071F0325
Memory Dump Source
• Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
Similarity
• API ID: DrivesLogical
• String ID:
• API String ID: 999431828-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
Similarity
• API ID:
• String ID: )9Ng
• API String ID: 0-1793619911
APIs
• Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
Memory Dump Source
• Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
Similarity
• API ID: FirstProcess32
• String ID:
• API String ID: 2623510744-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
Similarity
• API ID:
• String ID: )9Ng
• API String ID: 0-1793619911
APIs
• GetLogicalDrives.KERNELBASE ref: 071F0325
Memory Dump Source
• Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
Similarity
• API ID: DrivesLogical
• String ID:
• API String ID: 999431828-0
APIs
• Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
Memory Dump Source
• Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
Similarity
• API ID: FirstProcess32
• String ID:
• API String ID: 2623510744-0
APIs
• Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
Memory Dump Source
• Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
Similarity
• API ID: FirstProcess32
• String ID:
• API String ID: 2623510744-0
APIs
• Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
Memory Dump Source
• Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
Similarity
• API ID: NextProcess32
• String ID:
• API String ID: 1850201408-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
Similarity
• API ID:
• String ID: )9Ng
• API String ID: 0-1793619911
APIs
• Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
Memory Dump Source
• Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
Similarity
• API ID: NextProcess32
• String ID:
• API String ID: 1850201408-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
Similarity
• API ID:
• String ID: )9Ng
• API String ID: 0-1793619911
Strings
Memory Dump Source
• Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
Similarity
• API ID:
• String ID: )9Ng
• API String ID: 0-1793619911
APIs
• Process32NextW.KERNEL32(?,?,?,?), ref: 07240357
Memory Dump Source
• Source File: 00000000.00000002.1654977368.0000000007240000.00000040.00001000.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7240000_Gy53Tq6BdK.jbxd
Similarity
• API ID: NextProcess32
• String ID:
• API String ID: 1850201408-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
Similarity
• API ID:
• String ID: )9Ng
• API String ID: 0-1793619911
Strings
Memory Dump Source
• Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
Similarity
• API ID:
• String ID: )9Ng
• API String ID: 0-1793619911
APIs
• Process32FirstW.KERNEL32(?,?,?,00000063), ref: 07230409
Memory Dump Source
• Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
Similarity
• API ID: FirstProcess32
• String ID:
• API String ID: 2623510744-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
Similarity
• API ID:
• String ID: )9Ng
• API String ID: 0-1793619911
APIs
• GetLogicalDrives.KERNELBASE ref: 071F0325
Memory Dump Source
• Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
Similarity
• API ID: DrivesLogical
• String ID:
• API String ID: 999431828-0
APIs
• GetLogicalDrives.KERNELBASE ref: 071F0325
Memory Dump Source
• Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
Similarity
• API ID: DrivesLogical
• String ID:
• API String ID: 999431828-0
APIs
• GetLogicalDrives.KERNELBASE ref: 071F0325
Memory Dump Source
• Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
Similarity
• API ID: DrivesLogical
• String ID:
• API String ID: 999431828-0
                                                          • Opcode ID: d00d1fe507a34433bc0fc953273a3faee02fb0a0d85ecfd4d8fff25bf047011c
                                                          • Instruction ID: 6e11965b5fc6fe7d62c85ce1898687bd988f1d6c12f03ad7c621ee6a310b28bd
                                                          • Opcode Fuzzy Hash: d00d1fe507a34433bc0fc953273a3faee02fb0a0d85ecfd4d8fff25bf047011c
                                                          • Instruction Fuzzy Hash: 6301F7F6628715AFE35696611B446FB7769FBCB730B318129F602D72C3D7644E048131
