Windows Analysis Report
rN9D2S747U.exe

Overview

General Information

Sample name: rN9D2S747U.exe
(renamed file extension from txt to exe, renamed because original name is a hash value)
Original sample name: d467b9c94ce07d4f539491f5cd2fc7219008cf196eff6a62880095b06c345b75.txt
Analysis ID: 1651337
MD5: 08391c46059bd63c5973cc9bc12e08d1
SHA1: 0c2ab65b7b5c89e506aa746b3fd33f34b13f6ceb
SHA256: d467b9c94ce07d4f539491f5cd2fc7219008cf196eff6a62880095b06c345b75

Detection

LummaC, Amadey, Stealc
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
LummaC encrypted strings found
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

[Classification chart. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Legend: clean, suspicious, malicious.]
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: rN9D2S747U.exe Avira: detected
Source: https://awake-weaves.cyou:443/api Avira URL Cloud: Label: malware
Source: https://debonairnukk.xyz:443/api Avira URL Cloud: Label: malware
Source: https://wrathful-jammy.cyou:443/api Avira URL Cloud: Label: malware
Source: https://diffuculttan.xyz:443/api Avira URL Cloud: Label: malware
Source: https://sordid-snaked.cyou:443/apiC Avira URL Cloud: Label: malware
Source: https://tacitglibbr.biz:443/api Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\4B397a.exe Avira: detection malicious, Label: TR/Redcap.bmwcz
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\4B397a.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 83%
Source: rN9D2S747U.exe Virustotal: Detection: 54%
Source: rN9D2S747U.exe ReversingLabs: Detection: 65%
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: 185.215.113.43
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: /Zu7JuNko/index.php
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: S-%lu-
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: abc3bc1985
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: skotes.exe
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: Startup
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: cmd /C RMDIR /s/q
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: rundll32
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: Programs
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: %USERPROFILE%
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: cred.dll|clip.dll|
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: cred.dll
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: clip.dll
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: http://
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: https://
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: /quiet
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: /Plugins/
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: &unit=
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: shell32.dll
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: kernel32.dll
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: GetNativeSystemInfo
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: ProgramData\
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: AVAST Software
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: Kaspersky Lab
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: Panda Security
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: Doctor Web
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: 360TotalSecurity
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: Bitdefender
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: Norton
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: Sophos
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: Comodo
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: WinDefender
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: 0123456789
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: ------
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: ?scr=1
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: ComputerName
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: -unicode-
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: VideoID
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: DefaultSettings.XResolution
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: DefaultSettings.YResolution
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: ProductName
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: CurrentBuild
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: rundll32.exe
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: "taskkill /f /im "
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: " && timeout 1 && del
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: && Exit"
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: " && ren
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: Powershell.exe
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: -executionpolicy remotesigned -File "
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: shutdown -s -t 0
Source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp String decryptor: random
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C82F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00C82F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Code function: 1_2_00342F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 1_2_00342F1D
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Code function: 2_2_00842F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 2_2_00842F1D
Source: rN9D2S747U.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.204.10.89:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: rN9D2S747U.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: rN9D2S747U.exe, x7W52.exe.1.dr, P3z54.exe.0.dr
Source: Binary string: wextract.pdbGCTL source: rN9D2S747U.exe, x7W52.exe.1.dr, P3z54.exe.0.dr
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C82390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00C82390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Code function: 1_2_00342390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00342390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Code function: 2_2_00842390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00842390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: C:\Users\user\AppData\Local

Networking

Source: Network traffic Suricata IDS: 2058230 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tacitglibbr .biz) : 192.168.2.4:52204 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.4:55041 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.4:65131 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.4:57171 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.4:59770 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.4:52222 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.4:56804 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.4:56960 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.4:63163 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49719 -> 23.204.10.89:443
Source: Malware configuration extractor IPs: 185.215.113.43
Source: DNS query: effecterectz.xyz
Source: DNS query: diffuculttan.xyz
Source: DNS query: debonairnukk.xyz
Source: Joe Sandbox View IP Address: 185.215.113.43
Source: Joe Sandbox View IP Address: 23.204.10.89
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49719 -> 23.204.10.89:443
Source: global traffic HTTP traffic detected:
GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Code function: 3_2_00A6E0C0 recv,recv,recv,recv, 3_2_00A6E0C0
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=xihOpMrg
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=ewPC
