Windows Analysis Report
SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Analysis ID: 1430960
MD5: 2a5f4c6d957f37ecea115fffe6d28467
SHA1: 9fe8436f8e1f6198b883404f0b59256b4f08bbed
SHA256: 5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8
Tags: exe

Detection

GhostRat, Mimikatz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Yara detected Mimikatz
C2 URLs / IPs found in malware configuration
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create new users
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Use NTFS Short Name in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: MimiKatz
Description: Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Attribution:
  • APT32
  • Anunak
  • GALLIUM
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz

AV Detection

Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack Malware Configuration Extractor: GhostRat {"C2 url": "206.238.196.240"}
Source: C:\Windows\SysWOW64\Dtldt.exe ReversingLabs: Detection: 57%
Source: C:\Windows\SysWOW64\Dtldt.exe Virustotal: Detection: 57%
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe ReversingLabs: Detection: 57%
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Virustotal: Detection: 57%
Source: C:\Windows\SysWOW64\Dtldt.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: iphlpapi.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.000000000295D000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737813880.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.00000000015AD000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2203627286.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738078655.000000000261B000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2765864348.000000000124D000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2587097240.0000000001115000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.000000000295D000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737813880.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.00000000015AD000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.0000000001540000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766198153.0000000001768000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2176673726.0000000002595000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738210455.000000000274A000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2547677887.00000000011D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2176673726.0000000002595000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738210455.000000000274A000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, Dtldt.exe, 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2547677887.00000000011D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: wuser32.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2601733459.0000000001548000.00000004.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766352239.0000000001995000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766198153.0000000001768000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2203627286.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738078655.000000000261B000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2765864348.000000000124D000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2587097240.0000000001115000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.0000000001540000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2601733459.0000000001548000.00000004.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766352239.0000000001995000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_100090A0 FindFirstFileA,FindClose,CloseHandle,CreateFileA, 0_2_100090A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10026300 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose, 0_2_10026300
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10008570 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose, 0_2_10008570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10008740 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_10008740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10008340 GetLogicalDriveStringsA,GetUserNameA,_stricmp,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA, 0_2_10008340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 4x nop then mov al, byte ptr [esp+04h] 0_2_00401130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 4x nop then sub esp, 34h 0_2_00408690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 4x nop then mov eax, 00431900h 0_2_00401750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_10029700
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 4x nop then mov al, byte ptr [esp+04h] 3_2_00401130
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 4x nop then sub esp, 34h 3_2_00408690
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 4x nop then mov eax, 00431900h 3_2_00401750

Networking

Source: Malware configuration extractor URLs: 206.238.196.240
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1001F010 recv, 0_2_1001F010
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://ptlogin2.qun.qq.com%s
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe String found in binary or memory: http://ptlogin2.qun.qq.com%sAccept-Language:
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://qun.qq.com%s
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe String found in binary or memory: http://qun.qq.com%sAccept-Language:
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp, Dtldt.exe, Dtldt.exe, 00000003.00000002.2765217331.0000000000401000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.appspeed.com/
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000056B000.00000040.00000001.01000000.00000003.sdmp, Dtldt.exe, 00000003.00000002.2765217331.0000000000401000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.appspeed.com/support
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%sAccept-Language:
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://ssl.ptlogin2.qq.com%s
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe String found in binary or memory: https://ssl.ptlogin2.qq.com%sAccept-Language:
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_5fb39f51-4
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_98995968-a
Source: Yara match File source: 00000003.00000002.2766198153.0000000001768000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe PID: 408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dtldt.exe PID: 5708, type: MEMORYSTR

System Summary

Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPE Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPE Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE Matched rule: Identifies a variant of Gh0st Rat Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE Matched rule: Detects PCRat / Gh0st Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE Matched rule: Identifies a variant of Gh0st Rat Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE Matched rule: Detects PCRat / Gh0st Author: ditekSHen
Source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies a variant of Gh0st Rat Author: unknown
Source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies a variant of Gh0st Rat Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe PID: 408, type: MEMORYSTR Matched rule: Identifies a variant of Gh0st Rat Author: unknown
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dtldt.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014961E5 NtQueryVirtualMemory, 3_2_014961E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1000C570: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, 0_2_1000C570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1000E010 ExitWindowsEx, 0_2_1000E010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1000C570 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, 0_2_1000C570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe File created: C:\Windows\SysWOW64\Dtldt.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe File created: C:\Windows\SysWOW64\Dtldt.exe:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10093080 0_2_10093080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_100240A0 0_2_100240A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_100170E0 0_2_100170E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1007A180 0_2_1007A180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10057190 0_2_10057190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1008F1A0 0_2_1008F1A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10037260 0_2_10037260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1007A430 0_2_1007A430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10092470 0_2_10092470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10055490 0_2_10055490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1008F4D0 0_2_1008F4D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_100904D0 0_2_100904D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_100334E0 0_2_100334E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10056580 0_2_10056580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10013720 0_2_10013720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10053740 0_2_10053740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1007C7B0 0_2_1007C7B0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01219013 3_2_01219013
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121E457 3_2_0121E457
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120677E 3_2_0120677E
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121A786 3_2_0121A786
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121DDB8 3_2_0121DDB8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013CE5D8 3_2_013CE5D8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0147D16F 3_2_0147D16F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014561FB 3_2_014561FB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0148518C 3_2_0148518C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0148D183 3_2_0148D183
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014681BB 3_2_014681BB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0144D043 3_2_0144D043
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0148E054 3_2_0148E054
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01392078 3_2_01392078
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01392075 3_2_01392075
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013DB083 3_2_013DB083
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01413080 3_2_01413080
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014600A3 3_2_014600A3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0147F3D0 3_2_0147F3D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0146F390 3_2_0146F390
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0148E24D 3_2_0148E24D
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01482245 3_2_01482245
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01490251 3_2_01490251
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0148626F 3_2_0148626F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013BD215 3_2_013BD215
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0149920E 3_2_0149920E
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0140320F 3_2_0140320F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0147C599 3_2_0147C599
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01208119 3_2_01208119
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01209A3F 3_2_01209A3F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: String function: 005E4080 appears 243 times
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: String function: 011F111A appears 50 times
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: String function: 0042E744 appears 37 times
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: String function: 005E62BC appears 202 times
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: String function: 005E50A1 appears 38 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: String function: 005E4080 appears 243 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: String function: 0042E744 appears 38 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: String function: 005E62BC appears 202 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: String function: 005E50A1 appears 38 times
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Dtldt.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2203627286.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738078655.000000000266B000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738464898.0000000002D0A000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2203627286.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002DF7000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.000000000295D000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameadvapi32.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.000000000295D000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameiphlpapi.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737813880.0000000000A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameadvapi32.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738078655.000000000261B000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2176673726.00000000026B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738210455.0000000002876000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPE Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPE Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPE Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPE Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPE Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPE Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_PCRat author = ditekSHen, description = Detects PCRat / Gh0st
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_PCRat author = ditekSHen, description = Detects PCRat / Gh0st
Source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
Source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe PID: 408, type: MEMORYSTR Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dtldt.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@0/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_100174F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle, 0_2_100174F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_100240A0 GetVersionExA,sprintf,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,FindWindowA,GetWindowTextA,GetWindow,GetClassNameA,GetTickCount,sprintf,atol,atol,#825,atol,#825,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,OpenSCManagerA,OpenServiceA,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,atoi,strstr,GetSystemDirectoryA,lstrcatA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,wsprintfA, 0_2_100240A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10025030 CreateToolhelp32Snapshot,LocalAlloc,Process32First,lstrlenA,OpenProcess,GetPriorityClass,sprintf,sprintf,OpenProcessToken,GetTokenInformation,GetTokenInformation,malloc,GetTokenInformation,LookupAccountSidA,free,CloseHandle,GetProcessMemoryInfo,sprintf,GetModuleFileNameExA,GetWindowsDirectoryA,_strnicmp,_strnicmp,_strnicmp,_strnicmp,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseHandle,Process32Next,LocalReAlloc,CloseHandle, 0_2_10025030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10016340 CoInitialize,CoCreateInstance,SysFreeString,SysFreeString,CoUninitialize, 0_2_10016340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1001B930 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep, 0_2_1001B930
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe ReversingLabs: Detection: 57%
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Virustotal: Detection: 57%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe"
Source: unknown Process created: C:\Windows\SysWOW64\Dtldt.exe C:\Windows\SysWOW64\Dtldt.exe -auto
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Section loaded: mfc42.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Dtldt.exe Section loaded: mfc42.dll
Source: C:\Windows\SysWOW64\Dtldt.exe Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\Dtldt.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\Dtldt.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\Dtldt.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Static file information: File size 2138112 > 1048576
Source: Binary string: iphlpapi.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.000000000295D000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737813880.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.00000000015AD000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2203627286.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738078655.000000000261B000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2765864348.000000000124D000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2587097240.0000000001115000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.000000000295D000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737813880.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.00000000015AD000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.0000000001540000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766198153.0000000001768000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2176673726.0000000002595000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738210455.000000000274A000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2547677887.00000000011D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2176673726.0000000002595000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738210455.000000000274A000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, Dtldt.exe, 00000003.00000002.2765974856.000000000138F000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2547677887.00000000011D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: wuser32.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2601733459.0000000001548000.00000004.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766352239.0000000001995000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738464898.0000000002B2A000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2193951462.00000000028F8000.00000004.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766198153.0000000001768000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2203627286.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738078655.000000000261B000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2765864348.000000000124D000.00000040.00000020.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2587097240.0000000001115000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738368938.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766112395.0000000001540000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000003.2601733459.0000000001548000.00000004.00000800.00020000.00000000.sdmp, Dtldt.exe, 00000003.00000002.2766352239.0000000001995000.00000040.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Unpacked PE file: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.400000.0.unpack .text:EW;.sedata:EW;.idata:W;.rsrc:W;.sedata:R; vs .text:ER;.sedata:ER;.idata:R;.rsrc:R;.sedata:R;
Source: C:\Windows\SysWOW64\Dtldt.exe Unpacked PE file: 3.2.Dtldt.exe.400000.0.unpack .text:EW;.sedata:EW;.idata:W;.rsrc:W;.sedata:R; vs .text:ER;.sedata:ER;.idata:R;.rsrc:R;.sedata:R;
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10012640 sprintf,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegDeleteKeyA,RegDeleteValueA, 0_2_10012640
Source: initial sample Static PE information: section where entry point is pointing to: .sedata
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Static PE information: section name: .sedata
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Static PE information: section name: .sedata
Source: Dtldt.exe.0.dr Static PE information: section name: .sedata
Source: Dtldt.exe.0.dr Static PE information: section name: .sedata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_00691046 pushfd ; mov dword ptr [esp], edi 0_2_00691063
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_00694059 pushfd ; mov dword ptr [esp], esp 0_2_0069405A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_00401000 pushad ; retn 0008h 0_2_0040101D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006A2012 push eax; retf 0_2_006A2001
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_0069F10A push edx; mov dword ptr [esp], ebp 0_2_0069F5A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_0069320C pushfd ; mov dword ptr [esp], ebx 0_2_006936F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006992BF push esp; mov dword ptr [esp], ecx 0_2_00699299
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_005F73F0 pushad ; mov dword ptr [esp], edx 0_2_005F74F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_005F7451 pushad ; mov dword ptr [esp], edx 0_2_005F74F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006A7441 push ss; retf 0_2_006A748A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_0069F405 push ss; retf 0_2_0069F41D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_005F7424 pushad ; mov dword ptr [esp], edx 0_2_005F74F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006A44EF pushfd ; mov dword ptr [esp], edx 0_2_006A45A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_005F74C5 pushad ; mov dword ptr [esp], edx 0_2_005F74F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006094D7 push dword ptr [esp+18h]; retn 001Ch 0_2_0060950E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006A856B push 294E1ACBh; ret 0_2_006A853E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006A455C pushfd ; mov dword ptr [esp], edx 0_2_006A45A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_00609528 push dword ptr [esp+18h]; retn 001Ch 0_2_0060950E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_0069953E push word ptr [esp]; mov dword ptr [esp], ebp 0_2_00699564
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006A9586 push word ptr [esp+02h]; mov dword ptr [esp], edi 0_2_006A958B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_0042E5B0 push eax; ret 0_2_0042E5DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_005F062D push dword ptr [esp+24h]; retn 0028h 0_2_005F063A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006A2613 push ss; retf 0_2_006A25E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006AB693 push word ptr [esp]; mov dword ptr [esp], ecx 0_2_006AB799
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_0042E744 push eax; ret 0_2_0042E762
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006A9763 push ss; retf 0_2_006A97C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_005F0731 push dword ptr [esp+04h]; retn 0008h 0_2_005F0750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006B37D1 push word ptr [esp+01h]; mov dword ptr [esp], eax 0_2_006B38C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_0064D829 push dword ptr [esp+24h]; retn 0028h 0_2_0064D82E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006C781D push esp; mov dword ptr [esp], edx 0_2_006C781E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_005F4955 push dword ptr [esp+28h]; retn 002Ch 0_2_005F48F6
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Static PE information: section name: .text entropy: 7.998061242856676
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Static PE information: section name: .sedata entropy: 7.487891420444405
Source: Dtldt.exe.0.dr Static PE information: section name: .text entropy: 7.998061242856676
Source: Dtldt.exe.0.dr Static PE information: section name: .sedata entropy: 7.487891420444405

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 0_2_1000C570
Source: unknown Executable created and started: C:\Windows\SysWOW64\Dtldt.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10021440 lstrlenA,lstrlenA,lstrlenA,lstrlenA,NetUserAdd,#825,#825,wcscpy,#825,#825,NetLocalGroupAddMembers,#825,LocalFree, 0_2_10021440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe File created: C:\Windows\SysWOW64\Dtldt.exe

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 0_2_1000C570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1001B930 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep, 0_2_1001B930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1000C4C0 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog, 0_2_1000C4C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10001140 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,#825,#825,#825,#825, 0_2_10001140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Dtldt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1001A4A0 0_2_1001A4A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 607D80 second address: 607B82 instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 call 00007F44817E148Dh 0x0000000a setne dh 0x0000000d mov ecx, ebp 0x0000000f mov dh, 9Bh 0x00000011 mov dl, 24h 0x00000013 bswap edx 0x00000015 jmp 00007F44817E165Fh 0x00000017 xchg dword ptr [esp], ebx 0x0000001a lea ecx, dword ptr [edi+41h] 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 607B82 second address: 607C62 instructions: 0x00000000 rdtsc 0x00000002 mov edx, F46DAA9Dh 0x00000007 inc ch 0x00000009 jmp 00007F4481241DB4h 0x0000000b lea ebx, dword ptr [ebx-000001C5h] 0x00000011 mov dx, 50EEh 0x00000015 bsr cx, di 0x00000019 call 00007F4481241E16h 0x0000001e stc 0x0000001f pop word ptr [esp] 0x00000023 lea esp, dword ptr [esp+02h] 0x00000027 jmp 00007F4481241D65h 0x00000029 xchg dword ptr [esp], ebx 0x0000002c xchg cl, dh 0x0000002e xchg cx, dx 0x00000031 mov cx, word ptr [esp] 0x00000035 push dword ptr [esp] 0x00000038 retn 0004h 0x0000003b sub ebp, 02h 0x0000003e jmp 00007F4481241DA6h 0x00000040 neg dl 0x00000042 jo 00007F4481241DD3h 0x00000044 mov eax, ecx 0x00000046 xchg edx, eax 0x00000048 mov dh, 4Fh 0x0000004a jmp 00007F4481241F01h 0x0000004f mov cl, byte ptr [edi] 0x00000051 not dl 0x00000053 bswap edx 0x00000055 setb dl 0x00000058 neg ah 0x0000005a jmp 00007F4481241CA0h 0x0000005f jng 00007F4481241E3Bh 0x00000065 pushfd 0x00000066 mov al, byte ptr [esp+03h] 0x0000006a xchg word ptr [esp], ax 0x0000006e btc ax, dx 0x00000072 pop eax 0x00000073 sub esp, 0Bh 0x00000076 jmp 00007F4481241D24h 0x00000078 push dword ptr [esp+06h] 0x0000007c jnp 00007F4481241D79h 0x0000007e dec dx 0x00000080 lea esp, dword ptr [esp+03h] 0x00000084 jmp 00007F4481241D7Dh 0x00000086 sub cl, bl 0x00000088 xchg eax, edx 0x00000089 mov al, 17h 0x0000008b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 60476F second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E16A2h 0x00000004 lea esi, dword ptr [esi-000000EAh] 0x0000000a cpuid 0x0000000c pop ebp 0x0000000d sub esp, 16h 0x00000010 jmp 00007F44817E1725h 0x00000015 jns 00007F44817E160Ch 0x00000017 shr cl, 00000000h 0x0000001a mov dword ptr [esp+06h], ecx 0x0000001e lea esp, dword ptr [esp+02h] 0x00000022 add esp, 14h 0x00000025 jnp 00007F44817E169Ch 0x00000027 jp 00007F44817E169Ah 0x00000029 pop ebx 0x0000002a jmp 00007F44817E169Dh 0x0000002c mov dh, ch 0x0000002e mov ax, F563h 0x00000032 mov ch, al 0x00000034 neg si 0x00000037 jmp 00007F44817E16CCh 0x00000039 jbe 00007F44817E163Ah 0x0000003b pop esi 0x0000003c jmp 00007F44817D1A6Dh 0x00000041 mov ebx, edi 0x00000043 mov ax, word ptr [esp] 0x00000047 xchg eax, edx 0x00000048 mov dl, 3Ah 0x0000004a jmp 00007F44817E165Dh 0x0000004c lea eax, dword ptr [edx+edx] 0x0000004f lea edx, dword ptr [ebx-6DA261F9h] 0x00000055 mov dx, bx 0x00000058 sub esp, 14h 0x0000005b jmp 00007F44817E1696h 0x0000005d jo 00007F44817E1696h 0x0000005f mov edx, dword ptr [esp+05h] 0x00000063 pop dx 0x00000065 jmp 00007F44817E1792h 0x0000006a mov dh, 8Ch 0x0000006c lea esp, dword ptr [esp+02h] 0x00000070 jmp 00007F44817E1582h 0x00000075 lea esp, dword ptr [esp+10h] 0x00000079 sub edi, 128A0F11h 0x0000007f jmp 00007F44817E1709h 0x00000084 rcr cx, 0005h 0x00000088 jp 00007F44817E162Dh 0x0000008a shl al, 1 0x0000008c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 610C59 second address: 60975B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DFAh 0x00000004 mov dh, dl 0x00000006 jmp 00007F448123A8A9h 0x0000000b mov eax, 0B0F4634h 0x00000010 jmp 00007F4481241D36h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 607B5F second address: 607C62 instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 jmp 00007F44817E16E1h 0x00000007 sub ebp, 02h 0x0000000a jmp 00007F44817E1686h 0x0000000c neg dl 0x0000000e jo 00007F44817E16B3h 0x00000010 mov eax, ecx 0x00000012 xchg edx, eax 0x00000014 mov dh, 4Fh 0x00000016 jmp 00007F44817E17E1h 0x0000001b mov cl, byte ptr [edi] 0x0000001d not dl 0x0000001f bswap edx 0x00000021 setb dl 0x00000024 neg ah 0x00000026 jmp 00007F44817E1580h 0x0000002b jng 00007F44817E171Bh 0x00000031 pushfd 0x00000032 mov al, byte ptr [esp+03h] 0x00000036 xchg word ptr [esp], ax 0x0000003a btc ax, dx 0x0000003e pop eax 0x0000003f sub esp, 0Bh 0x00000042 jmp 00007F44817E1604h 0x00000044 push dword ptr [esp+06h] 0x00000048 jnp 00007F44817E1659h 0x0000004a dec dx 0x0000004c lea esp, dword ptr [esp+03h] 0x00000050 jmp 00007F44817E165Dh 0x00000052 sub cl, bl 0x00000054 xchg eax, edx 0x00000055 mov al, 17h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 5F4B9A second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 lea ebp, dword ptr [esp] 0x00000005 lea ebx, dword ptr [00000000h+eax*4] 0x0000000c mov bx, B92Bh 0x00000010 setnl dh 0x00000013 jmp 00007F4481241D77h 0x00000015 mov si, ax 0x00000018 jmp 00007F4481241DC8h 0x0000001a sub esp, 000000C0h 0x00000020 jmp 00007F4481241DD7h 0x00000022 mov esi, esp 0x00000024 sub eax, 56CA30D9h 0x00000029 jne 00007F4481241D83h 0x0000002b mov bx, di 0x0000002e jmp 00007F4481241DDBh 0x00000030 lea ebx, dword ptr [ebx-3Bh] 0x00000033 mov ebx, edi 0x00000035 mov ax, word ptr [esp] 0x00000039 xchg eax, edx 0x0000003a mov dl, 3Ah 0x0000003c jmp 00007F4481241D7Dh 0x0000003e lea eax, dword ptr [edx+edx] 0x00000041 lea edx, dword ptr [ebx-6DA261F9h] 0x00000047 mov dx, bx 0x0000004a sub esp, 14h 0x0000004d jmp 00007F4481241DB6h 0x0000004f jo 00007F4481241DB6h 0x00000051 mov edx, dword ptr [esp+05h] 0x00000055 pop dx 0x00000057 jmp 00007F4481241EB2h 0x0000005c mov dh, 8Ch 0x0000005e lea esp, dword ptr [esp+02h] 0x00000062 jmp 00007F4481241CA2h 0x00000067 lea esp, dword ptr [esp+10h] 0x0000006b sub edi, 128A0F11h 0x00000071 jmp 00007F4481241E29h 0x00000076 rcr cx, 0005h 0x0000007a jp 00007F4481241D4Dh 0x0000007c shl al, 1 0x0000007e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 6068A9 second address: 60687C instructions: 0x00000000 rdtsc 0x00000002 sub cx, bx 0x00000005 jmp 00007F44817E164Ah 0x00000007 mov dx, word ptr [esp] 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 606B01 second address: 606B35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DB2h 0x00000004 lea esp, dword ptr [esp+03h] 0x00000008 jmp 00007F4481241DB8h 0x0000000a rol cx, 0000h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 606B35 second address: 606C59 instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [00000000h+ebp*4] 0x00000009 mov eax, edx 0x0000000b jmp 00007F44817E16BDh 0x0000000d mov eax, edx 0x0000000f lea esp, dword ptr [esp+04h] 0x00000013 not cx 0x00000016 rcl ah, cl 0x00000018 jnp 00007F44817E163Ah 0x0000001a jmp 00007F44817E16A5h 0x0000001c mov dl, cl 0x0000001e cmc 0x0000001f sub edx, ebx 0x00000021 jmp 00007F44817E1658h 0x00000023 add cx, 46A5h 0x00000028 mov dl, byte ptr [esp] 0x0000002b xor edx, AB5782EBh 0x00000031 jmp 00007F44817E16FCh 0x00000033 jne 00007F44817E1643h 0x00000035 mov dh, 44h 0x00000037 mov dx, BF5Ch 0x0000003b call 00007F44817E16A1h 0x00000040 lea eax, dword ptr [ebx+ebp] 0x00000043 jmp 00007F44817E1661h 0x00000045 lea esp, dword ptr [esp+04h] 0x00000049 xor cx, EF15h 0x0000004e lea eax, dword ptr [esi-0000C2B9h] 0x00000054 mov al, ah 0x00000056 jmp 00007F44817E16ABh 0x00000058 pushfd 0x00000059 mov dl, bh 0x0000005b xchg byte ptr [esp], al 0x0000005e bsf edx, esp 0x00000061 jne 00007F44817E16B6h 0x00000063 mov dword ptr [esp], ecx 0x00000066 jmp 00007F44817E16B9h 0x00000068 lea esp, dword ptr [esp+04h] 0x0000006c inc cx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 606C59 second address: 606C5B instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 64C1E3 second address: 64C2CE instructions: 0x00000000 rdtsc 0x00000002 btr ebx, ebx 0x00000005 jno 00007F44817E16AFh 0x00000007 cmc 0x00000008 jmp 00007F44817E1669h 0x0000000a mov ebx, 1F08C55Dh 0x0000000f jmp 00007F44817E1694h 0x00000011 sub ebp, 08h 0x00000014 setns bl 0x00000017 sub esp, 1Ch 0x0000001a jmp 00007F44817E16CCh 0x0000001c jns 00007F44817E163Ah 0x0000001e pop dword ptr [esp+11h] 0x00000022 mov bh, byte ptr [esp+14h] 0x00000026 jmp 00007F44817E16A8h 0x00000028 mov dword ptr [ebp+00h], edx 0x0000002b mov dx, E17Ah 0x0000002f mov edx, 6E64272Bh 0x00000034 sub esp, 18h 0x00000037 jmp 00007F44817E1734h 0x0000003c ja 00007F44817E1712h 0x00000042 mov edx, dword ptr [esp+0Eh] 0x00000046 mov dword ptr [ebp+04h], eax 0x00000049 mov eax, ebp 0x0000004b jmp 00007F44817E1597h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 5E4613 second address: 5E47B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov byte ptr [esp+0Fh], ah 0x00000007 jmp 00007F4481241DEBh 0x00000009 sub ebp, 08h 0x0000000c call 00007F4481241D87h 0x00000011 push word ptr [esp+02h] 0x00000016 jnl 00007F4481241DD7h 0x00000018 lea esp, dword ptr [esp+02h] 0x0000001c jmp 00007F4481241D7Eh 0x0000001e mov dword ptr [ebp+00h], edx 0x00000021 lea edx, dword ptr [00000000h+ebx*4] 0x00000028 clc 0x00000029 js 00007F4481241DCDh 0x0000002b xchg dl, dh 0x0000002d jmp 00007F4481241E1Eh 0x0000002f xchg eax, ecx 0x00000030 mov dx, 7D53h 0x00000034 bswap edx 0x00000036 mov dh, dl 0x00000038 jmp 00007F4481241D7Ch 0x0000003a mov dword ptr [ebp+04h], ecx 0x0000003d lea edx, dword ptr [eax+ecx] 0x00000040 dec ecx 0x00000041 jno 00007F4481241D83h 0x00000043 mov cl, 71h 0x00000045 jmp 00007F4481241DEEh 0x00000047 jmp 00007F4481241E2Ah 0x0000004c mov ecx, dword ptr [esp] 0x0000004f bswap eax 0x00000051 lea ecx, dword ptr [esi+50h] 0x00000054 bt ax, di 0x00000058 jnp 00007F4481241D65h 0x0000005a mov ax, 5EB0h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 606615 second address: 6065B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E161Fh 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 60DA0E second address: 60DADB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241D73h 0x00000004 lea eax, dword ptr [00000000h+eax*4] 0x0000000b lea eax, dword ptr [00000000h+eax*4] 0x00000012 jmp 00007F4481241DC1h 0x00000014 ror bx, 0000h 0x00000018 mov dh, byte ptr [esp] 0x0000001b mov ax, word ptr [esp] 0x0000001f neg ax 0x00000022 jl 00007F4481242C6Fh 0x00000028 mov ax, 9EF1h 0x0000002c xchg dx, ax 0x0000002f mov dh, 93h 0x00000031 jmp 00007F4481241DEBh 0x00000033 mov dx, DA80h 0x00000037 jmp 00007F4481241E2Dh 0x0000003c inc bx 0x0000003e btc edx, edx 0x00000041 jnc 00007F4481241D63h 0x00000043 setb al 0x00000046 not dh 0x00000048 bt edx, eax 0x0000004b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 655636 second address: 655647 instructions: 0x00000000 rdtsc 0x00000002 shr cx, cl 0x00000005 jl 00007F44817E1665h 0x00000007 jnl 00007F44817E168Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 60F361 second address: 60F346 instructions: 0x00000000 rdtsc 0x00000002 xchg dword ptr [esp], ebp 0x00000005 mov dx, 0278h 0x00000009 jmp 00007F4481241D79h 0x0000000b neg ax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 659584 second address: 62E2AD instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+18h], ebx 0x00000006 jmp 00007F44817E1686h 0x00000008 lea esp, dword ptr [esp+04h] 0x0000000c popad 0x0000000d lea ecx, dword ptr [ecx-56ECA26Eh] 0x00000013 mov ecx, 9F0203F6h 0x00000018 lea ecx, dword ptr [esp+edi] 0x0000001b call 00007F44817E16A8h 0x00000020 jmp 00007F44817E166Ah 0x00000022 lea esp, dword ptr [esp+04h] 0x00000026 lea ecx, dword ptr [esp+74h] 0x0000002a jmp 00007F44817E1690h 0x0000002c call 00007F448178778Ch 0x00000031 jmp 00007F44817C5DEEh 0x00000036 jmp 00007F44817E1654h 0x0000003b jmp 00007F44817FE1C9h 0x00000040 push esi 0x00000041 jmp 00007F448180EFBFh 0x00000046 pushad 0x00000047 lea ebp, dword ptr [ebp+25A1C75Dh] 0x0000004d not ebx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 656379 second address: 65661E instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [ebx+000000B6h] 0x00000008 call 00007F4481241E3Bh 0x0000000d mov edx, dword ptr [ebp+00h] 0x00000010 neg ebx 0x00000012 jnc 00007F4481241E25h 0x00000018 lea eax, dword ptr [00000000h+esi*4] 0x0000001f jmp 00007F4481241EB7h 0x00000024 lea ebx, dword ptr [00000000h+edi*4] 0x0000002b xchg ah, al 0x0000002d jmp 00007F4481241D81h 0x0000002f add ebp, 02h 0x00000032 shl bx, cl 0x00000035 jo 00007F4481241E7Ah 0x0000003b bsf ax, si 0x0000003f jmp 00007F4481241DCEh 0x00000041 sub esp, 05h 0x00000044 cmc 0x00000045 lea esp, dword ptr [esp+01h] 0x00000049 jmp 00007F4481241DCAh 0x0000004b jmp 00007F4481241D78h 0x0000004d mov al, byte ptr [edx] 0x00000050 mov dx, cx 0x00000053 xchg dh, dl 0x00000055 bsr edx, edi 0x00000058 jns 00007F4481241DD5h 0x0000005a mov bh, byte ptr [esp] 0x0000005d mov word ptr [ebp+00h], ax 0x00000061 dec dx 0x00000063 jnbe 00007F4481241DBCh 0x00000065 rol dx, 0007h 0x00000069 call 00007F4481241DD5h 0x0000006e mov edx, dword ptr [esp] 0x00000071 shl edx, 1 0x00000073 mov bx, 859Dh 0x00000077 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 65661E second address: 656620 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 637B15 second address: 637B2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DB4h 0x00000004 pushfd 0x00000005 pop dword ptr [ebp+00h] 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 607F6E second address: 608024 instructions: 0x00000000 rdtsc 0x00000002 call 00007F44817E1665h 0x00000007 mov dh, ah 0x00000009 mov edx, dword ptr [esp+01h] 0x0000000d push dword ptr [esp+24h] 0x00000011 retn 0028h 0x00000014 bt edx, ecx 0x00000017 btr ax, si 0x0000001b setl dh 0x0000001e jmp 00007F44817E16F6h 0x00000020 not cl 0x00000022 not dx 0x00000025 lea edx, dword ptr [00000000h+edx*4] 0x0000002c push bx 0x0000002e bsr dx, si 0x00000032 jbe 00007F44817E15FAh 0x00000038 pop dx 0x0000003a jmp 00007F44817E169Ah 0x0000003c add cl, FFFFFFA5h 0x0000003f bts dx, sp 0x00000043 jmp 00007F44817E16A8h 0x00000045 jc 00007F44817E165Eh 0x00000047 inc dl 0x00000049 xchg dx, ax 0x0000004c mov al, byte ptr [esp] 0x0000004f clc 0x00000050 not dx 0x00000053 mov ax, si 0x00000056 jmp 00007F44817E16A9h 0x00000058 xor cl, 00000015h 0x0000005b bswap edx 0x0000005d adc ax, dx 0x00000060 jns 00007F44817E16B4h 0x00000062 js 00007F44817E169Ch 0x00000064 pushfd 0x00000065 mov dword ptr [esp], ebx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 657A01 second address: 658F1B instructions: 0x00000000 rdtsc 0x00000002 rcr bh, cl 0x00000004 mov bh, byte ptr [esp] 0x00000007 xchg dword ptr [esp], edi 0x0000000a jmp 00007F44812432ADh 0x0000000f mov dl, byte ptr [esp] 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 5E245C second address: 60B418 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 4BB0h 0x00000006 mov bx, si 0x00000009 btr bx, dx 0x0000000d jmp 00007F4481817380h 0x00000012 jnl 00007F44817AB99Fh 0x00000018 lea ebx, dword ptr [00000000h+esi*4] 0x0000001f jmp 00007F448181738Dh 0x00000024 sub ebp, 08h 0x00000027 push esp 0x00000028 mov dword ptr [ebp+00h], edx 0x0000002b mov dx, word ptr [esp] 0x0000002f jmp 00007F44817E165Fh 0x00000031 or edx, esi 0x00000033 jbe 00007F44817E16CBh 0x00000035 mov edx, eax 0x00000037 sub esp, 1Ch 0x0000003a jmp 00007F44817E16ADh 0x0000003c mov dword ptr [ebp+04h], eax 0x0000003f and dl, ah 0x00000041 jnl 00007F44817E16AFh 0x00000043 bswap ebx 0x00000045 jmp 00007F44817E1668h 0x00000047 mov al, 8Eh 0x00000049 jmp 00007F44817D487Dh 0x0000004e mov ax, word ptr [esp] 0x00000052 bsr ebx, edx 0x00000055 jp 00007F44817E1663h 0x00000057 btc ax, cx 0x0000005b jmp 00007F44817E16B2h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 618AF6 second address: 618B68 instructions: 0x00000000 rdtsc 0x00000002 push dword ptr [esp] 0x00000005 retn 0004h 0x00000008 mov ecx, dword ptr [ebp+00h] 0x0000000b lea eax, dword ptr [ebx+ebp] 0x0000000e bts dx, di 0x00000012 jmp 00007F4481241E42h 0x00000017 jle 00007F4481241DFDh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 640208 second address: 64036F instructions: 0x00000000 rdtsc 0x00000002 call 00007F44817E1771h 0x00000007 mov dx, word ptr [esp] 0x0000000b call 00007F44817E1666h 0x00000010 mov dl, ah 0x00000012 mov dword ptr [esp], ebx 0x00000015 xchg dword ptr [esp+04h], ebx 0x00000019 sub esp, 14h 0x0000001c jmp 00007F44817E176Fh 0x00000021 push ebx 0x00000022 mov ah, 64h 0x00000024 lea ebx, dword ptr [ebx+4Fh] 0x00000027 mov dx, ax 0x0000002a stc 0x0000002b stc 0x0000002c jmp 00007F44817E15FDh 0x00000031 pushad 0x00000032 xchg ax, dx 0x00000034 xchg dword ptr [esp+3Ch], ebx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 64075D second address: 60975B instructions: 0x00000000 rdtsc 0x00000002 call 00007F4481241D75h 0x00000007 jmp 00007F4481241E06h 0x00000009 mov al, F0h 0x0000000b mov word ptr [ebp+00h], bx 0x0000000f not eax 0x00000011 rcr bx, 000Ah 0x00000015 jns 00007F4481241D7Eh 0x00000017 jmp 00007F4481241E37h 0x0000001c bsr eax, ebx 0x0000001f sub esp, 0Fh 0x00000022 lea esp, dword ptr [esp+03h] 0x00000026 jmp 00007F448120AD3Bh 0x0000002b mov eax, 0B0F4634h 0x00000030 jmp 00007F4481241D36h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 64023B second address: 640256 instructions: 0x00000000 rdtsc 0x00000002 xchg dx, ax 0x00000005 mov eax, 1BA171EFh 0x0000000a mov ax, A249h 0x0000000e jmp 00007F44817E16DDh 0x00000010 lea eax, dword ptr [ebx-0000BE75h] 0x00000016 xchg dword ptr [esp], eax 0x00000019 sub esp, 01h 0x0000001c setle dh 0x0000001f mov dl, 2Dh 0x00000021 mov dx, bx 0x00000024 jmp 00007F44817E1656h 0x00000026 sub esp, 0Ah 0x00000029 lea esp, dword ptr [esp+03h] 0x0000002d lea eax, dword ptr [eax+25h] 0x00000030 mov edx, esi 0x00000032 xchg dh, dl 0x00000034 xchg dh, dl 0x00000036 jmp 00007F44817E189Ah 0x0000003b lea edx, dword ptr [00000000h+eax*4] 0x00000042 mov dh, byte ptr [esp] 0x00000045 xchg dword ptr [esp+08h], eax 0x00000049 mov eax, dword ptr [esp] 0x0000004c setbe dl 0x0000004f dec dx 0x00000051 jmp 00007F44817E15C9h 0x00000056 clc 0x00000057 push dword ptr [esp+08h] 0x0000005b retn 000Ch 0x0000005e setnle al 0x00000061 xchg al, dh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 641F54 second address: 641F54 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+1Ch], ecx 0x00000006 jmp 00007F4481241CB1h 0x0000000b cmc 0x0000000c popad 0x0000000d cmc 0x0000000e cmc 0x0000000f shr eax, 10h 0x00000012 call 00007F4481241D83h 0x00000017 jmp 00007F4481241DF7h 0x00000019 lea esp, dword ptr [esp+14h] 0x0000001d test ax, ax 0x00000020 pushad 0x00000021 lea esp, dword ptr [esp+20h] 0x00000025 jmp 00007F4481241D75h 0x00000027 je 00007F4481241C98h 0x0000002d push sp 0x0000002f lea esp, dword ptr [esp+02h] 0x00000033 jmp 00007F4481241F24h 0x00000038 inc edx 0x00000039 inc edx 0x0000003a dec esi 0x0000003b jmp 00007F4481241D87h 0x0000003d jne 00007F4481241C58h 0x00000043 setb ah 0x00000046 jmp 00007F4481241DE7h 0x00000048 setnle al 0x0000004b mov ax, word ptr [esp] 0x0000004f movzx eax, word ptr [edx] 0x00000052 push ecx 0x00000053 stc 0x00000054 jmp 00007F4481241DCFh 0x00000056 mov byte ptr [esp+02h], cl 0x0000005a jmp 00007F4481241D86h 0x0000005c add ecx, eax 0x0000005e sub esp, 0Eh 0x00000061 mov eax, AE848F68h 0x00000066 lea esp, dword ptr [esp+02h] 0x0000006a jmp 00007F4481241EBDh 0x0000006f pushad 0x00000070 mov ebp, E723975Fh 0x00000075 lea ebp, dword ptr [ecx+edi] 0x00000078 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 6575F5 second address: 63E5D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E15EBh 0x00000007 inc edi 0x00000008 setnle al 0x0000000b lea edx, dword ptr [eax+ecx] 0x0000000e mov dx, bp 0x00000011 jmp 00007F44817E16BAh 0x00000013 mov dx, word ptr [ebx+esi] 0x00000017 mov bx, word ptr [esp] 0x0000001b cmc 0x0000001c js 00007F44817E1661h 0x0000001e jns 00007F44817E16A0h 0x00000020 lea ebx, dword ptr [ebx+0000E1EEh] 0x00000026 sub ah, ah 0x00000028 jmp 00007F44817E165Ah 0x0000002a mov word ptr [ebp+00h], dx 0x0000002e mov dx, word ptr [esp] 0x00000032 call 00007F44817E1707h 0x00000037 ror edx, 02h 0x0000003a jnbe 00007F44817E164Dh 0x0000003c jbe 00007F44817E1635h 0x0000003e mov bh, al 0x00000040 jmp 00007F44817C866Dh 0x00000045 jmp 00007F44817E1669h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 63DD4F second address: 63DD85 instructions: 0x00000000 rdtsc 0x00000002 btr ax, cx 0x00000006 xchg edx, eax 0x00000008 bsr dx, dx 0x0000000c lea edx, dword ptr [edx+edi] 0x0000000f push dword ptr [esp+44h] 0x00000013 retn 0048h 0x00000016 movzx ebx, byte ptr [edi] 0x00000019 jmp 00007F4481241E96h 0x0000001e lea eax, dword ptr [edx+6Ch] 0x00000021 sub esp, 06h 0x00000024 jl 00007F4481241CA9h 0x0000002a lea esp, dword ptr [esp+02h] 0x0000002e call 00007F4481241E13h 0x00000033 mov edx, dword ptr [esp] 0x00000036 mov eax, E9CADE55h 0x0000003b bt edx, edi 0x0000003e mov edx, ecx 0x00000040 inc ah 0x00000042 jmp 00007F4481241D3Ah 0x00000044 xchg dword ptr [esp], ebx 0x00000047 lea edx, dword ptr [00000000h+ebx*4] 0x0000004e not dx 0x00000051 bswap edx 0x00000053 lea eax, dword ptr [00000000h+esi*4] 0x0000005a pushad 0x0000005b jmp 00007F4481241D73h 0x0000005d lea ebx, dword ptr [ebx-0000003Dh] 0x00000063 sub esp, 1Ch 0x00000066 mov ax, 7715h 0x0000006a jmp 00007F4481241DD8h 0x0000006c pop word ptr [esp+06h] 0x00000071 lea esp, dword ptr [esp+02h] 0x00000075 xchg byte ptr [esp+0Ch], ah 0x00000079 xchg dword ptr [esp+38h], ebx 0x0000007d not ax 0x00000080 mov dx, si 0x00000083 jmp 00007F4481241D73h 0x00000085 sets dl 0x00000088 xchg ax, dx 0x0000008a push dword ptr [esp+38h] 0x0000008e retn 003Ch 0x00000091 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe RDTSC instruction interceptor: First address: 63E26B second address: 63E3C3 instructions: 0x00000000 rdtsc 0x00000002 call 00007F44817E1701h 0x00000007 lea eax, dword ptr [ecx-00006757h] 0x0000000d mov eax, 1C262CCAh 0x00000012 mov ax, word ptr [esp] 0x00000016 call 00007F44817E16B6h 0x0000001b xchg dword ptr [esp+04h], esi 0x0000001f bswap eax 0x00000021 jmp 00007F44817E1686h 0x00000023 bsr eax, ecx 0x00000026 inc ax 0x00000028 mov dx, di 0x0000002b lea esi, dword ptr [esi+00000092h] 0x00000031 shr dh, cl 0x00000033 bswap edx 0x00000035 jmp 00007F44817E16B2h 0x00000037 bswap eax 0x00000039 xchg dword ptr [esp+04h], esi 0x0000003d xchg dl, dh 0x0000003f mov dx, 17B9h 0x00000043 mov ax, cx 0x00000046 mov ah, byte ptr [esp] 0x00000049 jmp 00007F44817E1658h 0x0000004b not eax 0x0000004d push dword ptr [esp+04h] 0x00000051 retn 0008h 0x00000054 shr eax, cl 0x00000056 mov edx, dword ptr [esp] 0x00000059 xchg al, ah 0x0000005b rcr eax, cl 0x0000005d bswap edx 0x0000005f mov dx, F0D0h 0x00000063 xchg ax, dx 0x00000065 jmp 00007F44817E175Eh 0x0000006a ror bl, 00000000h 0x0000006d js 00007F44817E165Dh 0x0000006f lea edx, dword ptr [esi-7Fh] 0x00000072 jmp 00007F44817E1642h 0x00000074 lea edx, dword ptr [24CC2BE0h] 0x0000007a rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6D0454 second address: 6D0456 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6D05C8 second address: 6D0B63 instructions: 0x00000000 rdtsc 0x00000002 neg dx 0x00000005 mov cx, 4EA1h 0x00000009 pop ax 0x0000000b jmp 00007F44817E1657h 0x0000000d bsf ax, dx 0x00000011 mov di, 6F97h 0x00000015 call 00007F44817E1C2Dh 0x0000001a pop dword ptr [esp+1Bh] 0x0000001e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6D0B63 second address: 6D0735 instructions: 0x00000000 rdtsc 0x00000002 bsr cx, cx 0x00000006 sub esp, 1Ah 0x00000009 jmp 00007F4481241A6Ch 0x0000000e lea esp, dword ptr [esp+48h] 0x00000012 inc dh 0x00000014 cpuid 0x00000016 mov cx, 6D02h 0x0000001a rol ax, cl 0x0000001d xchg bh, dl 0x0000001f jmp 00007F4481241C87h 0x00000024 stc 0x00000025 not bh 0x00000027 not ecx 0x00000029 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6D0735 second address: 6D0695 instructions: 0x00000000 rdtsc 0x00000002 mov ax, word ptr [esp] 0x00000006 mov edx, ecx 0x00000008 jmp 00007F44817E154Eh 0x0000000d stc 0x0000000e call 00007F44817E1664h 0x00000013 bsf ax, si 0x00000017 xchg word ptr [esp], bx 0x0000001b xchg word ptr [esp], cx 0x0000001f mov byte ptr [esp+02h], ch 0x00000023 bswap ebx 0x00000025 jmp 00007F44817E170Dh 0x0000002a lea esp, dword ptr [esp+02h] 0x0000002e xchg ch, bl 0x00000030 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6D09D3 second address: 6D0A41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pop ecx 0x00000004 xchg esi, ebp 0x00000006 mov di, 7728h 0x0000000a jmp 00007F4481241D7Ch 0x0000000c bts edx, esp 0x0000000f xchg word ptr [esp+1Ch], si 0x00000014 xchg bx, dx 0x00000017 push dword ptr [esp+02h] 0x0000001b jmp 00007F4481241DDCh 0x0000001d sub esp, 05h 0x00000020 call 00007F4481241E44h 0x00000025 neg cx 0x00000028 pop dword ptr [esp+20h] 0x0000002c bsf bp, bp 0x00000030 pop ebp 0x00000031 lea eax, dword ptr [esp+0000EEACh] 0x00000038 jmp 00007F4481241CEEh 0x0000003d mov dword ptr [esp+18h], edi 0x00000041 call 00007F4481241DFBh 0x00000046 clc 0x00000047 bsf ecx, ebx 0x0000004a call 00007F4481241D84h 0x0000004f std 0x00000050 xchg ah, ch 0x00000052 popad 0x00000053 jmp 00007F4481241D86h 0x00000055 pop dword ptr [esp+03h] 0x00000059 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6D0A41 second address: 6D0AE9 instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [esp+eax] 0x00000005 push word ptr [esp+01h] 0x0000000a jmp 00007F44817E16BFh 0x0000000c xchg bp, bx 0x0000000f pop dword ptr [esp] 0x00000012 add esp, 03h 0x00000015 cld 0x00000016 mov word ptr [esp], sp 0x0000001a lea eax, dword ptr [00000000h+edi*4] 0x00000021 jmp 00007F44817E1655h 0x00000023 mov byte ptr [esp], cl 0x00000026 mov ebx, dword ptr [esp] 0x00000029 btc si, cx 0x0000002d xchg ch, bh 0x0000002f sub esp, 01h 0x00000032 jmp 00007F44817E1715h 0x00000037 sub esp, 1Eh 0x0000003a call 00007F44817E163Eh 0x0000003f sub esp, 1Ah 0x00000042 popad 0x00000043 neg esi 0x00000045 std 0x00000046 bts dx, sp 0x0000004a jmp 00007F44817E165Fh 0x0000004c lea edi, dword ptr [00000000h+esi*4] 0x00000053 xchg word ptr [esp+07h], cx 0x00000058 setl ah 0x0000005b jmp 00007F44817E16AAh 0x0000005d push dx 0x0000005f mov dx, 63C0h 0x00000063 mov ebp, dword ptr [esp+17h] 0x00000067 not dl 0x00000069 sub esp, 05h 0x0000006c xchg word ptr [esp+16h], si 0x00000071 jmp 00007F44817E1656h 0x00000073 btc eax, esi 0x00000076 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6D0BB7 second address: 6D0BB9 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6D0BB9 second address: 6D0BFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E165Fh 0x00000004 mov dword ptr [esp], eax 0x00000007 cmc 0x00000008 pushad 0x00000009 push word ptr [esp+03h] 0x0000000e mov bp, word ptr [esp+1Fh] 0x00000013 jmp 00007F44817E16D4h 0x00000015 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6D0CE6 second address: 6D0D0E instructions: 0x00000000 rdtsc 0x00000002 call 00007F4481241E23h 0x00000007 lea edx, dword ptr [00000000h+edx*4] 0x0000000e mov ecx, esp 0x00000010 jmp 00007F4481241D50h 0x00000012 pop edx 0x00000013 xchg word ptr [esp+04h], cx 0x00000018 cpuid 0x0000001a xchg word ptr [esp], bx 0x0000001e push word ptr [esp+13h] 0x00000023 add esp, 0Fh 0x00000026 jmp 00007F4481241D76h 0x00000028 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6D0D0E second address: 6D0D93 instructions: 0x00000000 rdtsc 0x00000002 bswap ebp 0x00000004 sub esp, 06h 0x00000007 push word ptr [esp+06h] 0x0000000c jmp 00007F44817E16B6h 0x0000000e sbb edx, 4C9FCF64h 0x00000014 mov bh, dh 0x00000016 mov eax, dword ptr [esp+03h] 0x0000001a lea eax, dword ptr [esp+edx] 0x0000001d xchg byte ptr [esp+07h], dh 0x00000021 jmp 00007F44817E1657h 0x00000023 lea esp, dword ptr [esp] 0x00000026 pop ax 0x00000028 pop si 0x0000002a mov bx, CC7Ch 0x0000002e lea esp, dword ptr [esp+03h] 0x00000032 jmp 00007F44817E16E9h 0x00000034 lea esp, dword ptr [esp] 0x00000037 mov di, bp 0x0000003a rcl ebx, 17h 0x0000003d neg al 0x0000003f lea edi, dword ptr [00000000h+esi*4] 0x00000046 ror ebx, cl 0x00000048 jmp 00007F44817E1646h 0x0000004a add esi, esp 0x0000004c cld 0x0000004d mov dh, byte ptr [esp+07h] 0x00000051 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6D102C second address: 6D1047 instructions: 0x00000000 rdtsc 0x00000002 mov dl, 2Eh 0x00000004 pop edx 0x00000005 pushad 0x00000006 pop cx 0x00000008 push dword ptr [esp+10h] 0x0000000c jmp 00007F4481241D6Fh 0x0000000e lea edx, dword ptr [edx+ebp] 0x00000011 and ch, FFFFFFCCh 0x00000014 mov eax, esi 0x00000016 xchg ecx, esi 0x00000018 dec di 0x0000001a sbb ax, 0000B5A1h 0x0000001e jmp 00007F4481241D7Ah 0x00000020 mov byte ptr [esp+14h], dh 0x00000024 add esp, 26h 0x00000027 not ebp 0x00000029 pop word ptr [esp] 0x0000002d mov bl, 13h 0x0000002f jmp 00007F4481241DDAh 0x00000031 mov ebp, 9AAF724Ch 0x00000036 btr bp, si 0x0000003a pop bp 0x0000003c bswap ebp 0x0000003e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6D12E9 second address: 6D11B5 instructions: 0x00000000 rdtsc 0x00000002 xchg word ptr [esp+0Bh], cx 0x00000007 setbe dl 0x0000000a xchg byte ptr [esp+04h], dl 0x0000000e jmp 00007F44817E1627h 0x00000010 pop dword ptr [esp] 0x00000013 dec edx 0x00000014 add esp, 05h 0x00000017 mov bp, ax 0x0000001a mov cl, 88h 0x0000001c mov edx, dword ptr [esp+03h] 0x00000020 jmp 00007F44817E1603h 0x00000022 push word ptr [esp+01h] 0x00000027 dec cl 0x00000029 lea esp, dword ptr [esp+04h] 0x0000002d bsf edi, ebx 0x00000030 push word ptr [esp+02h] 0x00000035 pop ebx 0x00000036 jmp 00007F44817E1606h 0x00000038 lea edi, dword ptr [00000000h+ebx*4] 0x0000003f not ebp 0x00000041 xchg bh, cl 0x00000043 pop bp 0x00000045 mov bx, BEE2h 0x00000049 mov ax, 565Ah 0x0000004d jmp 00007F44817E1655h 0x0000004f rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 5EFC12 second address: 5EFD44 instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+01h] 0x00000006 jmp 00007F4481241E09h 0x00000008 mov esi, dword ptr [esp+34h] 0x0000000c mov ch, dl 0x0000000e call 00007F4481241D7Dh 0x00000013 mov ah, bh 0x00000015 mov ch, dl 0x00000017 jmp 00007F4481241DDAh 0x00000019 lea ebp, dword ptr [esp+0Ch] 0x0000001d lea edi, dword ptr [ecx+esi] 0x00000020 mov bl, DCh 0x00000022 not ax 0x00000025 sub esp, 000000B4h 0x0000002b jmp 00007F4481241D56h 0x0000002d mov edi, esp 0x0000002f call 00007F4481241DC0h 0x00000034 mov word ptr [esp], bx 0x00000038 lea edx, dword ptr [00000000h+ebx*4] 0x0000003f mov ecx, esi 0x00000041 jmp 00007F4481241DBDh 0x00000043 mov dx, F2EDh 0x00000047 neg ebx 0x00000049 jc 00007F4481241E1Dh 0x0000004b lea ebx, dword ptr [00000000h+ebp*4] 0x00000052 mov ax, 8AE6h 0x00000056 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 5EFD44 second address: 5EFD82 instructions: 0x00000000 rdtsc 0x00000002 mov bl, byte ptr [esp] 0x00000005 push sp 0x00000007 mov word ptr [esp], bp 0x0000000b mov ah, dh 0x0000000d push word ptr [esp] 0x00000011 jc 00007F44817E1646h 0x00000013 jmp 00007F44817E166Ah 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 add esi, 565B2E4Fh 0x0000001f mov bx, ax 0x00000022 inc eax 0x00000023 jmp 00007F44817E16DCh 0x00000025 jp 00007F44817E162Eh 0x00000027 bsf edx, ebx 0x0000002a lea eax, dword ptr [ebp-0000FDAEh] 0x00000030 pushad 0x00000031 jmp 00007F44817E16D5h 0x00000033 lea esp, dword ptr [esp+20h] 0x00000037 not esi 0x00000039 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 5EFD82 second address: 5EFE06 instructions: 0x00000000 rdtsc 0x00000002 mov bl, CBh 0x00000004 xchg ebx, edx 0x00000006 jmp 00007F4481241E10h 0x00000008 mov eax, ecx 0x0000000a mov ax, word ptr [esp] 0x0000000e bt bx, ax 0x00000012 jc 00007F4481241D28h 0x00000014 mov eax, ecx 0x00000016 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 5F0912 second address: 5F0EEB instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [edi+50h] 0x00000005 lea ebx, dword ptr [00000000h+eax*4] 0x0000000c jmp 00007F44817E16A8h 0x0000000e mov dx, cx 0x00000011 setnl dh 0x00000014 setnp bl 0x00000017 jmp 00007F44817E1661h 0x00000019 cmp ebp, eax 0x0000001b call 00007F44817E1C37h 0x00000020 not dl 0x00000022 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 603B99 second address: 5EFD44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push dword ptr [esp+38h] 0x00000007 retn 003Ch 0x0000000a lea eax, dword ptr [eax+edx] 0x0000000d add ebx, 2AEE4402h 0x00000013 jmp 00007F448122DF54h 0x00000018 mov ecx, esi 0x0000001a jmp 00007F4481241DBDh 0x0000001c mov dx, F2EDh 0x00000020 neg ebx 0x00000022 jc 00007F4481241E1Dh 0x00000024 lea ebx, dword ptr [00000000h+ebp*4] 0x0000002b mov ax, 8AE6h 0x0000002f rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 603E4D second address: 5F76B3 instructions: 0x00000000 rdtsc 0x00000002 bsf ax, bx 0x00000006 jmp 00007F44817E16CBh 0x00000008 adc ax, ax 0x0000000b push dword ptr [esp+14h] 0x0000000f retn 0018h 0x00000012 pop esi 0x00000013 jmp 00007F44817D4E76h 0x00000018 mov ecx, edi 0x0000001a jmp 00007F44817E16BAh 0x0000001c mov edx, dword ptr [esp] 0x0000001f lea ebx, dword ptr [esp+000076EAh] 0x00000026 lea eax, dword ptr [esp+edx] 0x00000029 call 00007F44817E165Dh 0x0000002e mov dx, word ptr [esp+02h] 0x00000033 add esp, 00000000h 0x00000036 jl 00007F44817E2AFAh 0x0000003c jnl 00007F44817E1778h 0x00000042 push word ptr [esp+02h] 0x00000047 mov bh, cl 0x00000049 lea edx, dword ptr [00000000h+esi*4] 0x00000050 jmp 00007F44817E15F2h 0x00000055 bsr ebx, ebp 0x00000058 bts ax, dx 0x0000005c jmp 00007F44817E17F1h 0x00000061 neg ah 0x00000063 lea esp, dword ptr [esp+02h] 0x00000067 jmp 00007F44817E14DAh 0x0000006c rol edi, 00000000h 0x0000006f stc 0x00000070 jnl 00007F44817E1666h 0x00000072 pushad 0x00000073 jmp 00007F44817E1686h 0x00000075 sub esp, 06h 0x00000078 lea ebx, dword ptr [00000000h+edi*4] 0x0000007f lea esp, dword ptr [esp+02h] 0x00000083 jmp 00007F44817E16C4h 0x00000085 lea esp, dword ptr [esp+28h] 0x00000089 dec edi 0x0000008a lea eax, dword ptr [00000000h+ebx*4] 0x00000091 push eax 0x00000092 mov dx, cx 0x00000095 jmp 00007F44817E1645h 0x00000097 mov word ptr [esp+01h], dx 0x0000009c not al 0x0000009e lea esp, dword ptr [esp+04h] 0x000000a2 add edi, 507E8820h 0x000000a8 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 5F76B3 second address: 5F7759 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DE0h 0x00000004 mov edx, dword ptr [esp] 0x00000007 setnb al 0x0000000a bswap edx 0x0000000c rcl dl, cl 0x0000000e jp 00007F4481241D58h 0x00000010 not dl 0x00000012 sub esp, 10h 0x00000015 jmp 00007F4481241E25h 0x0000001a lea esp, dword ptr [esp+10h] 0x0000001e xor edi, 77D48258h 0x00000024 bsf ax, si 0x00000028 jnl 00007F4481241D7Ah 0x0000002a sub esp, 03h 0x0000002d mov ebx, edx 0x0000002f setne bh 0x00000032 xchg bh, dl 0x00000034 lea esp, dword ptr [esp+03h] 0x00000038 jmp 00007F4481241DBCh 0x0000003a xor edi, 60BA760Eh 0x00000040 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 5F7759 second address: 5F7785 instructions: 0x00000000 rdtsc 0x00000002 btc ax, bx 0x00000006 jmp 00007F44817E16BCh 0x00000008 jno 00007F44817E164Ah 0x0000000a rcl al, cl 0x0000000c add edi, dword ptr [ebp+00h] 0x0000000f mov ax, word ptr [esp] 0x00000013 jmp 00007F44817E1697h 0x00000015 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 601B40 second address: 601B44 instructions: 0x00000000 rdtsc 0x00000002 mov dh, B2h 0x00000004 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 604FB2 second address: 5F4C8A instructions: 0x00000000 rdtsc 0x00000002 mov bx, word ptr [esp] 0x00000006 mov ecx, 84CCED5Ah 0x0000000b jmp 00007F44817E163Fh 0x0000000d mov edx, ebp 0x0000000f pop ebx 0x00000010 jmp 00007F44817D1318h 0x00000015 mov ebx, edi 0x00000017 mov ax, word ptr [esp] 0x0000001b xchg eax, edx 0x0000001c mov dl, 3Ah 0x0000001e jmp 00007F44817E165Dh 0x00000020 lea eax, dword ptr [edx+edx] 0x00000023 lea edx, dword ptr [ebx-6DA261F9h] 0x00000029 mov dx, bx 0x0000002c sub esp, 14h 0x0000002f jmp 00007F44817E1696h 0x00000031 jo 00007F44817E1696h 0x00000033 mov edx, dword ptr [esp+05h] 0x00000037 pop dx 0x00000039 jmp 00007F44817E1792h 0x0000003e mov dh, 8Ch 0x00000040 lea esp, dword ptr [esp+02h] 0x00000044 jmp 00007F44817E1582h 0x00000049 lea esp, dword ptr [esp+10h] 0x0000004d sub edi, 128A0F11h 0x00000053 jmp 00007F44817E1709h 0x00000058 rcr cx, 0005h 0x0000005c jp 00007F44817E162Dh 0x0000005e shl al, 1 0x00000060 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 5F4C8A second address: 5F4D25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241D86h 0x00000004 mov cx, EB63h 0x00000008 jmp 00007F4481241DCEh 0x0000000a ror edi, 00000000h 0x0000000d stc 0x0000000e jle 00007F4481241D86h 0x00000010 lea edx, dword ptr [eax+ecx] 0x00000013 jmp 00007F4481241DF0h 0x00000015 xchg edx, ecx 0x00000017 mov al, byte ptr [esp] 0x0000001a mov dx, word ptr [esp] 0x0000001e jmp 00007F4481241D81h 0x00000020 mov edx, 96F70AFFh 0x00000025 jmp 00007F4481241D75h 0x00000027 add edi, 4B2345C8h 0x0000002d mov ecx, dword ptr [esp] 0x00000030 mov ecx, edx 0x00000032 lea edx, dword ptr [ecx+ebp] 0x00000035 jmp 00007F4481241DEFh 0x00000037 xchg dl, dh 0x00000039 xchg ecx, edx 0x0000003b ror edi, 00000000h 0x0000003e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 5F6D40 second address: 5F6D45 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [edi+ebp] 0x00000005 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 60139C second address: 6014E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241D5Eh 0x00000004 sub ebp, 04h 0x00000007 mov dx, sp 0x0000000a add al, C5h 0x0000000c jnle 00007F4481241DF2h 0x0000000e mov eax, esp 0x00000010 jmp 00007F4481241D88h 0x00000012 mov ax, di 0x00000015 jmp 00007F4481241DB7h 0x00000017 mov edx, edi 0x00000019 mov ecx, dword ptr [edx] 0x0000001b mov dh, cl 0x0000001d rcr edx, cl 0x0000001f jmp 00007F44812420C7h 0x00000024 jp 00007F4481241F86h 0x0000002a mov edx, F267AC06h 0x0000002f setnp dl 0x00000032 jmp 00007F4481241B8Ah 0x00000037 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6023D2 second address: 601A3F instructions: 0x00000000 rdtsc 0x00000002 xchg ah, dh 0x00000004 jmp 00007F44817E0DB0h 0x00000009 add ebp, 04h 0x0000000c lea edx, dword ptr [00000000h+ebp*4] 0x00000013 not ax 0x00000016 push esi 0x00000017 jmp 00007F44817E15C1h 0x0000001c not ah 0x0000001e bsr cx, bx 0x00000022 jnl 00007F44817E1659h 0x00000024 mov si, bx 0x00000027 jmp 00007F44817E1667h 0x00000029 push ebx 0x0000002a mov cx, A66Fh 0x0000002e mov edx, 7C18FE6Fh 0x00000033 mov ah, 72h 0x00000035 xchg eax, ecx 0x00000036 jmp 00007F44817E168Eh 0x00000038 push edi 0x00000039 not bh 0x0000003b sets dh 0x0000003e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 603DFC second address: 603EE8 instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [eax+ebx] 0x00000005 jmp 00007F4481241E25h 0x0000000a bsr edx, edx 0x0000000d jo 00007F4481241DEBh 0x0000000f jno 00007F4481241DE9h 0x00000011 mov edi, dword ptr [ebp+00h] 0x00000014 clc 0x00000015 jnc 00007F4481241D70h 0x00000017 jmp 00007F4481241DB6h 0x00000019 xchg ax, dx 0x0000001b jmp 00007F4481241DC2h 0x0000001d add ebp, 04h 0x00000020 mov ah, byte ptr [esp] 0x00000023 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 60571F second address: 60581E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, byte ptr [esp+17h] 0x00000007 jmp 00007F44817E169Dh 0x00000009 not eax 0x0000000b jmp 00007F44817E1663h 0x0000000d push edi 0x0000000e xchg ebp, edi 0x00000010 mov bx, F68Fh 0x00000014 neg al 0x00000016 jp 00007F44817E16ADh 0x00000018 jnp 00007F44817E16EBh 0x0000001a jmp 00007F44817E1645h 0x0000001c push esi 0x0000001d mov ecx, esi 0x0000001f mov dh, byte ptr [esp] 0x00000022 pushfd 0x00000023 lea ecx, dword ptr [00000000h+ebp*4] 0x0000002a xchg dl, dh 0x0000002c jmp 00007F44817E16ADh 0x0000002e bsf bp, sp 0x00000032 jnp 00007F44817E16A6h 0x00000034 add esp, 04h 0x00000037 jns 00007F44817E17DAh 0x0000003d jmp 00007F44817E1648h 0x0000003f pop ebp 0x00000040 mov di, word ptr [esp] 0x00000044 pushad 0x00000045 cpuid 0x00000047 mov word ptr [esp+0Eh], bp 0x0000004c jmp 00007F44817E1606h 0x0000004e add esp, 20h 0x00000051 jnp 00007F44817E163Fh 0x00000053 pop esi 0x00000054 mov ebx, esi 0x00000056 xchg edi, eax 0x00000058 jmp 00007F44817E164Fh 0x0000005a bsr ax, cx 0x0000005e jo 00007F44817E1692h 0x00000060 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 604FCA second address: 6050CF instructions: 0x00000000 rdtsc 0x00000002 not edx 0x00000004 jmp 00007F4481241DCFh 0x00000006 push esi 0x00000007 bsr eax, esp 0x0000000a jo 00007F4481241DF5h 0x0000000c mov cl, D6h 0x0000000e mov ecx, dword ptr [esp] 0x00000011 dec esi 0x00000012 jmp 00007F4481241DC7h 0x00000014 push ebx 0x00000015 call 00007F4481241E34h 0x0000001a mov ax, 7417h 0x0000001e bswap edx 0x00000020 bt ecx, edx 0x00000023 pushfd 0x00000024 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6050CF second address: 60503E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E16A7h 0x00000004 xchg dword ptr [esp+04h], ecx 0x00000008 mov dx, si 0x0000000b mov ebx, esp 0x0000000d not bh 0x0000000f call 00007F44817E165Fh 0x00000014 lea ecx, dword ptr [ecx+01h] 0x00000017 mov ah, byte ptr [esp] 0x0000001a jmp 00007F44817E16B9h 0x0000001c lea esi, dword ptr [00000000h+esi*4] 0x00000023 lea esi, dword ptr [eax+ebp] 0x00000026 btr ax, sp 0x0000002a mov bx, 430Fh 0x0000002e xchg dword ptr [esp+08h], ecx 0x00000032 neg dl 0x00000034 jmp 00007F44817E164Fh 0x00000036 sub esp, 1Ah 0x00000039 lea esp, dword ptr [esp+11h] 0x0000003d pop dword ptr [esp] 0x00000040 xor ebx, 69AE8573h 0x00000046 jmp 00007F44817E1710h 0x0000004b lea esp, dword ptr [esp+01h] 0x0000004f push dword ptr [esp+0Ch] 0x00000053 retn 0010h 0x00000056 stc 0x00000057 ja 00007F44817E17C0h 0x0000005d rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 60503E second address: 60518E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241EC2h 0x00000007 mov cx, 032Ah 0x0000000b sub cx, bx 0x0000000e jmp 00007F4481241DB8h 0x00000010 push ebp 0x00000011 lea eax, dword ptr [ecx+edx] 0x00000014 jmp 00007F4481241DA6h 0x00000016 mov eax, dword ptr [esp] 0x00000019 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 60518E second address: 6051B3 instructions: 0x00000000 rdtsc 0x00000002 mov dx, E701h 0x00000006 mov cx, dx 0x00000009 xchg ebx, ebp 0x0000000b xchg dl, ah 0x0000000d jmp 00007F44817E1698h 0x0000000f rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 5F4CDF second address: 5F4D25 instructions: 0x00000000 rdtsc 0x00000002 mov cx, EB63h 0x00000006 jmp 00007F4481241D5Fh 0x00000008 ror edi, 00000000h 0x0000000b stc 0x0000000c jle 00007F4481241D86h 0x0000000e lea edx, dword ptr [eax+ecx] 0x00000011 jmp 00007F4481241DF0h 0x00000013 xchg edx, ecx 0x00000015 mov al, byte ptr [esp] 0x00000018 mov dx, word ptr [esp] 0x0000001c jmp 00007F4481241D81h 0x0000001e mov edx, 96F70AFFh 0x00000023 jmp 00007F4481241D75h 0x00000025 add edi, 4B2345C8h 0x0000002b mov ecx, dword ptr [esp] 0x0000002e mov ecx, edx 0x00000030 lea edx, dword ptr [ecx+ebp] 0x00000033 jmp 00007F4481241DEFh 0x00000035 xchg dl, dh 0x00000037 xchg ecx, edx 0x00000039 ror edi, 00000000h 0x0000003c rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 604854 second address: 604865 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E16DDh 0x00000004 mov ecx, dword ptr [ebp+00h] 0x00000007 mov edx, esp 0x00000009 seto al 0x0000000c setb dh 0x0000000f jmp 00007F44817E161Ah 0x00000011 add dword ptr [ebp+04h], ecx 0x00000014 xchg ah, dh 0x00000016 mov dl, byte ptr [esp] 0x00000019 mov eax, DB213984h 0x0000001e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6047C6 second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 lea esi, dword ptr [esi-000000EAh] 0x00000008 jmp 00007F4481241D6Bh 0x0000000a cpuid 0x0000000c pop ebp 0x0000000d sub esp, 16h 0x00000010 jmp 00007F4481241E45h 0x00000015 jns 00007F4481241D2Ch 0x00000017 shr cl, 00000000h 0x0000001a mov dword ptr [esp+06h], ecx 0x0000001e lea esp, dword ptr [esp+02h] 0x00000022 add esp, 14h 0x00000025 jnp 00007F4481241DBCh 0x00000027 jp 00007F4481241DBAh 0x00000029 pop ebx 0x0000002a jmp 00007F4481241DBDh 0x0000002c mov dh, ch 0x0000002e mov ax, F563h 0x00000032 mov ch, al 0x00000034 neg si 0x00000037 jmp 00007F4481241DECh 0x00000039 jbe 00007F4481241D5Ah 0x0000003b pop esi 0x0000003c jmp 00007F448123218Dh 0x00000041 mov ebx, edi 0x00000043 mov ax, word ptr [esp] 0x00000047 xchg eax, edx 0x00000048 mov dl, 3Ah 0x0000004a jmp 00007F4481241D7Dh 0x0000004c lea eax, dword ptr [edx+edx] 0x0000004f lea edx, dword ptr [ebx-6DA261F9h] 0x00000055 mov dx, bx 0x00000058 sub esp, 14h 0x0000005b jmp 00007F4481241DB6h 0x0000005d jo 00007F4481241DB6h 0x0000005f mov edx, dword ptr [esp+05h] 0x00000063 pop dx 0x00000065 jmp 00007F4481241EB2h 0x0000006a mov dh, 8Ch 0x0000006c lea esp, dword ptr [esp+02h] 0x00000070 jmp 00007F4481241CA2h 0x00000075 lea esp, dword ptr [esp+10h] 0x00000079 sub edi, 128A0F11h 0x0000007f jmp 00007F4481241E29h 0x00000084 rcr cx, 0005h 0x00000088 jp 00007F4481241D4Dh 0x0000008a shl al, 1 0x0000008c rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 60C3F9 second address: 60B418 instructions: 0x00000000 rdtsc 0x00000002 sub ebp, 04h 0x00000005 pushfd 0x00000006 pop dx 0x00000008 jmp 00007F44817E1650h 0x0000000a mov eax, dword ptr [esp] 0x0000000d lea esp, dword ptr [esp+02h] 0x00000011 mov dword ptr [ebp+00h], ebx 0x00000014 lea eax, dword ptr [00000000h+eax*4] 0x0000001b inc dh 0x0000001d jmp 00007F44817E16B5h 0x0000001f jo 00007F44817E1622h 0x00000021 mov ah, byte ptr [esp] 0x00000024 call 00007F44817E1665h 0x00000029 xor ax, sp 0x0000002c lea eax, dword ptr [esi-000000F8h] 0x00000032 push ax 0x00000034 jmp 00007F44817E1696h 0x00000036 mov edx, B2EBA21Ah 0x0000003b dec edx 0x0000003c lea esp, dword ptr [esp+02h] 0x00000040 xchg dword ptr [esp], ecx 0x00000043 mov dl, BBh 0x00000045 rcl dl, 1 0x00000047 jmp 00007F44817E16B3h 0x00000049 lea edx, dword ptr [00000000h+ebp*4] 0x00000050 push esp 0x00000051 xchg dh, dl 0x00000053 lea ecx, dword ptr [ecx-0000104Ah] 0x00000059 mov ax, word ptr [esp] 0x0000005d bt dx, ax 0x00000061 jmp 00007F44817E1652h 0x00000063 rcr ax, cl 0x00000066 rcr ah, cl 0x00000068 xchg dword ptr [esp+04h], ecx 0x0000006c inc dx 0x0000006e jmp 00007F44817E1B33h 0x00000073 lea edx, dword ptr [edi+0000008Eh] 0x00000079 push ax 0x0000007b lea esp, dword ptr [esp] 0x0000007e mov word ptr [esp], ax 0x00000082 lea esp, dword ptr [esp+02h] 0x00000086 push dword ptr [esp+04h] 0x0000008a retn 0008h 0x0000008d mov ax, word ptr [esp] 0x00000091 bsr ebx, edx 0x00000094 jp 00007F44817E1663h 0x00000096 btc ax, cx 0x0000009a jmp 00007F44817E16B2h 0x0000009c rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 60B12B second address: 60B154 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DE4h 0x00000004 lea esp, dword ptr [esp+02h] 0x00000008 xchg dword ptr [esp+04h], ebp 0x0000000c mov ah, byte ptr [esp] 0x0000000f mov dh, 8Eh 0x00000011 xchg edx, eax 0x00000013 lea ebp, dword ptr [ebp+5Dh] 0x00000016 jmp 00007F4481241D71h 0x00000018 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 60B154 second address: 60B187 instructions: 0x00000000 rdtsc 0x00000002 mov ax, sp 0x00000005 call 00007F44817E16C2h 0x0000000a sub esp, 11h 0x0000000d lea esp, dword ptr [esp+01h] 0x00000011 xchg dword ptr [esp+18h], ebp 0x00000015 add al, 3Ah 0x00000017 jmp 00007F44817E165Dh 0x00000019 neg edx 0x0000001b rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 60B187 second address: 60B244 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 call 00007F4481241DC0h 0x00000008 push dword ptr [esp+1Ch] 0x0000000c retn 0020h 0x0000000f bts edx, ebp 0x00000012 sub esp, 1Bh 0x00000015 jmp 00007F4481241EE5h 0x0000001a xchg byte ptr [esp+0Bh], dh 0x0000001e xchg dl, al 0x00000020 ror bl, 00000000h 0x00000023 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 60B244 second address: 60B1DE instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [ebx+edi] 0x00000005 jmp 00007F44817E163Dh 0x00000007 clc 0x00000008 jnbe 00007F44817E1662h 0x0000000a lea eax, dword ptr [00000000h+edi*4] 0x00000011 rol bl, 00000000h 0x00000014 jmp 00007F44817E1660h 0x00000016 sub dh, ah 0x00000018 js 00007F44817E16BDh 0x0000001a btr ax, si 0x0000001e mov dl, byte ptr [esp] 0x00000021 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 603F07 second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 bts dx, dx 0x00000006 xchg dword ptr [esp], edi 0x00000009 mov eax, esp 0x0000000b mov eax, edx 0x0000000d btc dx, di 0x00000011 jmp 00007F4481241B5Fh 0x00000016 mov ax, E5E4h 0x0000001a push dword ptr [esp] 0x0000001d retn 0004h 0x00000020 mov ebx, edi 0x00000022 mov ax, word ptr [esp] 0x00000026 xchg eax, edx 0x00000027 mov dl, 3Ah 0x00000029 jmp 00007F4481241D7Dh 0x0000002b lea eax, dword ptr [edx+edx] 0x0000002e lea edx, dword ptr [ebx-6DA261F9h] 0x00000034 mov dx, bx 0x00000037 sub esp, 14h 0x0000003a jmp 00007F4481241DB6h 0x0000003c jo 00007F4481241DB6h 0x0000003e mov edx, dword ptr [esp+05h] 0x00000042 pop dx 0x00000044 jmp 00007F4481241EB2h 0x00000049 mov dh, 8Ch 0x0000004b lea esp, dword ptr [esp+02h] 0x0000004f jmp 00007F4481241CA2h 0x00000054 lea esp, dword ptr [esp+10h] 0x00000058 sub edi, 128A0F11h 0x0000005e jmp 00007F4481241E29h 0x00000063 rcr cx, 0005h 0x00000067 jp 00007F4481241D4Dh 0x00000069 shl al, 1 0x0000006b rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 607D80 second address: 607B82 instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 call 00007F44817E148Dh 0x0000000a setne dh 0x0000000d mov ecx, ebp 0x0000000f mov dh, 9Bh 0x00000011 mov dl, 24h 0x00000013 bswap edx 0x00000015 jmp 00007F44817E165Fh 0x00000017 xchg dword ptr [esp], ebx 0x0000001a lea ecx, dword ptr [edi+41h] 0x0000001d rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 607B82 second address: 607C62 instructions: 0x00000000 rdtsc 0x00000002 mov edx, F46DAA9Dh 0x00000007 inc ch 0x00000009 jmp 00007F4481241DB4h 0x0000000b lea ebx, dword ptr [ebx-000001C5h] 0x00000011 mov dx, 50EEh 0x00000015 bsr cx, di 0x00000019 call 00007F4481241E16h 0x0000001e stc 0x0000001f pop word ptr [esp] 0x00000023 lea esp, dword ptr [esp+02h] 0x00000027 jmp 00007F4481241D65h 0x00000029 xchg dword ptr [esp], ebx 0x0000002c xchg cl, dh 0x0000002e xchg cx, dx 0x00000031 mov cx, word ptr [esp] 0x00000035 push dword ptr [esp] 0x00000038 retn 0004h 0x0000003b sub ebp, 02h 0x0000003e jmp 00007F4481241DA6h 0x00000040 neg dl 0x00000042 jo 00007F4481241DD3h 0x00000044 mov eax, ecx 0x00000046 xchg edx, eax 0x00000048 mov dh, 4Fh 0x0000004a jmp 00007F4481241F01h 0x0000004f mov cl, byte ptr [edi] 0x00000051 not dl 0x00000053 bswap edx 0x00000055 setb dl 0x00000058 neg ah 0x0000005a jmp 00007F4481241CA0h 0x0000005f jng 00007F4481241E3Bh 0x00000065 pushfd 0x00000066 mov al, byte ptr [esp+03h] 0x0000006a xchg word ptr [esp], ax 0x0000006e btc ax, dx 0x00000072 pop eax 0x00000073 sub esp, 0Bh 0x00000076 jmp 00007F4481241D24h 0x00000078 push dword ptr [esp+06h] 0x0000007c jnp 00007F4481241D79h 0x0000007e dec dx 0x00000080 lea esp, dword ptr [esp+03h] 0x00000084 jmp 00007F4481241D7Dh 0x00000086 sub cl, bl 0x00000088 xchg eax, edx 0x00000089 mov al, 17h 0x0000008b rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 60476F second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E16A2h 0x00000004 lea esi, dword ptr [esi-000000EAh] 0x0000000a cpuid 0x0000000c pop ebp 0x0000000d sub esp, 16h 0x00000010 jmp 00007F44817E1725h 0x00000015 jns 00007F44817E160Ch 0x00000017 shr cl, 00000000h 0x0000001a mov dword ptr [esp+06h], ecx 0x0000001e lea esp, dword ptr [esp+02h] 0x00000022 add esp, 14h 0x00000025 jnp 00007F44817E169Ch 0x00000027 jp 00007F44817E169Ah 0x00000029 pop ebx 0x0000002a jmp 00007F44817E169Dh 0x0000002c mov dh, ch 0x0000002e mov ax, F563h 0x00000032 mov ch, al 0x00000034 neg si 0x00000037 jmp 00007F44817E16CCh 0x00000039 jbe 00007F44817E163Ah 0x0000003b pop esi 0x0000003c jmp 00007F44817D1A6Dh 0x00000041 mov ebx, edi 0x00000043 mov ax, word ptr [esp] 0x00000047 xchg eax, edx 0x00000048 mov dl, 3Ah 0x0000004a jmp 00007F44817E165Dh 0x0000004c lea eax, dword ptr [edx+edx] 0x0000004f lea edx, dword ptr [ebx-6DA261F9h] 0x00000055 mov dx, bx 0x00000058 sub esp, 14h 0x0000005b jmp 00007F44817E1696h 0x0000005d jo 00007F44817E1696h 0x0000005f mov edx, dword ptr [esp+05h] 0x00000063 pop dx 0x00000065 jmp 00007F44817E1792h 0x0000006a mov dh, 8Ch 0x0000006c lea esp, dword ptr [esp+02h] 0x00000070 jmp 00007F44817E1582h 0x00000075 lea esp, dword ptr [esp+10h] 0x00000079 sub edi, 128A0F11h 0x0000007f jmp 00007F44817E1709h 0x00000084 rcr cx, 0005h 0x00000088 jp 00007F44817E162Dh 0x0000008a shl al, 1 0x0000008c rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 610C59 second address: 60975B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DFAh 0x00000004 mov dh, dl 0x00000006 jmp 00007F448123A8A9h 0x0000000b mov eax, 0B0F4634h 0x00000010 jmp 00007F4481241D36h 0x00000012 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 607B5F second address: 607C62 instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 jmp 00007F44817E16E1h 0x00000007 sub ebp, 02h 0x0000000a jmp 00007F44817E1686h 0x0000000c neg dl 0x0000000e jo 00007F44817E16B3h 0x00000010 mov eax, ecx 0x00000012 xchg edx, eax 0x00000014 mov dh, 4Fh 0x00000016 jmp 00007F44817E17E1h 0x0000001b mov cl, byte ptr [edi] 0x0000001d not dl 0x0000001f bswap edx 0x00000021 setb dl 0x00000024 neg ah 0x00000026 jmp 00007F44817E1580h 0x0000002b jng 00007F44817E171Bh 0x00000031 pushfd 0x00000032 mov al, byte ptr [esp+03h] 0x00000036 xchg word ptr [esp], ax 0x0000003a btc ax, dx 0x0000003e pop eax 0x0000003f sub esp, 0Bh 0x00000042 jmp 00007F44817E1604h 0x00000044 push dword ptr [esp+06h] 0x00000048 jnp 00007F44817E1659h 0x0000004a dec dx 0x0000004c lea esp, dword ptr [esp+03h] 0x00000050 jmp 00007F44817E165Dh 0x00000052 sub cl, bl 0x00000054 xchg eax, edx 0x00000055 mov al, 17h 0x00000057 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 5F4B9A second address: 5F4CDF instructions: 0x00000000 rdtsc 0x00000002 lea ebp, dword ptr [esp] 0x00000005 lea ebx, dword ptr [00000000h+eax*4] 0x0000000c mov bx, B92Bh 0x00000010 setnl dh 0x00000013 jmp 00007F4481241D77h 0x00000015 mov si, ax 0x00000018 jmp 00007F4481241DC8h 0x0000001a sub esp, 000000C0h 0x00000020 jmp 00007F4481241DD7h 0x00000022 mov esi, esp 0x00000024 sub eax, 56CA30D9h 0x00000029 jne 00007F4481241D83h 0x0000002b mov bx, di 0x0000002e jmp 00007F4481241DDBh 0x00000030 lea ebx, dword ptr [ebx-3Bh] 0x00000033 mov ebx, edi 0x00000035 mov ax, word ptr [esp] 0x00000039 xchg eax, edx 0x0000003a mov dl, 3Ah 0x0000003c jmp 00007F4481241D7Dh 0x0000003e lea eax, dword ptr [edx+edx] 0x00000041 lea edx, dword ptr [ebx-6DA261F9h] 0x00000047 mov dx, bx 0x0000004a sub esp, 14h 0x0000004d jmp 00007F4481241DB6h 0x0000004f jo 00007F4481241DB6h 0x00000051 mov edx, dword ptr [esp+05h] 0x00000055 pop dx 0x00000057 jmp 00007F4481241EB2h 0x0000005c mov dh, 8Ch 0x0000005e lea esp, dword ptr [esp+02h] 0x00000062 jmp 00007F4481241CA2h 0x00000067 lea esp, dword ptr [esp+10h] 0x0000006b sub edi, 128A0F11h 0x00000071 jmp 00007F4481241E29h 0x00000076 rcr cx, 0005h 0x0000007a jp 00007F4481241D4Dh 0x0000007c shl al, 1 0x0000007e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6068A9 second address: 60687C instructions: 0x00000000 rdtsc 0x00000002 sub cx, bx 0x00000005 jmp 00007F44817E164Ah 0x00000007 mov dx, word ptr [esp] 0x0000000b rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 606B01 second address: 606B35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DB2h 0x00000004 lea esp, dword ptr [esp+03h] 0x00000008 jmp 00007F4481241DB8h 0x0000000a rol cx, 0000h 0x0000000e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 606B35 second address: 606C59 instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [00000000h+ebp*4] 0x00000009 mov eax, edx 0x0000000b jmp 00007F44817E16BDh 0x0000000d mov eax, edx 0x0000000f lea esp, dword ptr [esp+04h] 0x00000013 not cx 0x00000016 rcl ah, cl 0x00000018 jnp 00007F44817E163Ah 0x0000001a jmp 00007F44817E16A5h 0x0000001c mov dl, cl 0x0000001e cmc 0x0000001f sub edx, ebx 0x00000021 jmp 00007F44817E1658h 0x00000023 add cx, 46A5h 0x00000028 mov dl, byte ptr [esp] 0x0000002b xor edx, AB5782EBh 0x00000031 jmp 00007F44817E16FCh 0x00000033 jne 00007F44817E1643h 0x00000035 mov dh, 44h 0x00000037 mov dx, BF5Ch 0x0000003b call 00007F44817E16A1h 0x00000040 lea eax, dword ptr [ebx+ebp] 0x00000043 jmp 00007F44817E1661h 0x00000045 lea esp, dword ptr [esp+04h] 0x00000049 xor cx, EF15h 0x0000004e lea eax, dword ptr [esi-0000C2B9h] 0x00000054 mov al, ah 0x00000056 jmp 00007F44817E16ABh 0x00000058 pushfd 0x00000059 mov dl, bh 0x0000005b xchg byte ptr [esp], al 0x0000005e bsf edx, esp 0x00000061 jne 00007F44817E16B6h 0x00000063 mov dword ptr [esp], ecx 0x00000066 jmp 00007F44817E16B9h 0x00000068 lea esp, dword ptr [esp+04h] 0x0000006c inc cx 0x0000006e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 606C59 second address: 606C5B instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 64C1E3 second address: 64C2CE instructions: 0x00000000 rdtsc 0x00000002 btr ebx, ebx 0x00000005 jno 00007F44817E16AFh 0x00000007 cmc 0x00000008 jmp 00007F44817E1669h 0x0000000a mov ebx, 1F08C55Dh 0x0000000f jmp 00007F44817E1694h 0x00000011 sub ebp, 08h 0x00000014 setns bl 0x00000017 sub esp, 1Ch 0x0000001a jmp 00007F44817E16CCh 0x0000001c jns 00007F44817E163Ah 0x0000001e pop dword ptr [esp+11h] 0x00000022 mov bh, byte ptr [esp+14h] 0x00000026 jmp 00007F44817E16A8h 0x00000028 mov dword ptr [ebp+00h], edx 0x0000002b mov dx, E17Ah 0x0000002f mov edx, 6E64272Bh 0x00000034 sub esp, 18h 0x00000037 jmp 00007F44817E1734h 0x0000003c ja 00007F44817E1712h 0x00000042 mov edx, dword ptr [esp+0Eh] 0x00000046 mov dword ptr [ebp+04h], eax 0x00000049 mov eax, ebp 0x0000004b jmp 00007F44817E1597h 0x00000050 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 5E4613 second address: 5E47B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov byte ptr [esp+0Fh], ah 0x00000007 jmp 00007F4481241DEBh 0x00000009 sub ebp, 08h 0x0000000c call 00007F4481241D87h 0x00000011 push word ptr [esp+02h] 0x00000016 jnl 00007F4481241DD7h 0x00000018 lea esp, dword ptr [esp+02h] 0x0000001c jmp 00007F4481241D7Eh 0x0000001e mov dword ptr [ebp+00h], edx 0x00000021 lea edx, dword ptr [00000000h+ebx*4] 0x00000028 clc 0x00000029 js 00007F4481241DCDh 0x0000002b xchg dl, dh 0x0000002d jmp 00007F4481241E1Eh 0x0000002f xchg eax, ecx 0x00000030 mov dx, 7D53h 0x00000034 bswap edx 0x00000036 mov dh, dl 0x00000038 jmp 00007F4481241D7Ch 0x0000003a mov dword ptr [ebp+04h], ecx 0x0000003d lea edx, dword ptr [eax+ecx] 0x00000040 dec ecx 0x00000041 jno 00007F4481241D83h 0x00000043 mov cl, 71h 0x00000045 jmp 00007F4481241DEEh 0x00000047 jmp 00007F4481241E2Ah 0x0000004c mov ecx, dword ptr [esp] 0x0000004f bswap eax 0x00000051 lea ecx, dword ptr [esi+50h] 0x00000054 bt ax, di 0x00000058 jnp 00007F4481241D65h 0x0000005a mov ax, 5EB0h 0x0000005e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 606615 second address: 6065B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E161Fh 0x00000004 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 60DA0E second address: 60DADB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241D73h 0x00000004 lea eax, dword ptr [00000000h+eax*4] 0x0000000b lea eax, dword ptr [00000000h+eax*4] 0x00000012 jmp 00007F4481241DC1h 0x00000014 ror bx, 0000h 0x00000018 mov dh, byte ptr [esp] 0x0000001b mov ax, word ptr [esp] 0x0000001f neg ax 0x00000022 jl 00007F4481242C6Fh 0x00000028 mov ax, 9EF1h 0x0000002c xchg dx, ax 0x0000002f mov dh, 93h 0x00000031 jmp 00007F4481241DEBh 0x00000033 mov dx, DA80h 0x00000037 jmp 00007F4481241E2Dh 0x0000003c inc bx 0x0000003e btc edx, edx 0x00000041 jnc 00007F4481241D63h 0x00000043 setb al 0x00000046 not dh 0x00000048 bt edx, eax 0x0000004b rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 655636 second address: 655647 instructions: 0x00000000 rdtsc 0x00000002 shr cx, cl 0x00000005 jl 00007F44817E1665h 0x00000007 jnl 00007F44817E168Ah 0x00000009 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 60F361 second address: 60F346 instructions: 0x00000000 rdtsc 0x00000002 xchg dword ptr [esp], ebp 0x00000005 mov dx, 0278h 0x00000009 jmp 00007F4481241D79h 0x0000000b neg ax 0x0000000e rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 659584 second address: 62E2AD instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+18h], ebx 0x00000006 jmp 00007F44817E1686h 0x00000008 lea esp, dword ptr [esp+04h] 0x0000000c popad 0x0000000d lea ecx, dword ptr [ecx-56ECA26Eh] 0x00000013 mov ecx, 9F0203F6h 0x00000018 lea ecx, dword ptr [esp+edi] 0x0000001b call 00007F44817E16A8h 0x00000020 jmp 00007F44817E166Ah 0x00000022 lea esp, dword ptr [esp+04h] 0x00000026 lea ecx, dword ptr [esp+74h] 0x0000002a jmp 00007F44817E1690h 0x0000002c call 00007F448178778Ch 0x00000031 jmp 00007F44817C5DEEh 0x00000036 jmp 00007F44817E1654h 0x0000003b jmp 00007F44817FE1C9h 0x00000040 push esi 0x00000041 jmp 00007F448180EFBFh 0x00000046 pushad 0x00000047 lea ebp, dword ptr [ebp+25A1C75Dh] 0x0000004d not ebx 0x0000004f rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 656379 second address: 65661E instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [ebx+000000B6h] 0x00000008 call 00007F4481241E3Bh 0x0000000d mov edx, dword ptr [ebp+00h] 0x00000010 neg ebx 0x00000012 jnc 00007F4481241E25h 0x00000018 lea eax, dword ptr [00000000h+esi*4] 0x0000001f jmp 00007F4481241EB7h 0x00000024 lea ebx, dword ptr [00000000h+edi*4] 0x0000002b xchg ah, al 0x0000002d jmp 00007F4481241D81h 0x0000002f add ebp, 02h 0x00000032 shl bx, cl 0x00000035 jo 00007F4481241E7Ah 0x0000003b bsf ax, si 0x0000003f jmp 00007F4481241DCEh 0x00000041 sub esp, 05h 0x00000044 cmc 0x00000045 lea esp, dword ptr [esp+01h] 0x00000049 jmp 00007F4481241DCAh 0x0000004b jmp 00007F4481241D78h 0x0000004d mov al, byte ptr [edx] 0x00000050 mov dx, cx 0x00000053 xchg dh, dl 0x00000055 bsr edx, edi 0x00000058 jns 00007F4481241DD5h 0x0000005a mov bh, byte ptr [esp] 0x0000005d mov word ptr [ebp+00h], ax 0x00000061 dec dx 0x00000063 jnbe 00007F4481241DBCh 0x00000065 rol dx, 0007h 0x00000069 call 00007F4481241DD5h 0x0000006e mov edx, dword ptr [esp] 0x00000071 shl edx, 1 0x00000073 mov bx, 859Dh 0x00000077 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 65661E second address: 656620 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 637B15 second address: 637B2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4481241DB4h 0x00000004 pushfd 0x00000005 pop dword ptr [ebp+00h] 0x00000008 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 607F6E second address: 608024 instructions: 0x00000000 rdtsc 0x00000002 call 00007F44817E1665h 0x00000007 mov dh, ah 0x00000009 mov edx, dword ptr [esp+01h] 0x0000000d push dword ptr [esp+24h] 0x00000011 retn 0028h 0x00000014 bt edx, ecx 0x00000017 btr ax, si 0x0000001b setl dh 0x0000001e jmp 00007F44817E16F6h 0x00000020 not cl 0x00000022 not dx 0x00000025 lea edx, dword ptr [00000000h+edx*4] 0x0000002c push bx 0x0000002e bsr dx, si 0x00000032 jbe 00007F44817E15FAh 0x00000038 pop dx 0x0000003a jmp 00007F44817E169Ah 0x0000003c add cl, FFFFFFA5h 0x0000003f bts dx, sp 0x00000043 jmp 00007F44817E16A8h 0x00000045 jc 00007F44817E165Eh 0x00000047 inc dl 0x00000049 xchg dx, ax 0x0000004c mov al, byte ptr [esp] 0x0000004f clc 0x00000050 not dx 0x00000053 mov ax, si 0x00000056 jmp 00007F44817E16A9h 0x00000058 xor cl, 00000015h 0x0000005b bswap edx 0x0000005d adc ax, dx 0x00000060 jns 00007F44817E16B4h 0x00000062 js 00007F44817E169Ch 0x00000064 pushfd 0x00000065 mov dword ptr [esp], ebx 0x00000068 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 657A01 second address: 658F1B instructions: 0x00000000 rdtsc 0x00000002 rcr bh, cl 0x00000004 mov bh, byte ptr [esp] 0x00000007 xchg dword ptr [esp], edi 0x0000000a jmp 00007F44812432ADh 0x0000000f mov dl, byte ptr [esp] 0x00000012 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 5E245C second address: 60B3EC instructions: 0x00000000 rdtsc 0x00000002 mov bx, 4BB0h 0x00000006 mov bx, si 0x00000009 btr bx, dx 0x0000000d jmp 00007F4481817380h 0x00000012 jnl 00007F44817AB99Fh 0x00000018 lea ebx, dword ptr [00000000h+esi*4] 0x0000001f jmp 00007F448181738Dh 0x00000024 sub ebp, 08h 0x00000027 push esp 0x00000028 mov dword ptr [ebp+00h], edx 0x0000002b mov dx, word ptr [esp] 0x0000002f jmp 00007F44817E165Fh 0x00000031 or edx, esi 0x00000033 jbe 00007F44817E16CBh 0x00000035 mov edx, eax 0x00000037 sub esp, 1Ch 0x0000003a jmp 00007F44817E16ADh 0x0000003c mov dword ptr [ebp+04h], eax 0x0000003f and dl, ah 0x00000041 jnl 00007F44817E16AFh 0x00000043 bswap ebx 0x00000045 mov al, 8Eh 0x00000047 jmp 00007F44817D4892h 0x0000004c mov ax, word ptr [esp] 0x00000050 bsr ebx, edx 0x00000053 jp 00007F44817E1663h 0x00000055 btc ax, cx 0x00000059 jmp 00007F44817E16A5h 0x0000005b rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 618AF6 second address: 618B68 instructions: 0x00000000 rdtsc 0x00000002 push dword ptr [esp] 0x00000005 retn 0004h 0x00000008 mov ecx, dword ptr [ebp+00h] 0x0000000b lea eax, dword ptr [ebx+ebp] 0x0000000e bts dx, di 0x00000012 jmp 00007F4481241E42h 0x00000017 jle 00007F4481241DFDh 0x00000019 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 640208 second address: 64036F instructions: 0x00000000 rdtsc 0x00000002 call 00007F44817E1771h 0x00000007 mov dx, word ptr [esp] 0x0000000b call 00007F44817E1666h 0x00000010 mov dl, ah 0x00000012 mov dword ptr [esp], ebx 0x00000015 xchg dword ptr [esp+04h], ebx 0x00000019 sub esp, 14h 0x0000001c jmp 00007F44817E176Fh 0x00000021 push ebx 0x00000022 mov ah, 64h 0x00000024 lea ebx, dword ptr [ebx+4Fh] 0x00000027 mov dx, ax 0x0000002a stc 0x0000002b stc 0x0000002c jmp 00007F44817E15FDh 0x00000031 pushad 0x00000032 xchg ax, dx 0x00000034 xchg dword ptr [esp+3Ch], ebx 0x00000038 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 64075D second address: 60975B instructions: 0x00000000 rdtsc 0x00000002 call 00007F4481241D75h 0x00000007 jmp 00007F4481241E06h 0x00000009 mov al, F0h 0x0000000b mov word ptr [ebp+00h], bx 0x0000000f not eax 0x00000011 rcr bx, 000Ah 0x00000015 jns 00007F4481241D7Eh 0x00000017 jmp 00007F4481241E37h 0x0000001c bsr eax, ebx 0x0000001f sub esp, 0Fh 0x00000022 lea esp, dword ptr [esp+03h] 0x00000026 jmp 00007F448120AD3Bh 0x0000002b mov eax, 0B0F4634h 0x00000030 jmp 00007F4481241D36h 0x00000032 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 64023B second address: 640256 instructions: 0x00000000 rdtsc 0x00000002 xchg dx, ax 0x00000005 mov eax, 1BA171EFh 0x0000000a mov ax, A249h 0x0000000e jmp 00007F44817E16DDh 0x00000010 lea eax, dword ptr [ebx-0000BE75h] 0x00000016 xchg dword ptr [esp], eax 0x00000019 sub esp, 01h 0x0000001c setle dh 0x0000001f mov dl, 2Dh 0x00000021 mov dx, bx 0x00000024 jmp 00007F44817E1656h 0x00000026 sub esp, 0Ah 0x00000029 lea esp, dword ptr [esp+03h] 0x0000002d lea eax, dword ptr [eax+25h] 0x00000030 mov edx, esi 0x00000032 xchg dh, dl 0x00000034 xchg dh, dl 0x00000036 jmp 00007F44817E189Ah 0x0000003b lea edx, dword ptr [00000000h+eax*4] 0x00000042 mov dh, byte ptr [esp] 0x00000045 xchg dword ptr [esp+08h], eax 0x00000049 mov eax, dword ptr [esp] 0x0000004c setbe dl 0x0000004f dec dx 0x00000051 jmp 00007F44817E15C9h 0x00000056 clc 0x00000057 push dword ptr [esp+08h] 0x0000005b retn 000Ch 0x0000005e setnle al 0x00000061 xchg al, dh 0x00000063 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 641F54 second address: 641F54 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+1Ch], ecx 0x00000006 jmp 00007F4481241CB1h 0x0000000b cmc 0x0000000c popad 0x0000000d cmc 0x0000000e cmc 0x0000000f shr eax, 10h 0x00000012 call 00007F4481241D83h 0x00000017 jmp 00007F4481241DF7h 0x00000019 lea esp, dword ptr [esp+14h] 0x0000001d test ax, ax 0x00000020 pushad 0x00000021 lea esp, dword ptr [esp+20h] 0x00000025 jmp 00007F4481241D75h 0x00000027 je 00007F4481241C98h 0x0000002d push sp 0x0000002f lea esp, dword ptr [esp+02h] 0x00000033 jmp 00007F4481241F24h 0x00000038 inc edx 0x00000039 inc edx 0x0000003a dec esi 0x0000003b jmp 00007F4481241D87h 0x0000003d jne 00007F4481241C58h 0x00000043 setb ah 0x00000046 jmp 00007F4481241DE7h 0x00000048 setnle al 0x0000004b mov ax, word ptr [esp] 0x0000004f movzx eax, word ptr [edx] 0x00000052 push ecx 0x00000053 stc 0x00000054 jmp 00007F4481241DCFh 0x00000056 mov byte ptr [esp+02h], cl 0x0000005a jmp 00007F4481241D86h 0x0000005c add ecx, eax 0x0000005e sub esp, 0Eh 0x00000061 mov eax, AE848F68h 0x00000066 lea esp, dword ptr [esp+02h] 0x0000006a jmp 00007F4481241EBDh 0x0000006f pushad 0x00000070 mov ebp, E723975Fh 0x00000075 lea ebp, dword ptr [ecx+edi] 0x00000078 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 6575F5 second address: 63E5D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44817E15EBh 0x00000007 inc edi 0x00000008 setnle al 0x0000000b lea edx, dword ptr [eax+ecx] 0x0000000e mov dx, bp 0x00000011 jmp 00007F44817E16BAh 0x00000013 mov dx, word ptr [ebx+esi] 0x00000017 mov bx, word ptr [esp] 0x0000001b cmc 0x0000001c js 00007F44817E1661h 0x0000001e jns 00007F44817E16A0h 0x00000020 lea ebx, dword ptr [ebx+0000E1EEh] 0x00000026 sub ah, ah 0x00000028 jmp 00007F44817E165Ah 0x0000002a mov word ptr [ebp+00h], dx 0x0000002e mov dx, word ptr [esp] 0x00000032 call 00007F44817E1707h 0x00000037 ror edx, 02h 0x0000003a jnbe 00007F44817E164Dh 0x0000003c jbe 00007F44817E1635h 0x0000003e mov bh, al 0x00000040 jmp 00007F44817C866Dh 0x00000045 jmp 00007F44817E1669h 0x00000047 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 63DD4F second address: 63DD85 instructions: 0x00000000 rdtsc 0x00000002 btr ax, cx 0x00000006 xchg edx, eax 0x00000008 bsr dx, dx 0x0000000c lea edx, dword ptr [edx+edi] 0x0000000f push dword ptr [esp+44h] 0x00000013 retn 0048h 0x00000016 movzx ebx, byte ptr [edi] 0x00000019 jmp 00007F4481241E96h 0x0000001e lea eax, dword ptr [edx+6Ch] 0x00000021 sub esp, 06h 0x00000024 jl 00007F4481241CA9h 0x0000002a lea esp, dword ptr [esp+02h] 0x0000002e call 00007F4481241E13h 0x00000033 mov edx, dword ptr [esp] 0x00000036 mov eax, E9CADE55h 0x0000003b bt edx, edi 0x0000003e mov edx, ecx 0x00000040 inc ah 0x00000042 jmp 00007F4481241D3Ah 0x00000044 xchg dword ptr [esp], ebx 0x00000047 lea edx, dword ptr [00000000h+ebx*4] 0x0000004e not dx 0x00000051 bswap edx 0x00000053 lea eax, dword ptr [00000000h+esi*4] 0x0000005a pushad 0x0000005b jmp 00007F4481241D73h 0x0000005d lea ebx, dword ptr [ebx-0000003Dh] 0x00000063 sub esp, 1Ch 0x00000066 mov ax, 7715h 0x0000006a jmp 00007F4481241DD8h 0x0000006c pop word ptr [esp+06h] 0x00000071 lea esp, dword ptr [esp+02h] 0x00000075 xchg byte ptr [esp+0Ch], ah 0x00000079 xchg dword ptr [esp+38h], ebx 0x0000007d not ax 0x00000080 mov dx, si 0x00000083 jmp 00007F4481241D73h 0x00000085 sets dl 0x00000088 xchg ax, dx 0x0000008a push dword ptr [esp+38h] 0x0000008e retn 003Ch 0x00000091 rdtsc
Source: C:\Windows\SysWOW64\Dtldt.exe RDTSC instruction interceptor: First address: 63E26B second address: 63E3C3 instructions: 0x00000000 rdtsc 0x00000002 call 00007F44817E1701h 0x00000007 lea eax, dword ptr [ecx-00006757h] 0x0000000d mov eax, 1C262CCAh 0x00000012 mov ax, word ptr [esp] 0x00000016 call 00007F44817E16B6h 0x0000001b xchg dword ptr [esp+04h], esi 0x0000001f bswap eax 0x00000021 jmp 00007F44817E1686h 0x00000023 bsr eax, ecx 0x00000026 inc ax 0x00000028 mov dx, di 0x0000002b lea esi, dword ptr [esi+00000092h] 0x00000031 shr dh, cl 0x00000033 bswap edx 0x00000035 jmp 00007F44817E16B2h 0x00000037 bswap eax 0x00000039 xchg dword ptr [esp+04h], esi 0x0000003d xchg dl, dh 0x0000003f mov dx, 17B9h 0x00000043 mov ax, cx 0x00000046 mov ah, byte ptr [esp] 0x00000049 jmp 00007F44817E1658h 0x0000004b not eax 0x0000004d push dword ptr [esp+04h] 0x00000051 retn 0008h 0x00000054 shr eax, cl 0x00000056 mov edx, dword ptr [esp] 0x00000059 xchg al, ah 0x0000005b rcr eax, cl 0x0000005d bswap edx 0x0000005f mov dx, F0D0h 0x00000063 xchg ax, dx 0x00000065 jmp 00007F44817E175Eh 0x0000006a ror bl, 00000000h 0x0000006d js 00007F44817E165Dh 0x0000006f lea edx, dword ptr [esi-7Fh] 0x00000072 jmp 00007F44817E1642h 0x00000074 lea edx, dword ptr [24CC2BE0h] 0x0000007a rdtsc
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006C2039 rdtsc 0_2_006C2039
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe API coverage: 3.5 %
Source: C:\Windows\SysWOW64\Dtldt.exe API coverage: 1.9 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1001A4A0 0_2_1001A4A0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_100090A0 FindFirstFileA,FindClose,CloseHandle,CreateFileA, 0_2_100090A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10026300 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose, 0_2_10026300
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10008570 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose, 0_2_10008570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10008740 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_10008740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10008340 GetLogicalDriveStringsA,GetUserNameA,_stricmp,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA, 0_2_10008340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_100170E0 GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,free,free,free,lstrcpyA,lstrcpyA,GetLastInputInfo,GetTickCount,lstrcpyA, 0_2_100170E0
Source: Dtldt.exe, 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Dtldt.exe, 00000003.00000003.2578010973.0000000001543000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\Dtldt.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\Dtldt.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006C2039 rdtsc 0_2_006C2039
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01401053 LdrInitializeThunk, 3_2_01401053
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10014210 BlockInput,BlockInput,InterlockedExchange,BlockInput,InterlockedExchange,InterlockedExchange, 0_2_10014210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10012640 sprintf,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegDeleteKeyA,RegDeleteValueA, 0_2_10012640
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120F122 mov eax, dword ptr fs:[00000030h] 3_2_0120F122
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120F122 mov ecx, dword ptr fs:[00000030h] 3_2_0120F122
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01229132 mov eax, dword ptr fs:[00000030h] 3_2_01229132
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01229132 mov ecx, dword ptr fs:[00000030h] 3_2_01229132
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01241133 mov eax, dword ptr fs:[00000030h] 3_2_01241133
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240103 mov eax, dword ptr fs:[00000030h] 3_2_01240103
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240103 mov eax, dword ptr fs:[00000030h] 3_2_01240103
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C190 mov eax, dword ptr fs:[00000030h] 3_2_0120C190
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C190 mov eax, dword ptr fs:[00000030h] 3_2_0120C190
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012121E5 mov eax, dword ptr fs:[00000030h] 3_2_012121E5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012121E5 mov eax, dword ptr fs:[00000030h] 3_2_012121E5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012121E5 mov eax, dword ptr fs:[00000030h] 3_2_012121E5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012121E5 mov eax, dword ptr fs:[00000030h] 3_2_012121E5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ED1FE mov eax, dword ptr fs:[00000030h] 3_2_011ED1FE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ED1FE mov eax, dword ptr fs:[00000030h] 3_2_011ED1FE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01212019 mov eax, dword ptr fs:[00000030h] 3_2_01212019
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01241066 mov eax, dword ptr fs:[00000030h] 3_2_01241066
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211042 mov eax, dword ptr fs:[00000030h] 3_2_01211042
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211042 mov eax, dword ptr fs:[00000030h] 3_2_01211042
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211042 mov eax, dword ptr fs:[00000030h] 3_2_01211042
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211042 mov eax, dword ptr fs:[00000030h] 3_2_01211042
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012250B6 mov eax, dword ptr fs:[00000030h] 3_2_012250B6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01238088 mov eax, dword ptr fs:[00000030h] 3_2_01238088
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01238088 mov eax, dword ptr fs:[00000030h] 3_2_01238088
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01238088 mov eax, dword ptr fs:[00000030h] 3_2_01238088
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122309E mov ecx, dword ptr fs:[00000030h] 3_2_0122309E
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123D0FC mov eax, dword ptr fs:[00000030h] 3_2_0123D0FC
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123D0FC mov eax, dword ptr fs:[00000030h] 3_2_0123D0FC
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E20C1 mov eax, dword ptr fs:[00000030h] 3_2_011E20C1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012370C4 mov eax, dword ptr fs:[00000030h] 3_2_012370C4
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012370C4 mov eax, dword ptr fs:[00000030h] 3_2_012370C4
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012340D0 mov eax, dword ptr fs:[00000030h] 3_2_012340D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012340D0 mov eax, dword ptr fs:[00000030h] 3_2_012340D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012340D0 mov eax, dword ptr fs:[00000030h] 3_2_012340D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012340D0 mov ecx, dword ptr fs:[00000030h] 3_2_012340D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012340D0 mov eax, dword ptr fs:[00000030h] 3_2_012340D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012340D0 mov ecx, dword ptr fs:[00000030h] 3_2_012340D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220322 mov eax, dword ptr fs:[00000030h] 3_2_01220322
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220322 mov eax, dword ptr fs:[00000030h] 3_2_01220322
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C312 mov eax, dword ptr fs:[00000030h] 3_2_0120C312
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C312 mov eax, dword ptr fs:[00000030h] 3_2_0120C312
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C312 mov eax, dword ptr fs:[00000030h] 3_2_0120C312
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C312 mov eax, dword ptr fs:[00000030h] 3_2_0120C312
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120B365 mov ecx, dword ptr fs:[00000030h] 3_2_0120B365
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120B365 mov eax, dword ptr fs:[00000030h] 3_2_0120B365
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01225342 mov eax, dword ptr fs:[00000030h] 3_2_01225342
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01225342 mov eax, dword ptr fs:[00000030h] 3_2_01225342
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F350 mov eax, dword ptr fs:[00000030h] 3_2_0121F350
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F350 mov eax, dword ptr fs:[00000030h] 3_2_0121F350
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123D354 mov eax, dword ptr fs:[00000030h] 3_2_0123D354
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123D354 mov eax, dword ptr fs:[00000030h] 3_2_0123D354
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B382 mov eax, dword ptr fs:[00000030h] 3_2_0122B382
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B382 mov ecx, dword ptr fs:[00000030h] 3_2_0122B382
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123F391 mov eax, dword ptr fs:[00000030h] 3_2_0123F391
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123F391 mov ecx, dword ptr fs:[00000030h] 3_2_0123F391
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012373F2 mov eax, dword ptr fs:[00000030h] 3_2_012373F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012243DE mov eax, dword ptr fs:[00000030h] 3_2_012243DE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012243DE mov eax, dword ptr fs:[00000030h] 3_2_012243DE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F202 mov eax, dword ptr fs:[00000030h] 3_2_0121F202
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01241200 mov eax, dword ptr fs:[00000030h] 3_2_01241200
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01241200 mov eax, dword ptr fs:[00000030h] 3_2_01241200
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01241200 mov eax, dword ptr fs:[00000030h] 3_2_01241200
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F262 mov eax, dword ptr fs:[00000030h] 3_2_0121F262
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F262 mov eax, dword ptr fs:[00000030h] 3_2_0121F262
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov eax, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov eax, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov ecx, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov eax, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov eax, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov eax, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211282 mov eax, dword ptr fs:[00000030h] 3_2_01211282
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011DD2C9 mov eax, dword ptr fs:[00000030h] 3_2_011DD2C9
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011DD2C9 mov ecx, dword ptr fs:[00000030h] 3_2_011DD2C9
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012202C2 mov eax, dword ptr fs:[00000030h] 3_2_012202C2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01213530 mov eax, dword ptr fs:[00000030h] 3_2_01213530
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01213530 mov eax, dword ptr fs:[00000030h] 3_2_01213530
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120B509 mov ecx, dword ptr fs:[00000030h] 3_2_0120B509
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120B509 mov eax, dword ptr fs:[00000030h] 3_2_0120B509
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01236549 mov eax, dword ptr fs:[00000030h] 3_2_01236549
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211552 mov eax, dword ptr fs:[00000030h] 3_2_01211552
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211552 mov eax, dword ptr fs:[00000030h] 3_2_01211552
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211552 mov eax, dword ptr fs:[00000030h] 3_2_01211552
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211552 mov eax, dword ptr fs:[00000030h] 3_2_01211552
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B596 mov eax, dword ptr fs:[00000030h] 3_2_0122B596
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B596 mov eax, dword ptr fs:[00000030h] 3_2_0122B596
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B596 mov eax, dword ptr fs:[00000030h] 3_2_0122B596
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B596 mov eax, dword ptr fs:[00000030h] 3_2_0122B596
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B596 mov ecx, dword ptr fs:[00000030h] 3_2_0122B596
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FD5A3 mov eax, dword ptr fs:[00000030h] 3_2_011FD5A3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FD5A3 mov eax, dword ptr fs:[00000030h] 3_2_011FD5A3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FD5A3 mov eax, dword ptr fs:[00000030h] 3_2_011FD5A3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220422 mov eax, dword ptr fs:[00000030h] 3_2_01220422
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01237436 mov eax, dword ptr fs:[00000030h] 3_2_01237436
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01237436 mov eax, dword ptr fs:[00000030h] 3_2_01237436
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E1455 mov eax, dword ptr fs:[00000030h] 3_2_011E1455
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E0449 mov eax, dword ptr fs:[00000030h] 3_2_011E0449
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FF478 mov eax, dword ptr fs:[00000030h] 3_2_011FF478
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FF478 mov eax, dword ptr fs:[00000030h] 3_2_011FF478
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FF478 mov eax, dword ptr fs:[00000030h] 3_2_011FF478
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122144D mov eax, dword ptr fs:[00000030h] 3_2_0122144D
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122B4A2 mov eax, dword ptr fs:[00000030h] 3_2_0122B4A2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012214B3 mov eax, dword ptr fs:[00000030h] 3_2_012214B3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012344BC mov eax, dword ptr fs:[00000030h] 3_2_012344BC
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012344BC mov eax, dword ptr fs:[00000030h] 3_2_012344BC
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012344BC mov eax, dword ptr fs:[00000030h] 3_2_012344BC
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01220482 mov eax, dword ptr fs:[00000030h] 3_2_01220482
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E54A3 mov esi, dword ptr fs:[00000030h] 3_2_011E54A3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012264F2 mov ecx, dword ptr fs:[00000030h] 3_2_012264F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E04C8 mov eax, dword ptr fs:[00000030h] 3_2_011E04C8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E04C8 mov eax, dword ptr fs:[00000030h] 3_2_011E04C8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F4D0 mov eax, dword ptr fs:[00000030h] 3_2_0121F4D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F4D0 mov ecx, dword ptr fs:[00000030h] 3_2_0121F4D0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012364DB mov eax, dword ptr fs:[00000030h] 3_2_012364DB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012364DB mov eax, dword ptr fs:[00000030h] 3_2_012364DB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012364DB mov eax, dword ptr fs:[00000030h] 3_2_012364DB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E04E2 mov eax, dword ptr fs:[00000030h] 3_2_011E04E2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E04E2 mov eax, dword ptr fs:[00000030h] 3_2_011E04E2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E1713 mov eax, dword ptr fs:[00000030h] 3_2_011E1713
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E1713 mov eax, dword ptr fs:[00000030h] 3_2_011E1713
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E1713 mov eax, dword ptr fs:[00000030h] 3_2_011E1713
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FE712 mov eax, dword ptr fs:[00000030h] 3_2_011FE712
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FE712 mov eax, dword ptr fs:[00000030h] 3_2_011FE712
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FE712 mov eax, dword ptr fs:[00000030h] 3_2_011FE712
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E574E mov eax, dword ptr fs:[00000030h] 3_2_011E574E
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E574E mov ecx, dword ptr fs:[00000030h] 3_2_011E574E
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01223753 mov eax, dword ptr fs:[00000030h] 3_2_01223753
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01214755 mov eax, dword ptr fs:[00000030h] 3_2_01214755
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01214755 mov eax, dword ptr fs:[00000030h] 3_2_01214755
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012077A2 mov eax, dword ptr fs:[00000030h] 3_2_012077A2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012077A2 mov eax, dword ptr fs:[00000030h] 3_2_012077A2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F782 mov eax, dword ptr fs:[00000030h] 3_2_0121F782
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F782 mov eax, dword ptr fs:[00000030h] 3_2_0121F782
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F782 mov eax, dword ptr fs:[00000030h] 3_2_0121F782
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F782 mov ecx, dword ptr fs:[00000030h] 3_2_0121F782
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FD7B2 mov eax, dword ptr fs:[00000030h] 3_2_011FD7B2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FD7B2 mov ecx, dword ptr fs:[00000030h] 3_2_011FD7B2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FD7B2 mov eax, dword ptr fs:[00000030h] 3_2_011FD7B2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123E7F2 mov ecx, dword ptr fs:[00000030h] 3_2_0123E7F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012247D2 mov eax, dword ptr fs:[00000030h] 3_2_012247D2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012247D2 mov ecx, dword ptr fs:[00000030h] 3_2_012247D2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012347DB mov eax, dword ptr fs:[00000030h] 3_2_012347DB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123B7DA mov eax, dword ptr fs:[00000030h] 3_2_0123B7DA
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF mov eax, dword ptr fs:[00000030h] 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF mov ecx, dword ptr fs:[00000030h] 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF mov eax, dword ptr fs:[00000030h] 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF mov eax, dword ptr fs:[00000030h] 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF mov eax, dword ptr fs:[00000030h] 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012037DF mov eax, dword ptr fs:[00000030h] 3_2_012037DF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01236623 mov eax, dword ptr fs:[00000030h] 3_2_01236623
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C621 mov eax, dword ptr fs:[00000030h] 3_2_0120C621
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C621 mov eax, dword ptr fs:[00000030h] 3_2_0120C621
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C621 mov eax, dword ptr fs:[00000030h] 3_2_0120C621
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C621 mov eax, dword ptr fs:[00000030h] 3_2_0120C621
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123B671 mov eax, dword ptr fs:[00000030h] 3_2_0123B671
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122964C mov eax, dword ptr fs:[00000030h] 3_2_0122964C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122964C mov eax, dword ptr fs:[00000030h] 3_2_0122964C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122964C mov eax, dword ptr fs:[00000030h] 3_2_0122964C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122964C mov eax, dword ptr fs:[00000030h] 3_2_0122964C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122964C mov ecx, dword ptr fs:[00000030h] 3_2_0122964C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122D6A2 mov eax, dword ptr fs:[00000030h] 3_2_0122D6A2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012076AF mov eax, dword ptr fs:[00000030h] 3_2_012076AF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01224682 mov eax, dword ptr fs:[00000030h] 3_2_01224682
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01224682 mov ecx, dword ptr fs:[00000030h] 3_2_01224682
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C689 mov eax, dword ptr fs:[00000030h] 3_2_0120C689
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C689 mov eax, dword ptr fs:[00000030h] 3_2_0120C689
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123468C mov eax, dword ptr fs:[00000030h] 3_2_0123468C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012116EE mov eax, dword ptr fs:[00000030h] 3_2_012116EE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012116EE mov eax, dword ptr fs:[00000030h] 3_2_012116EE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012366FD mov eax, dword ptr fs:[00000030h] 3_2_012366FD
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012036C0 mov eax, dword ptr fs:[00000030h] 3_2_012036C0
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012236C8 mov eax, dword ptr fs:[00000030h] 3_2_012236C8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012236C8 mov eax, dword ptr fs:[00000030h] 3_2_012236C8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012236C8 mov eax, dword ptr fs:[00000030h] 3_2_012236C8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011EC6F2 mov ecx, dword ptr fs:[00000030h] 3_2_011EC6F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C6CF mov eax, dword ptr fs:[00000030h] 3_2_0120C6CF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C6CF mov eax, dword ptr fs:[00000030h] 3_2_0120C6CF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120C6CF mov ecx, dword ptr fs:[00000030h] 3_2_0120C6CF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov ecx, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012286D6 mov eax, dword ptr fs:[00000030h] 3_2_012286D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F6D6 mov eax, dword ptr fs:[00000030h] 3_2_0121F6D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F6D6 mov ecx, dword ptr fs:[00000030h] 3_2_0121F6D6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F931 mov eax, dword ptr fs:[00000030h] 3_2_0121F931
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E6902 mov eax, dword ptr fs:[00000030h] 3_2_011E6902
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0124090F mov eax, dword ptr fs:[00000030h] 3_2_0124090F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0124090F mov eax, dword ptr fs:[00000030h] 3_2_0124090F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0124090F mov eax, dword ptr fs:[00000030h] 3_2_0124090F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0124090F mov eax, dword ptr fs:[00000030h] 3_2_0124090F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211912 mov eax, dword ptr fs:[00000030h] 3_2_01211912
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123696C mov eax, dword ptr fs:[00000030h] 3_2_0123696C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121E9AF mov eax, dword ptr fs:[00000030h] 3_2_0121E9AF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121E9AF mov eax, dword ptr fs:[00000030h] 3_2_0121E9AF
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121F9B6 mov eax, dword ptr fs:[00000030h] 3_2_0121F9B6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FE982 mov eax, dword ptr fs:[00000030h] 3_2_011FE982
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FE982 mov ecx, dword ptr fs:[00000030h] 3_2_011FE982
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FE982 mov eax, dword ptr fs:[00000030h] 3_2_011FE982
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121D9D8 mov eax, dword ptr fs:[00000030h] 3_2_0121D9D8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122D822 mov eax, dword ptr fs:[00000030h] 3_2_0122D822
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240822 mov eax, dword ptr fs:[00000030h] 3_2_01240822
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240822 mov eax, dword ptr fs:[00000030h] 3_2_01240822
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123F82F mov eax, dword ptr fs:[00000030h] 3_2_0123F82F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211862 mov eax, dword ptr fs:[00000030h] 3_2_01211862
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121D862 mov eax, dword ptr fs:[00000030h] 3_2_0121D862
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01204873 mov eax, dword ptr fs:[00000030h] 3_2_01204873
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01204873 mov eax, dword ptr fs:[00000030h] 3_2_01204873
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01204873 mov eax, dword ptr fs:[00000030h] 3_2_01204873
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01204873 mov eax, dword ptr fs:[00000030h] 3_2_01204873
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01204873 mov eax, dword ptr fs:[00000030h] 3_2_01204873
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FF882 mov eax, dword ptr fs:[00000030h] 3_2_011FF882
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012368BE mov eax, dword ptr fs:[00000030h] 3_2_012368BE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012368BE mov eax, dword ptr fs:[00000030h] 3_2_012368BE
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122D892 mov eax, dword ptr fs:[00000030h] 3_2_0122D892
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121D89C mov eax, dword ptr fs:[00000030h] 3_2_0121D89C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122A8F2 mov eax, dword ptr fs:[00000030h] 3_2_0122A8F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122A8F2 mov eax, dword ptr fs:[00000030h] 3_2_0122A8F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122A8F2 mov eax, dword ptr fs:[00000030h] 3_2_0122A8F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122A8F2 mov eax, dword ptr fs:[00000030h] 3_2_0122A8F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122A8F2 mov eax, dword ptr fs:[00000030h] 3_2_0122A8F2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012108C2 mov eax, dword ptr fs:[00000030h] 3_2_012108C2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012108C2 mov eax, dword ptr fs:[00000030h] 3_2_012108C2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012108C2 mov eax, dword ptr fs:[00000030h] 3_2_012108C2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_012108C2 mov eax, dword ptr fs:[00000030h] 3_2_012108C2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011EBB1D mov eax, dword ptr fs:[00000030h] 3_2_011EBB1D
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01236B2A mov eax, dword ptr fs:[00000030h] 3_2_01236B2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01236B2A mov eax, dword ptr fs:[00000030h] 3_2_01236B2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011DDB30 mov eax, dword ptr fs:[00000030h] 3_2_011DDB30
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01207B10 mov eax, dword ptr fs:[00000030h] 3_2_01207B10
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01207B10 mov eax, dword ptr fs:[00000030h] 3_2_01207B10
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121DB63 mov eax, dword ptr fs:[00000030h] 3_2_0121DB63
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121DB63 mov eax, dword ptr fs:[00000030h] 3_2_0121DB63
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123BB6A mov eax, dword ptr fs:[00000030h] 3_2_0123BB6A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123BB6A mov eax, dword ptr fs:[00000030h] 3_2_0123BB6A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240B7B mov eax, dword ptr fs:[00000030h] 3_2_01240B7B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240B7B mov eax, dword ptr fs:[00000030h] 3_2_01240B7B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01228B42 mov ecx, dword ptr fs:[00000030h] 3_2_01228B42
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210B42 mov eax, dword ptr fs:[00000030h] 3_2_01210B42
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210B42 mov eax, dword ptr fs:[00000030h] 3_2_01210B42
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01215B42 mov eax, dword ptr fs:[00000030h] 3_2_01215B42
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01224BA2 mov eax, dword ptr fs:[00000030h] 3_2_01224BA2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01224BA2 mov ecx, dword ptr fs:[00000030h] 3_2_01224BA2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01238BB3 mov eax, dword ptr fs:[00000030h] 3_2_01238BB3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120EBB7 mov eax, dword ptr fs:[00000030h] 3_2_0120EBB7
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ECBDC mov eax, dword ptr fs:[00000030h] 3_2_011ECBDC
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122ABD8 mov eax, dword ptr fs:[00000030h] 3_2_0122ABD8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ECA3F mov eax, dword ptr fs:[00000030h] 3_2_011ECA3F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ECA3F mov ecx, dword ptr fs:[00000030h] 3_2_011ECA3F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ECA3F mov eax, dword ptr fs:[00000030h] 3_2_011ECA3F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123FA11 mov eax, dword ptr fs:[00000030h] 3_2_0123FA11
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123FA11 mov eax, dword ptr fs:[00000030h] 3_2_0123FA11
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E4A22 mov eax, dword ptr fs:[00000030h] 3_2_011E4A22
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011E4A22 mov ecx, dword ptr fs:[00000030h] 3_2_011E4A22
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CA71 mov eax, dword ptr fs:[00000030h] 3_2_0122CA71
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121DA77 mov eax, dword ptr fs:[00000030h] 3_2_0121DA77
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121DA77 mov ecx, dword ptr fs:[00000030h] 3_2_0121DA77
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01224A52 mov eax, dword ptr fs:[00000030h] 3_2_01224A52
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01224A52 mov ecx, dword ptr fs:[00000030h] 3_2_01224A52
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240AA5 mov eax, dword ptr fs:[00000030h] 3_2_01240AA5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240AA5 mov eax, dword ptr fs:[00000030h] 3_2_01240AA5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01219AB6 mov eax, dword ptr fs:[00000030h] 3_2_01219AB6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01219AB6 mov ecx, dword ptr fs:[00000030h] 3_2_01219AB6
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123CA86 mov eax, dword ptr fs:[00000030h] 3_2_0123CA86
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123CA86 mov eax, dword ptr fs:[00000030h] 3_2_0123CA86
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123CA86 mov eax, dword ptr fs:[00000030h] 3_2_0123CA86
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123CA86 mov eax, dword ptr fs:[00000030h] 3_2_0123CA86
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121FA94 mov eax, dword ptr fs:[00000030h] 3_2_0121FA94
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121FA94 mov eax, dword ptr fs:[00000030h] 3_2_0121FA94
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122DAC2 mov eax, dword ptr fs:[00000030h] 3_2_0122DAC2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122CD2A mov eax, dword ptr fs:[00000030h] 3_2_0122CD2A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121ED32 mov eax, dword ptr fs:[00000030h] 3_2_0121ED32
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h] 3_2_01210D12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h] 3_2_01210D12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h] 3_2_01210D12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210D12 mov ecx, dword ptr fs:[00000030h] 3_2_01210D12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h] 3_2_01210D12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h] 3_2_01210D12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h] 3_2_01210D12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h] 3_2_01210D12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01210D12 mov eax, dword ptr fs:[00000030h] 3_2_01210D12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121ED72 mov eax, dword ptr fs:[00000030h] 3_2_0121ED72
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123DDB4 mov eax, dword ptr fs:[00000030h] 3_2_0123DDB4
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120CDF9 mov eax, dword ptr fs:[00000030h] 3_2_0120CDF9
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120CDF9 mov eax, dword ptr fs:[00000030h] 3_2_0120CDF9
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120CDF9 mov eax, dword ptr fs:[00000030h] 3_2_0120CDF9
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240DF8 mov eax, dword ptr fs:[00000030h] 3_2_01240DF8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240DF8 mov eax, dword ptr fs:[00000030h] 3_2_01240DF8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240DF8 mov eax, dword ptr fs:[00000030h] 3_2_01240DF8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01240DF8 mov eax, dword ptr fs:[00000030h] 3_2_01240DF8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121EC32 mov eax, dword ptr fs:[00000030h] 3_2_0121EC32
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01229C02 mov ecx, dword ptr fs:[00000030h] 3_2_01229C02
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122DC02 mov eax, dword ptr fs:[00000030h] 3_2_0122DC02
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123EC12 mov eax, dword ptr fs:[00000030h] 3_2_0123EC12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123EC12 mov ecx, dword ptr fs:[00000030h] 3_2_0123EC12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120CC6F mov eax, dword ptr fs:[00000030h] 3_2_0120CC6F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120CC6F mov eax, dword ptr fs:[00000030h] 3_2_0120CC6F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120CC6F mov ecx, dword ptr fs:[00000030h] 3_2_0120CC6F
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01229C42 mov eax, dword ptr fs:[00000030h] 3_2_01229C42
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011DDC82 mov eax, dword ptr fs:[00000030h] 3_2_011DDC82
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011DDC82 mov eax, dword ptr fs:[00000030h] 3_2_011DDC82
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011DDC82 mov eax, dword ptr fs:[00000030h] 3_2_011DDC82
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011DDC82 mov eax, dword ptr fs:[00000030h] 3_2_011DDC82
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120DC82 mov eax, dword ptr fs:[00000030h] 3_2_0120DC82
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120DC82 mov eax, dword ptr fs:[00000030h] 3_2_0120DC82
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120DC82 mov eax, dword ptr fs:[00000030h] 3_2_0120DC82
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120DC82 mov eax, dword ptr fs:[00000030h] 3_2_0120DC82
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01233CE7 mov eax, dword ptr fs:[00000030h] 3_2_01233CE7
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01233CE7 mov eax, dword ptr fs:[00000030h] 3_2_01233CE7
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01229CD2 mov ecx, dword ptr fs:[00000030h] 3_2_01229CD2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123CCD8 mov eax, dword ptr fs:[00000030h] 3_2_0123CCD8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123CCD8 mov eax, dword ptr fs:[00000030h] 3_2_0123CCD8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121FF22 mov eax, dword ptr fs:[00000030h] 3_2_0121FF22
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121FF22 mov eax, dword ptr fs:[00000030h] 3_2_0121FF22
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122DF3E mov eax, dword ptr fs:[00000030h] 3_2_0122DF3E
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FDF32 mov eax, dword ptr fs:[00000030h] 3_2_011FDF32
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011FDF32 mov ecx, dword ptr fs:[00000030h] 3_2_011FDF32
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01211F12 mov eax, dword ptr fs:[00000030h] 3_2_01211F12
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01228F63 mov eax, dword ptr fs:[00000030h] 3_2_01228F63
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01228F63 mov ecx, dword ptr fs:[00000030h] 3_2_01228F63
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01202F62 mov eax, dword ptr fs:[00000030h] 3_2_01202F62
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ECF59 mov eax, dword ptr fs:[00000030h] 3_2_011ECF59
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_011ECF59 mov eax, dword ptr fs:[00000030h] 3_2_011ECF59
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123CF6B mov eax, dword ptr fs:[00000030h] 3_2_0123CF6B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122BF6B mov eax, dword ptr fs:[00000030h] 3_2_0122BF6B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122BF6B mov eax, dword ptr fs:[00000030h] 3_2_0122BF6B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122BF6B mov eax, dword ptr fs:[00000030h] 3_2_0122BF6B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122BF6B mov eax, dword ptr fs:[00000030h] 3_2_0122BF6B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0122BF6B mov ecx, dword ptr fs:[00000030h] 3_2_0122BF6B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123FF7A mov eax, dword ptr fs:[00000030h] 3_2_0123FF7A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123FF7A mov eax, dword ptr fs:[00000030h] 3_2_0123FF7A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01223FB4 mov eax, dword ptr fs:[00000030h] 3_2_01223FB4
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01223FB4 mov eax, dword ptr fs:[00000030h] 3_2_01223FB4
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01223FB4 mov eax, dword ptr fs:[00000030h] 3_2_01223FB4
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120BFBA mov eax, dword ptr fs:[00000030h] 3_2_0120BFBA
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120BFBA mov eax, dword ptr fs:[00000030h] 3_2_0120BFBA
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120BFBA mov eax, dword ptr fs:[00000030h] 3_2_0120BFBA
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120BFBA mov eax, dword ptr fs:[00000030h] 3_2_0120BFBA
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01204FE1 mov ecx, dword ptr fs:[00000030h] 3_2_01204FE1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01204FE1 mov eax, dword ptr fs:[00000030h] 3_2_01204FE1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01236FE5 mov eax, dword ptr fs:[00000030h] 3_2_01236FE5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01236FE5 mov eax, dword ptr fs:[00000030h] 3_2_01236FE5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121FFD2 mov eax, dword ptr fs:[00000030h] 3_2_0121FFD2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0121FFD2 mov eax, dword ptr fs:[00000030h] 3_2_0121FFD2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01232E79 mov eax, dword ptr fs:[00000030h] 3_2_01232E79
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01232E79 mov ecx, dword ptr fs:[00000030h] 3_2_01232E79
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123FE4C mov eax, dword ptr fs:[00000030h] 3_2_0123FE4C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120EEA2 mov eax, dword ptr fs:[00000030h] 3_2_0120EEA2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120EEA2 mov ecx, dword ptr fs:[00000030h] 3_2_0120EEA2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120DEB2 mov eax, dword ptr fs:[00000030h] 3_2_0120DEB2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120DEB2 mov eax, dword ptr fs:[00000030h] 3_2_0120DEB2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0120DEB2 mov eax, dword ptr fs:[00000030h] 3_2_0120DEB2
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01227E82 mov eax, dword ptr fs:[00000030h] 3_2_01227E82
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01227E82 mov eax, dword ptr fs:[00000030h] 3_2_01227E82
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123CE89 mov eax, dword ptr fs:[00000030h] 3_2_0123CE89
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0123AE90 mov eax, dword ptr fs:[00000030h] 3_2_0123AE90
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01237E96 mov eax, dword ptr fs:[00000030h] 3_2_01237E96
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov ecx, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov ecx, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov ecx, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov ecx, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D5163 mov eax, dword ptr fs:[00000030h] 3_2_013D5163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013CE5D8 mov eax, dword ptr fs:[00000030h] 3_2_013CE5D8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013CE5D8 mov eax, dword ptr fs:[00000030h] 3_2_013CE5D8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013CE5D8 mov eax, dword ptr fs:[00000030h] 3_2_013CE5D8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013CE5D8 mov eax, dword ptr fs:[00000030h] 3_2_013CE5D8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013CE5D8 mov eax, dword ptr fs:[00000030h] 3_2_013CE5D8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013CE5D8 mov eax, dword ptr fs:[00000030h] 3_2_013CE5D8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov ecx, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov ecx, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov ecx, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov ecx, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov ecx, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov ecx, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D1DE3 mov eax, dword ptr fs:[00000030h] 3_2_013D1DE3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0145614B mov eax, dword ptr fs:[00000030h] 3_2_0145614B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0148415B mov eax, dword ptr fs:[00000030h] 3_2_0148415B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0148415B mov ecx, dword ptr fs:[00000030h] 3_2_0148415B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0143B163 mov eax, dword ptr fs:[00000030h] 3_2_0143B163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0143B163 mov eax, dword ptr fs:[00000030h] 3_2_0143B163
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013EA116 mov eax, dword ptr fs:[00000030h] 3_2_013EA116
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0149317C mov eax, dword ptr fs:[00000030h] 3_2_0149317C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01465101 mov ebx, dword ptr fs:[00000030h] 3_2_01465101
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01465101 mov eax, dword ptr fs:[00000030h] 3_2_01465101
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01493103 mov eax, dword ptr fs:[00000030h] 3_2_01493103
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0143B113 mov ecx, dword ptr fs:[00000030h] 3_2_0143B113
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0143F111 mov eax, dword ptr fs:[00000030h] 3_2_0143F111
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0144B123 mov eax, dword ptr fs:[00000030h] 3_2_0144B123
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0144B123 mov eax, dword ptr fs:[00000030h] 3_2_0144B123
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014951C3 mov eax, dword ptr fs:[00000030h] 3_2_014951C3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014511E3 mov eax, dword ptr fs:[00000030h] 3_2_014511E3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014511E3 mov eax, dword ptr fs:[00000030h] 3_2_014511E3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014511E3 mov eax, dword ptr fs:[00000030h] 3_2_014511E3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013BA193 mov eax, dword ptr fs:[00000030h] 3_2_013BA193
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013C618C mov eax, dword ptr fs:[00000030h] 3_2_013C618C
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014931F5 mov eax, dword ptr fs:[00000030h] 3_2_014931F5
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013B8186 mov ecx, dword ptr fs:[00000030h] 3_2_013B8186
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014561FB mov eax, dword ptr fs:[00000030h] 3_2_014561FB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01440181 mov eax, dword ptr fs:[00000030h] 3_2_01440181
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01444183 mov eax, dword ptr fs:[00000030h] 3_2_01444183
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013B71EB mov eax, dword ptr fs:[00000030h] 3_2_013B71EB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013B71EB mov eax, dword ptr fs:[00000030h] 3_2_013B71EB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013B71EB mov eax, dword ptr fs:[00000030h] 3_2_013B71EB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013B71EB mov eax, dword ptr fs:[00000030h] 3_2_013B71EB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0146C1B1 mov eax, dword ptr fs:[00000030h] 3_2_0146C1B1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0146C1B1 mov ecx, dword ptr fs:[00000030h] 3_2_0146C1B1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0146C1B1 mov eax, dword ptr fs:[00000030h] 3_2_0146C1B1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0146C1B1 mov eax, dword ptr fs:[00000030h] 3_2_0146C1B1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0146C1B1 mov ecx, dword ptr fs:[00000030h] 3_2_0146C1B1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0146C1B1 mov eax, dword ptr fs:[00000030h] 3_2_0146C1B1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0146C1B1 mov eax, dword ptr fs:[00000030h] 3_2_0146C1B1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0146C1B1 mov ecx, dword ptr fs:[00000030h] 3_2_0146C1B1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0146C1B1 mov eax, dword ptr fs:[00000030h] 3_2_0146C1B1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0146C1B1 mov ecx, dword ptr fs:[00000030h] 3_2_0146C1B1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013EE1C7 mov eax, dword ptr fs:[00000030h] 3_2_013EE1C7
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014681BB mov ecx, dword ptr fs:[00000030h] 3_2_014681BB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014681BB mov eax, dword ptr fs:[00000030h] 3_2_014681BB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014681BB mov eax, dword ptr fs:[00000030h] 3_2_014681BB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014681BB mov eax, dword ptr fs:[00000030h] 3_2_014681BB
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0147E1B8 mov eax, dword ptr fs:[00000030h] 3_2_0147E1B8
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h] 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h] 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 mov eax, dword ptr fs:[00000030h] 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h] 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h] 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 mov eax, dword ptr fs:[00000030h] 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h] 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h] 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 mov eax, dword ptr fs:[00000030h] 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h] 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 mov ecx, dword ptr fs:[00000030h] 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013D0035 mov eax, dword ptr fs:[00000030h] 3_2_013D0035
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013BE033 mov edi, dword ptr fs:[00000030h] 3_2_013BE033
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0140005B mov eax, dword ptr fs:[00000030h] 3_2_0140005B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01492063 mov eax, dword ptr fs:[00000030h] 3_2_01492063
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0144207A mov eax, dword ptr fs:[00000030h] 3_2_0144207A
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_0149300B mov eax, dword ptr fs:[00000030h] 3_2_0149300B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013F0070 mov eax, dword ptr fs:[00000030h] 3_2_013F0070
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013F0070 mov eax, dword ptr fs:[00000030h] 3_2_013F0070
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013F0070 mov eax, dword ptr fs:[00000030h] 3_2_013F0070
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013C106B mov eax, dword ptr fs:[00000030h] 3_2_013C106B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013C106B mov eax, dword ptr fs:[00000030h] 3_2_013C106B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013C106B mov eax, dword ptr fs:[00000030h] 3_2_013C106B
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013FA053 mov eax, dword ptr fs:[00000030h] 3_2_013FA053
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01462033 mov eax, dword ptr fs:[00000030h] 3_2_01462033
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_01462033 mov eax, dword ptr fs:[00000030h] 3_2_01462033
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013DC0B9 mov eax, dword ptr fs:[00000030h] 3_2_013DC0B9
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013DC0B9 mov eax, dword ptr fs:[00000030h] 3_2_013DC0B9
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013DC0B9 mov eax, dword ptr fs:[00000030h] 3_2_013DC0B9
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_013DC0B9 mov eax, dword ptr fs:[00000030h] 3_2_013DC0B9
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014540D3 mov eax, dword ptr fs:[00000030h] 3_2_014540D3
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014870E1 mov eax, dword ptr fs:[00000030h] 3_2_014870E1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014870E1 mov eax, dword ptr fs:[00000030h] 3_2_014870E1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014870E1 mov eax, dword ptr fs:[00000030h] 3_2_014870E1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014870E1 mov eax, dword ptr fs:[00000030h] 3_2_014870E1
Source: C:\Windows\SysWOW64\Dtldt.exe Code function: 3_2_014440F3 mov eax, dword ptr fs:[00000030h] 3_2_014440F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10006010 VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc, 0_2_10006010
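Every `mov eax, dword ptr fs:[00000030h]` hit listed above for the dropped `C:\Windows\SysWOW64\Dtldt.exe` is the same primitive: on 32-bit Windows the FS segment points at the Thread Environment Block, and TEB+0x30 holds the pointer to the Process Environment Block, whose `BeingDebugged` (offset 2) and `NtGlobalFlag` (offset 0x68) fields are what the classic inline anti-debug checks read. The scanner below is an added example, not code from the report or from the sample: it finds the byte encodings of that instruction in a raw 32-bit code blob and reports the destination register, so the same class of hit can be triaged in any dump. The sample bytes are constructed for the demonstration and are not taken from the analysed binary.

```python
"""Locate direct PEB-pointer reads (mov r32, fs:[0x30]) in 32-bit x86 code.

Added example for triaging anti-debug hits; not part of the sandbox report.
Encodings handled (32-bit mode, FS override prefix 0x64):
    64 A1 30 00 00 00        mov eax, fs:[0x30]   (moffs32 short form)
    64 8B /r 30 00 00 00     mov r32, fs:[0x30]   (ModRM form, any register)
ModRM for [disp32] is (reg << 3) | 0b101, hence the byte class below.
"""
import re
from typing import List, Tuple

_REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

_PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"
)


def find_peb_reads(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Return (virtual address, destination register) for each fs:[0x30] read.

    `base` is the virtual address of code[0]; the report's function ids such
    as 3_2_013D5163 are virtual addresses, so pass the section base to compare.
    """
    hits: List[Tuple[int, str]] = []
    for m in _PEB_READ.finditer(code):
        raw = m.group(0)
        if raw[1] == 0xA1:                      # short form is always eax
            reg = "eax"
        else:                                   # ModRM form: reg field = bits 3..5
            reg = _REG32[(raw[2] >> 3) & 0b111]
        hits.append((base + m.start(), reg))
    return hits


# Constructed sample (assumption: not bytes from the analysed binary).
# A PEB read into eax followed by a BeingDebugged test, nop padding, then a
# PEB read into ecx followed by an NtGlobalFlag read.
SAMPLE_CODE = (
    b"\x64\xA1\x30\x00\x00\x00"         # mov   eax, fs:[0x30]         ; PEB
    b"\x0F\xB6\x40\x02"                 # movzx eax, byte ptr [eax+2]  ; PEB.BeingDebugged
    b"\x90\x90\x90"                     # nop padding
    b"\x64\x8B\x0D\x30\x00\x00\x00"     # mov   ecx, fs:[0x30]         ; PEB
    b"\x8B\x49\x68"                     # mov   ecx, [ecx+0x68]        ; PEB.NtGlobalFlag
)
SAMPLE_BASE = 0x401000                  # arbitrary section base for the demo


if __name__ == "__main__":
    for addr, reg in find_peb_reads(SAMPLE_CODE, SAMPLE_BASE):
        print(f"{addr:08X}  mov {reg}, dword ptr fs:[00000030h]")
```

Run it over a dumped `.text` section (for example the unpacked `Dtldt.exe` image) with its section base; one read per function is ordinary MSVC runtime code, whereas the dozens of reads concentrated in single functions that the report lists for `3_2_013D5163` and `3_2_013D1DE3` are the pattern worth a closer look. A 64-bit build uses `gs:[0x60]` instead and is not covered by this scanner.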

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1000C680 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton, 0_2_1000C680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1000C680 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton, 0_2_1000C680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10014650 mouse_event,GetDeviceCaps,_ftol,GetDeviceCaps,_ftol,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event,mouse_event,mouse_event, 0_2_10014650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10014650 mouse_event,GetDeviceCaps,_ftol,GetDeviceCaps,_ftol,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event,mouse_event,mouse_event, 0_2_10014650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1001B930 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep, 0_2_1001B930
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002D50000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Progman
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWndProgman%s.exerunasexplorer.exeSeDebugPrivilegecmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255BITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilege
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000003.2231108429.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2738620900.0000000002D50000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_006B24D6 cpuid 0_2_006B24D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1001ADE0 sprintf,sprintf,GetLocalTime,sprintf, 0_2_1001ADE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10008340 GetLogicalDriveStringsA,GetUserNameA,_stricmp,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA, 0_2_10008340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1001C850 GetModuleFileNameA,_strnicmp,CopyFileA,SetFileAttributesA,Sleep,GetVersionExA,UnlockServiceDatabase,GetLastError, 0_2_1001C850
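The `cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul` process chain recorded above is the sample deleting its own dropper: the loopback ping has no network purpose and simply blocks for about a second per extra echo, long enough for the parent to exit so that its file is no longer locked. The detector below is an added example, not code from the report: it walks process-creation records (Sysmon Event ID 1 style `Image`/`CommandLine` fields, an assumed input shape) and flags a loopback ping chained with a delete, while separately flagging the weaker "ping used as a timer" indicator that the report also lists as its own signature. The first sample record reuses the command line from the report; the others are constructed.

```python
"""Detect 'ping -n N 127.0.0.1 && del ...' self-deletion in process-creation logs.

Added example; not part of the sandbox report. Input records are dicts with
"Image" and "CommandLine" keys (assumed Sysmon Event ID 1 shape).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ping[.exe] ... 127.0.0.1|localhost, with no command separator in between.
_PING_LOOPBACK = re.compile(
    r"\bping(?:\.exe)?\b[^&|]*?\b(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE
)
_PING_COUNT = re.compile(r"-n\s+(\d+)", re.IGNORECASE)
# A file deletion chained after the ping with &&, & or ||.
_DELETE_AFTER = re.compile(r"(?:&&|&|\|\|)\s*(?:del|erase)\b", re.IGNORECASE)


@dataclass
class Finding:
    process: str
    ping_count: Optional[int]   # None when -n is absent (default is 4 echoes)
    command_line: str


def is_loopback_ping_sleep(command_line: str) -> bool:
    """Weak indicator: ping to the local host, i.e. ping used as a delay."""
    return _PING_LOOPBACK.search(command_line) is not None


def detect_ping_sleep_delete(events: List[dict]) -> List[Finding]:
    """Strong indicator: loopback ping followed in the same chain by del/erase."""
    findings: List[Finding] = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        ping = _PING_LOOPBACK.search(cmd)
        if ping is None:
            continue
        if _DELETE_AFTER.search(cmd[ping.end():]) is None:   # delete must follow the ping
            continue
        count = _PING_COUNT.search(ping.group(0))
        findings.append(
            Finding(ev.get("Image", ""), int(count.group(1)) if count else None, cmd)
        )
    return findings


# Sample records. The first CommandLine is the one recorded in the report;
# the remaining three are constructed for the demonstration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul "
                    r"&& del C:\Users\user\Desktop\SECURI~1.EXE > nul"},
    {"Image": r"C:\Windows\System32\cmd.exe",            # timer only, nothing deleted
     "CommandLine": r"cmd.exe /c ping -n 4 127.0.0.1 > nul"},
    {"Image": r"C:\Windows\System32\cmd.exe",            # real host, legitimate-looking admin use
     "CommandLine": r"cmd.exe /c ping -n 1 10.0.0.5 && del C:\tmp\x.txt"},
    {"Image": r"C:\Windows\System32\PING.EXE",           # the child ping on its own
     "CommandLine": r"ping -n 2 127.0.0.1"},
]


if __name__ == "__main__":
    for f in detect_ping_sleep_delete(SAMPLE_EVENTS):
        print(f"self-delete via ping sleep ({f.ping_count} echoes): {f.process}")
        print(f"    {f.command_line}")
```

Hunting on the child `PING.EXE` alone produces noise, since administrators and scripts ping the loopback for many reasons; the useful signal is the parent `cmd.exe` command line carrying both the loopback ping and the chained `del`, which is why the strong check inspects the chain rather than the ping process.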

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_10022310 OpenServiceA 00000000,sharedaccess,000F01FF 0_2_10022310
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: acs.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vsserv.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: avcenter.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: kxetray.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: avp.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: cfp.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: KSafeTray.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: rtvscan.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 360tray.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ashDisp.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: TMBMSRV.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: avgwdsvc.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: AYAgent.aye
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: QUHLPSVC.EXE
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: RavMonD.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Mcshield.exe
Source: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe, 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe PID: 408, type: MEMORYSTR
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10106038.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.53f068.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.100f69f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.52fa20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe PID: 408, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.439030.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2739065259.00000000100F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2737120507.000000000051F000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe PID: 408, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1001F0C0 socket,bind,getsockname,inet_addr, 0_2_1001F0C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe Code function: 0_2_1001F470 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle, 0_2_1001F470