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: dcd2e01c2421ad7d66d8be89b0cc03deb2c195896181bb5a9923c0d10a1a07c0
                                                          • Instruction ID: 510ac974a783fb9e1972c361135f2241c17fa288b1afb007e80f09c7b6381e0d
                                                          • Opcode Fuzzy Hash: dcd2e01c2421ad7d66d8be89b0cc03deb2c195896181bb5a9923c0d10a1a07c0
                                                          • Instruction Fuzzy Hash: B4516CEB56D124BC721AC1426B54EFB676EE0CB730F32846BF807D5586E3984F4A1831
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: e1791e93fc8c55de7663c941d4b5afcccf39fcbf22940700229166020e8ffe7f
                                                          • Instruction ID: 6624b788f641a03ca8599b0b4a3cd814816e60b8c6a8323c640464036a46e15c
                                                          • Opcode Fuzzy Hash: e1791e93fc8c55de7663c941d4b5afcccf39fcbf22940700229166020e8ffe7f
                                                          • Instruction Fuzzy Hash: 98515BEB56D124BC721AC1426B54EFB676EE0CB730F32842BF807D5682E3984F4A1931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 790172d4837f744d16dfb793189bc31464ee0fadbdc4fb79c997d4db9ba7afbc
                                                          • Instruction ID: 1e6b4bc22a7db8706f8f0a2b640adf626c0fac7ddfe5c839fa9d4b6b23a63acb
                                                          • Opcode Fuzzy Hash: 790172d4837f744d16dfb793189bc31464ee0fadbdc4fb79c997d4db9ba7afbc
                                                          • Instruction Fuzzy Hash: B2518CEB56D120BD721AC1426B54EFB676EE5CB730F32942BF807C5582E3984F4A2931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 58b39523714e7e6b1c8e1e45bfaa932bfea59fa6e97a7baba1e1b3a07b6a4400
                                                          • Instruction ID: ebb74b886df9f4e3a218b5cb6e67e7f1d048d87b26f62a84120a9f02b7300750
                                                          • Opcode Fuzzy Hash: 58b39523714e7e6b1c8e1e45bfaa932bfea59fa6e97a7baba1e1b3a07b6a4400
                                                          • Instruction Fuzzy Hash: 0C517AEB16D124BD721AC1426B54EFB676EE5CB730F32842BF807D5582E3984F4A2931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 08e304ef66cdd51e862a7642fd043733f0af557b2a23b6e68cb1b7c7ba2bebed
                                                          • Instruction ID: 324c455b979bbf80feeca01606aef34361bc3edb38322a6e7d069a03896ea60a
                                                          • Opcode Fuzzy Hash: 08e304ef66cdd51e862a7642fd043733f0af557b2a23b6e68cb1b7c7ba2bebed
                                                          • Instruction Fuzzy Hash: F851E1FB12C151BDB20A81456B54EFB6B6ED5CB730F32846BF407CA582E3844F4A5971
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 92e48549bc99d665d248f8f1654b2f7f3baecb7c8c8b2504b64c9cd0629d7b6c
                                                          • Instruction ID: 73784d4511aeb78cd8a953506180040a0921d5ed9f492d800caf70b774a732aa
                                                          • Opcode Fuzzy Hash: 92e48549bc99d665d248f8f1654b2f7f3baecb7c8c8b2504b64c9cd0629d7b6c
                                                          • Instruction Fuzzy Hash: F7416BEB12D120BD721AC1426B54EFB676ED4CB730F32882BF807D5681E3984F4A1931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: c5181241647f9e93942a03f9288737671fdfd21d537cb429f2b05098dbc9f2e2
                                                          • Instruction ID: cd758a09b591999f24d322dcd7263516164dd776dcfe41c8790b83936796a75c
                                                          • Opcode Fuzzy Hash: c5181241647f9e93942a03f9288737671fdfd21d537cb429f2b05098dbc9f2e2
                                                          • Instruction Fuzzy Hash: AA418BFB12D125BDB20AC1456B50AFB676ED5CB730F32882BF807C6682E3944F4A5931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 39f86d63449b72bd9e4abffe90ca01b6a99f434f5c07a4af9396b1419e00dacf