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-zOgNUp&l=english&am
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/steam_share_image.jpg
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=PCCoCNLxwF4M&am
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: 2k1905.exe, 0000000B.00000002.1339076389.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://debonairnukk.xyz:443/api
Source: 2k1905.exe, 0000000B.00000002.1339076389.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://diffuculttan.xyz:443/api
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rec./
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: 2k1905.exe, 0000000B.00000002.1339076389.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sordid-snaked.cyou:443/apiC
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamai
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 2k1905.exe, 0000000B.00000002.1339076389.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339076389.0000000000C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: 2k1905.exe, 0000000B.00000002.1339076389.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamloopback.host
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 2k1905.exe, 0000000B.00000002.1339076389.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tacitglibbr.biz:443/api
Source: 2k1905.exe, 0000000B.00000002.1339076389.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wrathful-jammy.cyou:443/api
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.c
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptch
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 2k1905.exe, 0000000B.00000003.1331453556.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000003.1331582643.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339388742.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown HTTPS traffic detected: 23.204.10.89:443 -> 192.168.2.4:49719 version: TLS 1.2

System Summary

Source: 4B397a.exe.0.dr Static PE information: section name:
Source: 4B397a.exe.0.dr Static PE information: section name: .idata
Source: 3G94w.exe.1.dr Static PE information: section name:
Source: 3G94w.exe.1.dr Static PE information: section name: .idata
Source: 3G94w.exe.1.dr Static PE information: section name:
Source: 1L26f6.exe.2.dr Static PE information: section name:
Source: 1L26f6.exe.2.dr Static PE information: section name: .idata
Source: 2k1905.exe.2.dr Static PE information: section name:
Source: 2k1905.exe.2.dr Static PE information: section name: .idata
Source: 2k1905.exe.2.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C81F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 0_2_00C81F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Code function: 1_2_00341F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 1_2_00341F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Code function: 2_2_00841F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 2_2_00841F90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\4B397a.exe 62E97F2C558313F494A3554FE24BA552DA64F709A98E4880A5A6B621DC89F789
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe 5258BA33DED7480FB162FF25AF0DD7628D468B88D8160B79824301F50C7981AC
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe 091BC5705EA1F8127DB8F1D53C883BA04B79AFB04BECE4F90C73D1311C546ADE
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Code function: String function: 00A780C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0078DF80 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 007880C0 appears 260 times
Source: rN9D2S747U.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 7036837 bytes, 2 files, at 0x2c +A "P3z54.exe" +A "4B397a.exe", ID 1472, number 1, 256 datablocks, 0x1503 compression
Source: rN9D2S747U.exe Static PE information: Resource name: RT_RCDATA type: DOS executable (COM)
Source: P3z54.exe.0.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 5372344 bytes, 2 files, at 0x2c +A "x7W52.exe" +A "3G94w.exe", ID 1451, number 1, 167 datablocks, 0x1503 compression
Source: x7W52.exe.1.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 3493948 bytes, 2 files, at 0x2c +A "1L26f6.exe" +A "2k1905.exe", ID 1485, number 1, 147 datablocks, 0x1503 compression
Source: rN9D2S747U.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs rN9D2S747U.exe
Source: rN9D2S747U.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3G94w.exe.1.dr Static PE information: Section: kbusnrxz ZLIB complexity 0.9948743793587023
Source: 1L26f6.exe.2.dr Static PE information: Section: ZLIB complexity 0.998451336852861
Source: 2k1905.exe.2.dr Static PE information: Section: ZLIB complexity 0.9975251498287672
Source: 2k1905.exe.2.dr Static PE information: Section: oxelpjbe ZLIB complexity 0.9946053361491747
Source: skotes.exe.3.dr Static PE information: Section: ZLIB complexity 0.998451336852861
Source: 2k1905.exe.2.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 4B397a.exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/8@10/2
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C83FEF CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA, 0_2_00C83FEF
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C81F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 0_2_00C81F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Code function: 1_2_00341F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 1_2_00341F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Code function: 2_2_00841F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 2_2_00841F90
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C8597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 0_2_00C8597D
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C84FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA, 0_2_00C84FE0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\rN9D2S747U.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: C:\Users\user\Desktop\rN9D2S747U.exe Command line argument: Kernel32.dll 0_2_00C82BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Command line argument: Kernel32.dll 1_2_00342BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Command line argument: Kernel32.dll 2_2_00842BFB
Source: rN9D2S747U.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\rN9D2S747U.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: rN9D2S747U.exe Virustotal: Detection: 54%
Source: rN9D2S747U.exe ReversingLabs: Detection: 65%
Source: 2k1905.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 3G94w.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\rN9D2S747U.exe "C:\Users\user\Desktop\rN9D2S747U.exe"
Source: C:\Users\user\Desktop\rN9D2S747U.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\"
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: feclient.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: advpack.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\rN9D2S747U.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Section loaded: advpack.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Section loaded: advpack.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: rN9D2S747U.exe Static file information: File size 7193600 > 1048576
Source: rN9D2S747U.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x6d3e00
Source: rN9D2S747U.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rN9D2S747U.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rN9D2S747U.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rN9D2S747U.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rN9D2S747U.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rN9D2S747U.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: rN9D2S747U.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: rN9D2S747U.exe, x7W52.exe.1.dr, P3z54.exe.0.dr
Source: Binary string: wextract.pdbGCTL source: rN9D2S747U.exe, x7W52.exe.1.dr, P3z54.exe.0.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Unpacked PE file: 3.2.1L26f6.exe.a60000.0.unpack :EW;.rsrc:W;.idata :W;diabzkav:EW;eighdbaz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;diabzkav:EW;eighdbaz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 4.2.skotes.exe.770000.0.unpack :EW;.rsrc:W;.idata :W;diabzkav:EW;eighdbaz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;diabzkav:EW;eighdbaz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 7.2.skotes.exe.770000.0.unpack :EW;.rsrc:W;.idata :W;diabzkav:EW;eighdbaz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;diabzkav:EW;eighdbaz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Unpacked PE file: 11.2.2k1905.exe.130000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oxelpjbe:EW;rxotcwhb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oxelpjbe:EW;rxotcwhb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Unpacked PE file: 13.2.3G94w.exe.1a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kbusnrxz:EW;yvqiegwt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kbusnrxz:EW;yvqiegwt:EW;.taggant:EW;
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C82F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00C82F1D
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: 2k1905.exe.2.dr Static PE information: real checksum: 0x1c0cdb should be: 0x1c66f2
Source: 1L26f6.exe.2.dr Static PE information: real checksum: 0x2e94ab should be: 0x2e559c
Source: skotes.exe.3.dr Static PE information: real checksum: 0x2e94ab should be: 0x2e559c
Source: 4B397a.exe.0.dr Static PE information: real checksum: 0x2b7e27 should be: 0x2bafdd
Source: 3G94w.exe.1.dr Static PE information: real checksum: 0x1c67a1 should be: 0x1be774
Source: 4B397a.exe.0.dr Static PE information: section name:
Source: 4B397a.exe.0.dr Static PE information: section name: .idata
Source: 4B397a.exe.0.dr Static PE information: section name: zhbmyutw
Source: 4B397a.exe.0.dr Static PE information: section name: tkykhzdh
Source: 4B397a.exe.0.dr Static PE information: section name: .taggant
Source: 3G94w.exe.1.dr Static PE information: section name:
Source: 3G94w.exe.1.dr Static PE information: section name: .idata
Source: 3G94w.exe.1.dr Static PE information: section name:
Source: 3G94w.exe.1.dr Static PE information: section name: kbusnrxz
Source: 3G94w.exe.1.dr Static PE information: section name: yvqiegwt
Source: 3G94w.exe.1.dr Static PE information: section name: .taggant
Source: 1L26f6.exe.2.dr Static PE information: section name:
Source: 1L26f6.exe.2.dr Static PE information: section name: .idata
Source: 1L26f6.exe.2.dr Static PE information: section name: diabzkav
Source: 1L26f6.exe.2.dr Static PE information: section name: eighdbaz
Source: 1L26f6.exe.2.dr Static PE information: section name: .taggant
Source: 2k1905.exe.2.dr Static PE information: section name:
Source: 2k1905.exe.2.dr Static PE information: section name: .idata
Source: 2k1905.exe.2.dr Static PE information: section name:
Source: 2k1905.exe.2.dr Static PE information: section name: oxelpjbe
Source: 2k1905.exe.2.dr Static PE information: section name: rxotcwhb
Source: 2k1905.exe.2.dr Static PE information: section name: .taggant
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name: diabzkav
Source: skotes.exe.3.dr Static PE information: section name: eighdbaz
Source: skotes.exe.3.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C8724D push ecx; ret 0_2_00C87260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Code function: 1_2_0034724D push ecx; ret 1_2_00347260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Code function: 2_2_0084724D push ecx; ret 2_2_00847260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Code function: 3_2_00A7D91C push ecx; ret 3_2_00A7D92F
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Code function: 3_2_00A71359 push es; ret 3_2_00A7135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 4_2_0078D91C push ecx; ret 4_2_0078D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_0078D91C push ecx; ret 7_2_0078D92F
Source: 4B397a.exe.0.dr Static PE information: section name: entropy: 7.777592768894132
Source: 3G94w.exe.1.dr Static PE information: section name: kbusnrxz entropy: 7.9545496097424495
Source: 1L26f6.exe.2.dr Static PE information: section name: entropy: 7.986948480140589
Source: 2k1905.exe.2.dr Static PE information: section name: entropy: 7.983477399534379
Source: 2k1905.exe.2.dr Static PE information: section name: oxelpjbe entropy: 7.9533529811209425
Source: skotes.exe.3.dr Static PE information: section name: entropy: 7.986948480140589
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe
Source: C:\Users\user\Desktop\rN9D2S747U.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe
Source: C:\Users\user\Desktop\rN9D2S747U.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\4B397a.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C81AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00C81AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Code function: 1_2_00341AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 1_2_00341AE8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Code function: 2_2_00841AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 2_2_00841AE8

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\rN9D2S747U.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9A4C3 second address: C9A52A instructions: 0x00000000 rdtsc 0x00000002 je 00007F14E051BDA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F14E051BDA8h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 adc di, 6396h 0x0000002d push 00000000h 0x0000002f call 00007F14E051BDB8h 0x00000034 add edi, dword ptr [ebp+122D1D78h] 0x0000003a pop ebx 0x0000003b push 00000000h 0x0000003d or dword ptr [ebp+12456B0Ah], edi 0x00000043 xchg eax, esi 0x00000044 push edi 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9A52A second address: C9A52E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9A52E second address: C9A548 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E051BDAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9A548 second address: C9A54C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9A54C second address: C9A552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9B5C3 second address: C9B5D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9A6B6 second address: C9A6BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9B5D4 second address: C9B5E6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a jnc 00007F14E0885B3Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9A6BA second address: C9A6BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9B5E6 second address: C9B645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebx 0x00000009 call 00007F14E0885B38h 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], ebx 0x00000013 add dword ptr [esp+04h], 0000001Ah 0x0000001b inc ebx 0x0000001c push ebx 0x0000001d ret 0x0000001e pop ebx 0x0000001f ret 0x00000020 push 00000000h 0x00000022 jno 00007F14E0885B4Bh 0x00000028 push 00000000h 0x0000002a or dword ptr [ebp+122D1FC4h], esi 0x00000030 jng 00007F14E0885B3Ch 0x00000036 mov dword ptr [ebp+122D21A4h], edi 0x0000003c push eax 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9B645 second address: C9B649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9B649 second address: C9B657 instructions: 0x00000000 