                                                          • Instruction ID: 7333fac41bd873a14cb1335744580b6e07dc237efa54d6a6b0bd600b6fe90e18
                                                          • Opcode Fuzzy Hash: 39f86d63449b72bd9e4abffe90ca01b6a99f434f5c07a4af9396b1419e00dacf
                                                          • Instruction Fuzzy Hash: C3419DEB12D121BD7219C1416B54EFB676EE5CB730F32886BF807D6682E3984F4A1931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 4dd260f4ef43773a389abcdad1b90f2661106eea0166992c8107b595d98f20b6
                                                          • Instruction ID: 1c54698ded5c69c2187a7ca73a971c4db017648b7f295bbb6a19b98d5c849b4a
                                                          • Opcode Fuzzy Hash: 4dd260f4ef43773a389abcdad1b90f2661106eea0166992c8107b595d98f20b6
                                                          • Instruction Fuzzy Hash: 2831EDEB17D024BDB20AD5456B54AFB676EE0CF730F32846AF807CA681E3944F4A5931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: c044de1347d62313cf8aaa3bc943e7f86c824ba5398d246f7b515612425e30c3
                                                          • Instruction ID: a134ecfa9a8d8c9b04d11f85a190a76fcec86bc393a24d2783227fe732d4238d
                                                          • Opcode Fuzzy Hash: c044de1347d62313cf8aaa3bc943e7f86c824ba5398d246f7b515612425e30c3
                                                          • Instruction Fuzzy Hash: EA31E1EB13C111BDB20AC0456B54AFB672EE1CF730F32846AF807CA681E3944F4A1931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: c0a7e5cfe089ec7c903fdc48f1e1ed61eb0339c473823e1d17c7e2adaf81f9bf
                                                          • Instruction ID: 9869d9c4a45fd4b9da3d8775e16e02c6e837695fa973b6f001867b97db5f4fb9
                                                          • Opcode Fuzzy Hash: c0a7e5cfe089ec7c903fdc48f1e1ed61eb0339c473823e1d17c7e2adaf81f9bf
                                                          • Instruction Fuzzy Hash: EB3104FB13D011BD621A84456B54AFB676EE5CF730F32886AF803CA681E3944F4A5931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 2072c8b884fae260a7838869c996f5d411d3d4aeaecfe518e733a57fa85d74fb
                                                          • Instruction ID: a02d16aaf9dc83129303c0ddd34c4f15a59252094399246f0cc6fe8f9c93dff4
                                                          • Opcode Fuzzy Hash: 2072c8b884fae260a7838869c996f5d411d3d4aeaecfe518e733a57fa85d74fb
                                                          • Instruction Fuzzy Hash: 6931CBEB13D120BDA20A91456B54AFA672EE4CB730F32887AF803C6681E3944F4A5931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: bfd8a59a0b9b012b2920e2f9cf1a5ee75cffcb40ed2c920cdab9959ecf986129
                                                          • Instruction ID: 3e391a289ac97a14daa884374419b744fc8250392b7659ec52fdccb6e405c8dc
                                                          • Opcode Fuzzy Hash: bfd8a59a0b9b012b2920e2f9cf1a5ee75cffcb40ed2c920cdab9959ecf986129
                                                          • Instruction Fuzzy Hash: 9931FEFB12C121AEA21AC5456B54AFB636EE5CB330F32886AF803C6681E3944F495931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: b50b5cef97b6c93e0a24388c100346261e1f678e6e63e641262ec9538fd6f7c5
                                                          • Instruction ID: 8e84eed512be70fa295846b9ea9b3fd447feb63db57e0f4e8220b95bb50493f9
                                                          • Opcode Fuzzy Hash: b50b5cef97b6c93e0a24388c100346261e1f678e6e63e641262ec9538fd6f7c5
                                                          • Instruction Fuzzy Hash: 1F2103FB13C110ADB209C1046A50AFA672ED5CF330F32846AF403C6681E3944F4A5932
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 28b3939d21892863eec97d5851dac7b30ad4b2e0255f1673784a9cc76407bebd
                                                          • Instruction ID: 506d10c3f4a189a1d7fa88d11494fb78f4aeef6651f29f5b03e7554a5b1dbebd
                                                          • Opcode Fuzzy Hash: 28b3939d21892863eec97d5851dac7b30ad4b2e0255f1673784a9cc76407bebd