rdtsc 0x00000002 je 00007F14E0885B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9B657 second address: C9B65B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9B78E second address: C9B799 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9D763 second address: C9D7A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push edx 0x0000000b movsx ebx, si 0x0000000e pop edi 0x0000000f push 00000000h 0x00000011 mov ebx, dword ptr [ebp+12456529h] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F14E051BDA8h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 movsx ebx, bx 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push edx 0x00000039 push ebx 0x0000003a jbe 00007F14E051BDA6h 0x00000040 pop ebx 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9B8B7 second address: C9B8BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9D7A7 second address: C9D7AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C9E880 second address: C9E895 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CA6708 second address: CA670E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CA5D20 second address: CA5D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CA5D2B second address: CA5D4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E051BDAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F14E051BDACh 0x00000012 jc 00007F14E051BDA6h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CA5D4D second address: CA5D65 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F14E0885B43h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CA5EC9 second address: CA5EE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 push esi 0x00000008 pop esi 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F14E051BDAEh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CA5EE3 second address: CA5EEF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CA5EEF second address: CA5F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F14E051BDA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F14E051BDAAh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CA607E second address: CA6082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CA6082 second address: CA608B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CA608B second address: CA6091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CABD89 second address: CABDAA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F14E051BDB9h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CABDAA second address: ACEE14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 19141651h 0x0000000e jmp 00007F14E0885B3Bh 0x00000013 push dword ptr [ebp+122D0689h] 0x00000019 jmp 00007F14E0885B40h 0x0000001e call dword ptr [ebp+122D21C8h] 0x00000024 pushad 0x00000025 jmp 00007F14E0885B3Ah 0x0000002a sub dword ptr [ebp+122D386Eh], edx 0x00000030 xor eax, eax 0x00000032 mov dword ptr [ebp+122D39A0h], eax 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c ja 00007F14E0885B37h 0x00000042 clc 0x00000043 mov dword ptr [ebp+122D2EBAh], eax 0x00000049 clc 0x0000004a mov esi, 0000003Ch 0x0000004f sub dword ptr [ebp+122D386Eh], eax 0x00000055 add esi, dword ptr [esp+24h] 0x00000059 jo 00007F14E0885B3Ch 0x0000005f add dword ptr [ebp+122D39A0h], esi 0x00000065 pushad 0x00000066 add dword ptr [ebp+122D386Eh], ecx 0x0000006c movzx eax, cx 0x0000006f popad 0x00000070 lodsw 0x00000072 jmp 00007F14E0885B3Ah 0x00000077 add eax, dword ptr [esp+24h] 0x0000007b stc 0x0000007c mov ebx, dword ptr [esp+24h] 0x00000080 pushad 0x00000081 jmp 00007F14E0885B46h 0x00000086 or esi, dword ptr [ebp+122D2E46h] 0x0000008c popad 0x0000008d nop 0x0000008e push edx 0x0000008f push eax 0x00000090 push edx 0x00000091 jmp 00007F14E0885B49h 0x00000096 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CAD2E2 second address: CAD2E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB3F81 second address: CB3F90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F14E0885B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB2C47 second address: CB2C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F14E051BDB5h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB31F0 second address: CB31FF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F14E0885B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push esi 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB34B7 second address: CB34BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB34BC second address: CB34D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F14E0885B44h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB3781 second address: CB3793 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E051BDAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB3793 second address: CB37CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F14E0885B48h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F14E0885B47h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB37CD second address: CB37D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB391D second address: CB3989 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B45h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F14E0885B41h 0x00000010 jnc 00007F14E0885B52h 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 push edi 0x0000001a pop edi 0x0000001b jno 00007F14E0885B36h 0x00000021 jmp 00007F14E0885B3Fh 0x00000026 popad 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB3C24 second address: CB3C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB3C28 second address: CB3C34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F14E0885B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB3DEA second address: CB3E05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E051BDB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB3E05 second address: CB3E34 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F14E0885B3Ch 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F14E0885B49h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB81E6 second address: CB8210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F14E051BDA8h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F14E051BDB8h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB8210 second address: CB8214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB837B second address: CB8388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F14E051BDA6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB8388 second address: CB838E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB838E second address: CB8392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB8392 second address: CB8398 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB8BFC second address: CB8C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F14E051BDB1h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB8C18 second address: CB8C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB9057 second address: CB9061 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F14E051BDA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB962D second address: CB9633 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB9633 second address: CB9637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CB7EB4 second address: CB7EE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F14E0885B45h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C82AFC second address: C68B0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F14E051BDA6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F14E051BDA8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b jmp 00007F14E051BDB8h 0x00000030 lea eax, dword ptr [ebp+12487867h] 0x00000036 or dword ptr [ebp+122D1D4Ah], ebx 0x0000003c and di, 7444h 0x00000041 nop 0x00000042 jnc 00007F14E051BDACh 0x00000048 push eax 0x00000049 jmp 00007F14E051BDABh 0x0000004e nop 0x0000004f or ch, FFFFFFAAh 0x00000052 call dword ptr [ebp+12454269h] 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F14E051BDAEh 0x0000005f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C831BC second address: C831CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C831CE second address: C831FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F14E051BDB8h 0x00000009 popad 0x0000000a pop edx 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push eax 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F14E051BDAAh 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C83A81 second address: C83A8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C83E09 second address: C83E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jbe 00007F14E051BDA6h 0x0000000c jmp 00007F14E051BDB6h 0x00000011 popad 0x00000012 popad 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 jmp 00007F14E051BDB6h 0x0000001d push esi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C83F3A second address: C83F60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F14E0885B3Fh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C83F60 second address: C83F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C83F64 second address: C83FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F14E0885B42h 0x0000000b popad 0x0000000c nop 0x0000000d call 00007F14E0885B48h 0x00000012 pop edx 0x00000013 mov edx, dword ptr [ebp+122D1D27h] 0x00000019 lea eax, dword ptr [ebp+124878ABh] 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007F14E0885B38h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 0000001Dh 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 nop 0x0000003a push eax 0x0000003b push edx 0x0000003c ja 00007F14E0885B4Bh 0x00000042 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C83FE6 second address: C8402E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F14E051BDB3h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F14E051BDB0h 0x00000010 nop 0x00000011 push esi 0x00000012 sub dword ptr [ebp+122D36B5h], ecx 0x00000018 pop ecx 0x00000019 lea eax, dword ptr [ebp+12487867h] 0x0000001f or dword ptr [ebp+122D3969h], esi 0x00000025 push eax 0x00000026 jbe 00007F14E051BDB8h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: C8402E second address: C84032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CC1F8E second address: CC1F98 instructions: 0x00000000 rdtsc 0x00000002 js 00007F14E051BDA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CC20ED second address: CC20F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CC20F4 second address: CC20FB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CC20FB second address: CC210E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F14E0885B36h 0x0000000d jl 00007F14E0885B36h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CC210E second address: CC2112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CC2541 second address: CC2560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 jc 00007F14E0885B4Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F14E0885B41h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CC26A8 second address: CC26D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F14E051BDB7h 0x00000009 pushad 0x0000000a popad 0x0000000b jg 00007F14E051BDA6h 0x00000011 popad 0x00000012 popad 0x00000013 push ecx 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CC7054 second address: CC705A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: CC705A second address: CC7060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D63B68 second address: D63B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F14E051BDAAh 0x00000009 jns 00007F14E051BDA6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F14E051BDA6h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D63B85 second address: D63B9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B45h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D63E49 second address: D63E4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D63E4D second address: D63E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F14E0885B47h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D63E6C second address: D63E73 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D63FB0 second address: D63FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D646B6 second address: D646BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D646BD second address: D646C7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F14E0885B42h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D646C7 second address: D646CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D649AE second address: D649B6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D649B6 second address: D649BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D676CD second address: D676DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D6787A second address: D67880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D67BC3 second address: D67C3A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007F14E0885B36h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F14E0885B38h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 or dx, F8DCh 0x0000002e push dword ptr [ebp+122D1E89h] 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007F14E0885B38h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e mov dword ptr [ebp+12485B07h], ebx 0x00000054 push D8FF36C2h 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F14E0885B3Dh 0x00000061 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D67C3A second address: D67C3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D67C3E second address: D67C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D6AB0E second address: D6AB37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 jmp 00007F14E051BDB9h 0x0000000c jo 00007F14E051BDA6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: D6A664 second address: D6A66E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F14E0885B36h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 513029A second address: 513029E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 513029E second address: 51302A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51302A4 second address: 51302A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110E1B second address: 5110E22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, D9h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110E22 second address: 5110E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110E30 second address: 5110E45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110E45 second address: 5110E96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E051BDB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F14E051BDB1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F14E051BDAEh 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F14E051BDB7h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110E96 second address: 5110E9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51604F2 second address: 5160586 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E051BDB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F14E051BDACh 0x00000011 jmp 00007F14E051BDB5h 0x00000016 popfd 0x00000017 pushfd 0x00000018 jmp 00007F14E051BDB0h 0x0000001d and ax, 2F08h 0x00000022 jmp 00007F14E051BDABh 0x00000027 popfd 0x00000028 popad 0x00000029 push eax 0x0000002a jmp 00007F14E051BDB9h 0x0000002f xchg eax, ebp 