                                                          • Instruction Fuzzy Hash: 5721D1FB13D111BD721A95056B50BFA672EE5CF730F32886AF803C6681E7944F895932
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 1062a89c23bf4703cb8072b4c675e4c6d0a8aedd1ba9a22068921fee399a814c
                                                          • Instruction ID: 6c3457ecd89c549c34d6f1d5e2ba415a53c5eff654d0b2a8589428e63695e29c
                                                          • Opcode Fuzzy Hash: 1062a89c23bf4703cb8072b4c675e4c6d0a8aedd1ba9a22068921fee399a814c
                                                          • Instruction Fuzzy Hash: 5C21EFFB13D111BDB20A95456B50AFA632EE5CF730F32886AF403C6681E7984F895931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 0b1f24c844fe35a5ae8c4c1398605f1e7b3926906a1c62a6e3dbd25c49e4298b
                                                          • Instruction ID: d40c45a12ce6c8053bf45984e78fd55495834b171264999e9f36aca2413587d6
                                                          • Opcode Fuzzy Hash: 0b1f24c844fe35a5ae8c4c1398605f1e7b3926906a1c62a6e3dbd25c49e4298b
                                                          • Instruction Fuzzy Hash: ED21EFFB13C114BE720A91556B54BFA672EE5CF330F32886AF803CA681E3944F495971
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: cfc746f13c712bac7ef21978505b3ce8f7d5d0ec4af2d03dc1bb1804fd5ac027
                                                          • Instruction ID: 207e3a7d7ff6beb9e21b200f64fb876c045d77b44d80d9a461d38a8814c0a160
                                                          • Opcode Fuzzy Hash: cfc746f13c712bac7ef21978505b3ce8f7d5d0ec4af2d03dc1bb1804fd5ac027
                                                          • Instruction Fuzzy Hash: 7D2146FB13C111BEA30A81506A90BFA772ED4CF334F3288AAF403CA181D3944F4A5932
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 04262382ebdc7b96f312c14185801031424a4055dc545849d3e15c03c4b18de1
                                                          • Instruction ID: 3e326e82aba281c92c6f32ec52e696d290716fddecb13a6ce8ede14cc44c0ef7
                                                          • Opcode Fuzzy Hash: 04262382ebdc7b96f312c14185801031424a4055dc545849d3e15c03c4b18de1
                                                          • Instruction Fuzzy Hash: A42104FB13C111AD630AD1156B90BFA276DE5CF330F3288AAF403CA181E3544F4A5931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: c6ab76ceeaf7d1a9718af567ea8d66846d8894818b699e1e6bc75089b470405e
                                                          • Instruction ID: 264571ef81305d58d4f38357bbd79186bf3c153b4b9f6fcd290655a245969f02
                                                          • Opcode Fuzzy Hash: c6ab76ceeaf7d1a9718af567ea8d66846d8894818b699e1e6bc75089b470405e
                                                          • Instruction Fuzzy Hash: 4A11D2FB13D111ADA309D5556B54AFA672DD6CF330F32886AF403CA281E7944F455931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 0c9c1a9544c8edaf7e77227074e8da359d93b882d349fac4f8ced5a80f5b3ef0
                                                          • Instruction ID: cefba470d4988d061ba11b47a8f6a104dc4162530de86964461cc2f879277d2a
                                                          • Opcode Fuzzy Hash: 0c9c1a9544c8edaf7e77227074e8da359d93b882d349fac4f8ced5a80f5b3ef0
                                                          • Instruction Fuzzy Hash: 0A1126FB03D114EEA319D5556B50AFA236ED5CF330F3288AAF403C6681E7544F855931
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: bfd34e75a447118abc1dc70057cae79c850c014f3dce2428920a6cda9a121775
                                                          • Instruction ID: 8856b1d56cb4d4249cf4ca98f35fb7e2dd5f7c7afd498e5bd425503069062a84
                                                          • Opcode Fuzzy Hash: bfd34e75a447118abc1dc70057cae79c850c014f3dce2428920a6cda9a121775
                                                          • Instruction Fuzzy Hash: 531138FB13C211EF9315952966906FE336AEA8F230F3144AAE003C7280D7644F455921