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F14E051BDB8h 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5160586 second address: 5160595 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5160595 second address: 5160604 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E051BDB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F14E051BDB3h 0x00000012 or ch, 0000006Eh 0x00000015 jmp 00007F14E051BDB9h 0x0000001a popfd 0x0000001b popad 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F14E051BDB8h 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5160604 second address: 5160608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5160608 second address: 516060E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 516060E second address: 5160614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5160614 second address: 5160618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5160618 second address: 516061C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 50F01E5 second address: 50F01EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 50F01EB second address: 50F01F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 50F01F1 second address: 50F0200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 50F0200 second address: 50F0215 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110B20 second address: 5110B49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E051BDB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov di, E02Eh 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov dx, si 0x00000017 mov eax, 02D43819h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110B49 second address: 5110B4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110B4F second address: 5110B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110B53 second address: 5110B63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110B63 second address: 5110B79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E051BDB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110B79 second address: 5110B7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110B7F second address: 5110B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110B83 second address: 5110B92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110B92 second address: 5110B96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110B96 second address: 5110B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51106B4 second address: 51106BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, dx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51106BC second address: 51106E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F14E0885B42h 0x00000008 pop ecx 0x00000009 mov esi, edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov cl, dh 0x00000014 mov dx, ax 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51106E1 second address: 51106E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51106E7 second address: 51106EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51106EB second address: 51106EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51105EA second address: 5110605 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110605 second address: 511061D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F14E051BDB4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 511061D second address: 5110635 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F14E0885B3Dh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110635 second address: 5110669 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F14E051BDB7h 0x00000008 mov bx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F14E051BDB1h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110669 second address: 5110671 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110352 second address: 5110358 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110358 second address: 511035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 511035C second address: 5110360 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110360 second address: 511039C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a movzx eax, di 0x0000000d mov dl, C8h 0x0000000f popad 0x00000010 mov dword ptr [esp], ebp 0x00000013 jmp 00007F14E0885B3Eh 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F14E0885B47h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 511039C second address: 51103C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E051BDB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, dx 0x00000010 movsx edi, si 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51103C4 second address: 51103D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F14E0885B3Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51103D4 second address: 51103D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 512027B second address: 512027F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 512027F second address: 5120285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120285 second address: 51202F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F14E0885B42h 0x00000009 and si, 9F08h 0x0000000e jmp 00007F14E0885B3Bh 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F14E0885B41h 0x00000023 xor si, 7A26h 0x00000028 jmp 00007F14E0885B41h 0x0000002d popfd 0x0000002e call 00007F14E0885B40h 0x00000033 pop eax 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51202F0 second address: 5120310 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E051BDB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx eax, di 0x00000010 mov bx, 923Ch 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120310 second address: 5120316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120316 second address: 512031A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 512031A second address: 5120334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F14E0885B3Fh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120334 second address: 5120353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F14E051BDB3h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120353 second address: 512035A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 516040A second address: 5160412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx ebx, si 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5160412 second address: 5160426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F14E0885B40h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5160426 second address: 516043E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F14E051BDADh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 516043E second address: 5160463 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F14E0885B3Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5160463 second address: 51604B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F14E051BDB7h 0x00000008 call 00007F14E051BDB8h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 mov cx, di 0x00000017 push ebx 0x00000018 mov dh, al 0x0000001a pop edx 0x0000001b popad 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F14E051BDADh 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51604B4 second address: 51604BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51305F9 second address: 5130611 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F14E051BDB4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5130611 second address: 5130629 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F14E0885B3Dh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5130629 second address: 513064F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F14E051BDB7h 0x00000008 mov edi, ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 513064F second address: 5130653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5130653 second address: 5130659 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170F18 second address: 5170F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170F1C second address: 5170F22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170F22 second address: 5170F28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170F28 second address: 5170F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170F2C second address: 5170F30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170F30 second address: 5170F98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a jmp 00007F14E051BDB8h 0x0000000f pushfd 0x00000010 jmp 00007F14E051BDB2h 0x00000015 or si, EE78h 0x0000001a jmp 00007F14E051BDABh 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 jmp 00007F14E051BDB6h 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov bl, 1Ah 0x0000002e mov al, 82h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170D5A second address: 5170D60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170D60 second address: 5170D64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170D64 second address: 5170D83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F14E0885B42h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170D83 second address: 5170D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170D87 second address: 5170D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170D8D second address: 5170D93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5170D93 second address: 5170D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110135 second address: 5110195 instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 movzx ecx, di 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov si, di 0x00000011 pushfd 0x00000012 jmp 00007F14E051BDB9h 0x00000017 xor ax, 6F06h 0x0000001c jmp 00007F14E051BDB1h 0x00000021 popfd 0x00000022 popad 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F14E051BDB8h 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5110195 second address: 51101A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51801EB second address: 5180288 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F14E051BDB1h 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F14E051BDB1h 0x0000000f sub eax, 304E6E66h 0x00000015 jmp 00007F14E051BDB1h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e xchg eax, ebp 0x0000001f jmp 00007F14E051BDAEh 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 call 00007F14E051BDAEh 0x0000002c mov bx, ax 0x0000002f pop esi 0x00000030 mov ah, bl 0x00000032 popad 0x00000033 push dword ptr [ebp+0Ch] 0x00000036 pushad 0x00000037 push ecx 0x00000038 mov dh, F1h 0x0000003a pop eax 0x0000003b mov ax, di 0x0000003e popad 0x0000003f push dword ptr [ebp+08h] 0x00000042 pushad 0x00000043 jmp 00007F14E051BDB5h 0x00000048 movzx ecx, di 0x0000004b popad 0x0000004c push A1E4C6F0h 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5180288 second address: 518028C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 518028C second address: 5180292 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51802C4 second address: 51802CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 2E6Eh 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51802CD second address: 518030B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F14E051BDB2h 0x00000009 xor cl, FFFFFFB8h 0x0000000c jmp 00007F14E051BDABh 0x00000011 popfd 0x00000012 mov ch, AAh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 movzx eax, al 0x0000001a pushad 0x0000001b push edi 0x0000001c mov si, 4C83h 0x00000020 pop esi 0x00000021 mov si, dx 0x00000024 popad 0x00000025 pop ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 518030B second address: 518032C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F14E0885B3Ah 0x0000000a and cx, 1C48h 0x0000000f jmp 00007F14E0885B3Bh 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51205D9 second address: 51205DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51205DD second address: 51205FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51205FA second address: 5120660 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 017E2592h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F14E051BDB0h 0x00000019 xor ecx, 443825A8h 0x0000001f jmp 00007F14E051BDABh 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007F14E051BDB8h 0x0000002b jmp 00007F14E051BDB5h 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120660 second address: 5120728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F14E0885B47h 0x00000009 jmp 00007F14E0885B43h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F14E0885B48h 0x00000015 xor si, B7F8h 0x0000001a jmp 00007F14E0885B3Bh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 mov ebp, esp 0x00000025 jmp 00007F14E0885B46h 0x0000002a push FFFFFFFEh 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F14E0885B3Eh 0x00000033 xor al, FFFFFF88h 0x00000036 jmp 00007F14E0885B3Bh 0x0000003b popfd 0x0000003c pushad 0x0000003d mov ah, dl 0x0000003f popad 0x00000040 popad 0x00000041 push 32E455EFh 0x00000046 jmp 00007F14E0885B3Dh 0x0000004b xor dword ptr [esp], 459A95F7h 0x00000052 pushad 0x00000053 mov edx, ecx 0x00000055 mov ah, 4Fh 0x00000057 popad 0x00000058 call 00007F14E0885B39h 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120728 second address: 512072C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 512072C second address: 5120732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120732 second address: 5120761 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 6532B648h 0x00000008 mov esi, ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F14E051BDAAh 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jmp 00007F14E051BDABh 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120761 second address: 5120765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120765 second address: 5120769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120769 second address: 512076F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 512076F second address: 5120775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120775 second address: 5120779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120779 second address: 5120798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F14E051BDB1h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120798 second address: 512079E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 512079E second address: 51207A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 51207A2 second address: 512080B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a mov di, 2638h 0x0000000e pushfd 0x0000000f jmp 00007F14E0885B41h 0x00000014 adc cx, A626h 0x00000019 jmp 00007F14E0885B41h 0x0000001e popfd 0x0000001f popad 0x00000020 mov eax, dword ptr fs:[00000000h] 0x00000026 pushad 0x00000027 mov edx, eax 0x00000029 mov di, si 0x0000002c popad 0x0000002d nop 0x0000002e jmp 00007F14E0885B42h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F14E0885B3Eh 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 512080B second address: 5120811 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe RDTSC instruction interceptor: First address: 5120811 second address: 512089F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F14E0885B3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F14E0885B3Ch 0x00000013 jmp 00007F14E0885B45h 0x00000018 popfd 0x00000019 jmp 00007F14E0885B40h 0x0000001e popad 0x0000001f sub esp, 1Ch 0x00000022 jmp 