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 818f17a546d1bc771d99094b396f3378b2da4ad707c5ddd2fa7b84b40faeac7f
                                                          • Instruction ID: 85b1a15ed41749d989cef351c42970fc8825ea037436b6dc95713aeab95929b3
                                                          • Opcode Fuzzy Hash: 818f17a546d1bc771d99094b396f3378b2da4ad707c5ddd2fa7b84b40faeac7f
                                                          • Instruction Fuzzy Hash: 301129FB13C111EE930A951466906FE372AE5CF330F3144A9F443C7281E3544F455921
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 0c51daed49dd082eaf404a5c27ffc30c35a137c36cb92bbc46cc1a301c3cb5de
                                                          • Instruction ID: 0d4d8099ddf45b49d875b01f5763afdaad3a8342c9b404ac0d468b7ccb237e1a
                                                          • Opcode Fuzzy Hash: 0c51daed49dd082eaf404a5c27ffc30c35a137c36cb92bbc46cc1a301c3cb5de
                                                          • Instruction Fuzzy Hash: 5D014CFB03C111EE930AA51496947FE376EE58F330F3144AAF4038B681E7644F855E62
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 6ef040b1f112ec4915bec66f8f9f347b2acf89897f39683d2ce3861723ea18d0
                                                          • Instruction ID: 56d3f6f90724143d871aa821004d3ff0305852b34ee4bd1ab92b415eaced30f9
                                                          • Opcode Fuzzy Hash: 6ef040b1f112ec4915bec66f8f9f347b2acf89897f39683d2ce3861723ea18d0
                                                          • Instruction Fuzzy Hash: F5016DF6038215DFC706AA38C5902EE3B666F0F230F3108E9E0838B7C3D7205E818A52
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 246f3520abcd31315ff6bc172aff03dc16b6aaa2191094b0bd6daaf75b7d46e9
                                                          • Instruction ID: dce6cc4211b9cfbde6c84b093a23ae9932df9d89084518a847780290eeeab707
                                                          • Opcode Fuzzy Hash: 246f3520abcd31315ff6bc172aff03dc16b6aaa2191094b0bd6daaf75b7d46e9
                                                          • Instruction Fuzzy Hash: 65014CF643C2519FC7075A3455D41E93F61AD1F120F2504EDD0828F782DB265F858F42
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 281809cbf51df9664d86ca4fdccd6fc9d27cdaca9802deb392ac94b2ae624713
                                                          • Instruction ID: 4810cd915e59cca7a19f76a48f375edbb3ed83b3199c7663c43ac30695091dc4
                                                          • Opcode Fuzzy Hash: 281809cbf51df9664d86ca4fdccd6fc9d27cdaca9802deb392ac94b2ae624713
                                                          • Instruction Fuzzy Hash: 54012BFB43D211DFC706A669A2902ED3B66A94F230F3144EAD0434B781E7605F955E81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: 912dd05a123233ef093a7c10ac67225f3fb3f930b57c3397317d529eeebf7dde
                                                          • Instruction ID: 969a44c5159c396ac123e9a64cfd69137461cd5e9727cecbb4e6af361da9c201
                                                          • Opcode Fuzzy Hash: 912dd05a123233ef093a7c10ac67225f3fb3f930b57c3397317d529eeebf7dde
                                                          • Instruction Fuzzy Hash: 8B012BF743C111DF830AEA25E2942FD376AAA8F330F3144EAE0038B381E7649E455E51
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )9Ng
                                                          • API String ID: 0-1793619911
                                                          • Opcode ID: c0476dd54244eabbcbf30fc9d3a7886120ed2f5a874a431cf1e9a5c4da810b69
                                                          • Instruction ID: 21fd24b4e87137c7c404dda595549cc0387217f46877566849d171c40fac22e8
                                                          • Opcode Fuzzy Hash: c0476dd54244eabbcbf30fc9d3a7886120ed2f5a874a431cf1e9a5c4da810b69
                                                          • Instruction Fuzzy Hash: D0F027F6838212DFC71A653891D52EE6752695F130F3105EDE0534B7C2D7154E925A42
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e925bc32150ba1857565f5a0e33f683ec45e322ffc7d1b91b9b51a389281975c