00007F14E0885B40h 0x00000027 xchg eax, ebx 0x00000028 jmp 00007F14E0885B40h 0x0000002d push eax 0x0000002e jmp 00007F14E0885B3Bh 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F14E0885B40h 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Special instruction interceptor: First address: ACEE4D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Special instruction interceptor: First address: CA15D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Special instruction interceptor: First address: ACED84 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Special instruction interceptor: First address: C82C8D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Special instruction interceptor: First address: D037EE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 7DEE4D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 9B15D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 7DED84 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 992C8D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: A137EE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Special instruction interceptor: First address: 187C55 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Special instruction interceptor: First address: 322BAF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Special instruction interceptor: First address: 347740 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Special instruction interceptor: First address: 3EFA8A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Special instruction interceptor: First address: 593456 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Code function: 3_2_0518024D rdtsc 3_2_0518024D
Source: C:\Users\user\Desktop\rN9D2S747U.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\4B397a.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\rN9D2S747U.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe TID: 8000 Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C82390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00C82390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Code function: 1_2_00342390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00342390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Code function: 2_2_00842390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00842390
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C85467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00C85467
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe File opened: C:\Users\user\AppData\Local
Source: skotes.exe, skotes.exe, 00000007.00000002.1319780323.0000000000967000.00000040.00000001.01000000.0000000A.sdmp, 2k1905.exe, 2k1905.exe, 0000000B.00000002.1338164815.0000000000302000.00000040.00000001.01000000.0000000B.sdmp, 3G94w.exe, 3G94w.exe, 0000000D.00000002.1407181233.0000000000569000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 1L26f6.exe, 00000003.00000002.1286483292.0000000001419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 2k1905.exe, 0000000B.00000003.1331508845.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, 2k1905.exe, 0000000B.00000002.1339360250.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 3G94w.exe, 0000000D.00000002.1407980260.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 1L26f6.exe, 00000003.00000002.1285062322.0000000000C57000.00000040.00000001.01000000.00000006.sdmp, skotes.exe, 00000004.00000002.1311173465.0000000000967000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000002.1319780323.0000000000967000.00000040.00000001.01000000.0000000A.sdmp, 2k1905.exe, 0000000B.00000002.1338164815.0000000000302000.00000040.00000001.01000000.0000000B.sdmp, 3G94w.exe, 0000000D.00000002.1407181233.0000000000569000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 2k1905.exe, 0000000B.00000002.1339076389.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe System information queried: ModuleInformation
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Code function: 3_2_0518024D rdtsc 3_2_0518024D
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C82F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00C82F1D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Code function: 3_2_00A9652B mov eax, dword ptr fs:[00000030h] 3_2_00A9652B
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Code function: 3_2_00A9A302 mov eax, dword ptr fs:[00000030h] 3_2_00A9A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 4_2_007AA302 mov eax, dword ptr fs:[00000030h] 4_2_007AA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 4_2_007A652B mov eax, dword ptr fs:[00000030h] 4_2_007A652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_007AA302 mov eax, dword ptr fs:[00000030h] 7_2_007AA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_007A652B mov eax, dword ptr fs:[00000030h] 7_2_007A652B
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C86CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00C86CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\P3z54.exe Code function: 1_2_00346CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00346CF0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Code function: 2_2_00846CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00846CF0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\x7W52.exe Code function: 2_2_00846F40 SetUnhandledExceptionFilter, 2_2_00846F40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3G94w.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 3G94w.exe PID: 8148, type: MEMORYSTR
Source: 2k1905.exe String found in binary or memory: debonairnukk.xyz
Source: 2k1905.exe String found in binary or memory: diffuculttan.xyz
Source: 2k1905.exe String found in binary or memory: effecterectz.xyz
Source: 2k1905.exe String found in binary or memory: deafeninggeh.biz
Source: 2k1905.exe String found in binary or memory: immureprech.biz
Source: 2k1905.exe String found in binary or memory: tacitglibbr.biz
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1L26f6.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C817EE LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary, 0_2_00C817EE
Source: 1L26f6.exe, 00000003.00000002.1285319764.0000000000CA0000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: {Program Manager
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C87155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00C87155
Source: C:\Users\user\Desktop\rN9D2S747U.exe Code function: 0_2_00C82BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, 0_2_00C82BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2k1905.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 3.2.1L26f6.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.skotes.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.skotes.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.1318726698.0000000000771000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1284777861.0000000000A61000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1244429209.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1269735826.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1310837173.0000000000771000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1278383056.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1406937017.00000000001A1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1363729713.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3G94w.exe PID: 8148, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000000D.00000002.1406937017.00000000001A1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1363729713.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3G94w.exe PID: 8148, type: MEMORYSTR