                                                          • Instruction ID: 4051baf456f206bbacc2edd143b1c3c28f3c8a2e4f96f4fe0ee003f8a02246ad
                                                          • Opcode Fuzzy Hash: e925bc32150ba1857565f5a0e33f683ec45e322ffc7d1b91b9b51a389281975c
                                                          • Instruction Fuzzy Hash: D6017DE39381618FCB0B6A3595D02D97FA1AA0F230F3100E8C0878B782E7150F818E45
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654819693.00000000071D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71d0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cb5b26ed865c3659bc8e8a19b8e49cceb80bd4395716cadbfec059bfc9855a44
                                                          • Instruction ID: 6c418ad8088634cc2d22f1e0ccaf056b8aa677dcec00f32efb5fd196692ad5c6
                                                          • Opcode Fuzzy Hash: cb5b26ed865c3659bc8e8a19b8e49cceb80bd4395716cadbfec059bfc9855a44
                                                          • Instruction Fuzzy Hash: D8E0C2F6938312CFC7197B3891842AFA390692F220F3158A9E44397282E72A8D811D17
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1655089880.0000000007270000.00000040.00001000.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7270000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0382212a93fc47b7551535bd9070ebccf6d368755d8f0f2111a0344686c03ee9
                                                          • Instruction ID: 1a3242218410d957cc7194d0c471036d8a9d0919a5ba4f8a591a0d47e73d3a8a
                                                          • Opcode Fuzzy Hash: 0382212a93fc47b7551535bd9070ebccf6d368755d8f0f2111a0344686c03ee9
                                                          • Instruction Fuzzy Hash: FBC08CDB0BC06A9E3869C0802B84977727AB2E33307BAD473E803C010A92E01A0D91A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654939475.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7230000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ='1[
                                                          • API String ID: 0-618864843
                                                          • Opcode ID: 993841fe8303b5257be91718181ed75a155431164dde48c146d12b6442e23b1b
                                                          • Instruction ID: 96cb7ba89f31eb05149da271f21a96fcd6798caacf081f5319dc8aa203763eb8
                                                          • Opcode Fuzzy Hash: 993841fe8303b5257be91718181ed75a155431164dde48c146d12b6442e23b1b
                                                          • Instruction Fuzzy Hash: BD314BF713C144BEF313C99597909F67BBBEB8BB30B3440AAE006CA602D6D50B458631
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1655089880.0000000007270000.00000040.00001000.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7270000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4b0b43c23540a47cdcb55df471109ef572aa565d53d625905151c617311ef72e
                                                          • Instruction ID: 5c22d275c2f6d4b609be069c9ea5c9232322f7f95820562242da33e5a42074de
                                                          • Opcode Fuzzy Hash: 4b0b43c23540a47cdcb55df471109ef572aa565d53d625905151c617311ef72e
                                                          • Instruction Fuzzy Hash: 363124EB63D111BEB13281926B649FB6B6DE1C76307308426F847DA502E2F44E4ED1B1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1654859068.00000000071F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71f0000_Gy53Tq6BdK.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e33c2d317c9669bd6d88dcc3c6c674b3d985249b7037306ebdcaaeb65ca971d2
                                                          • Instruction ID: 29a092a1e9a89fca572ff491f14c857747d04af592f0d82df57be739cb270fb1
                                                          • Opcode Fuzzy Hash: e33c2d317c9669bd6d88dcc3c6c674b3d985249b7037306ebdcaaeb65ca971d2
                                                          • Instruction Fuzzy Hash: 940128FB50C294AFB342856157A56FABB78F9D7230B3580FAE582C7147E386490E9630