Windows Analysis Report
LisectAVT_2403002B_242.exe

Overview

General Information

Sample name: LisectAVT_2403002B_242.exe
Analysis ID: 1481918
MD5: 814c7d754de0a807785f32a643082d2b
SHA1: a3f7abb4d5dc8bd5371f2e176b51e8c157b8f4bf
SHA256: 5e4f50a70deeb3a29049c06b1b3a73abb6def3ddd4bea47dbce78e4eaa941333
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: LisectAVT_2403002B_242.exe Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: TR/Agent.kmrzu
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: TR/Agent.kmrzu
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002B_242.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002B_242.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: global traffic TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.6:49710 -> 193.233.132.74:58709
Source: Joe Sandbox View IP Address: 193.233.132.74
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Code function: 0_2_00C3D4A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket, 0_2_00C3D4A0
Source: LisectAVT_2403002B_242.exe, 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_242.exe, 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: RageMP131.exe String found in binary or memory: https://ipinfo.io/
Source: LisectAVT_2403002B_242.exe, 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_242.exe, 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3377080253.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3376838901.00000000013BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3376796312.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3376567599.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 0000000C.00000002.3376567599.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT2F
Source: MPGPH131.exe, 00000007.00000002.3376838901.00000000013BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT5
Source: MPGPH131.exe, 00000006.00000002.3377080253.00000000014FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTO
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

System Summary

Source: LisectAVT_2403002B_242.exe Static PE information: section name:
Source: LisectAVT_2403002B_242.exe Static PE information: section name: .idata
Source: LisectAVT_2403002B_242.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Process Stats: CPU usage > 49%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 008FEAB0 appears 50 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 0053EAB0 appears 50 times
Source: LisectAVT_2403002B_242.exe, 00000000.00000000.2122353802.0000000000D53000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002B_242.exe
Source: LisectAVT_2403002B_242.exe Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002B_242.exe
Source: LisectAVT_2403002B_242.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002B_242.exe Static PE information: Section: ZLIB complexity 0.9939268933496441
Source: LisectAVT_2403002B_242.exe Static PE information: Section: xdijjraj ZLIB complexity 0.9947976670506913
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9939268933496441
Source: RageMP131.exe.0.dr Static PE information: Section: xdijjraj ZLIB complexity 0.9947976670506913
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9939268933496441
Source: MPGPH131.exe.0.dr Static PE information: Section: xdijjraj ZLIB complexity 0.9947976670506913
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3548:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002B_242.exe, 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_242.exe, 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002B_242.exe, 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_242.exe, 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002B_242.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: LisectAVT_2403002B_242.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe File read: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe "C:\Users\user\Desktop\LisectAVT_2403002B_242.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: LisectAVT_2403002B_242.exe Static file information: File size 2045964 > 1048576
Source: LisectAVT_2403002B_242.exe Static PE information: Raw size of xdijjraj is bigger than: 0x100000 < 0x160a00

Data Obfuscation

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Unpacked PE file: 0.2.LisectAVT_2403002B_242.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.820000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.820000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.460000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 12.2.RageMP131.exe.460000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW;
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Code function: 0_2_00C39360 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory, 0_2_00C39360
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: LisectAVT_2403002B_242.exe Static PE information: real checksum: 0x1fc5cb should be: 0x1fdff6
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x1fc5cb should be: 0x1fdff6
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x1fc5cb should be: 0x1fdff6
Source: LisectAVT_2403002B_242.exe Static PE information: section name:
Source: LisectAVT_2403002B_242.exe Static PE information: section name: .idata
Source: LisectAVT_2403002B_242.exe Static PE information: section name:
Source: LisectAVT_2403002B_242.exe Static PE information: section name: xdijjraj
Source: LisectAVT_2403002B_242.exe Static PE information: section name: xgxezfhn
Source: LisectAVT_2403002B_242.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: xdijjraj
Source: RageMP131.exe.0.dr Static PE information: section name: xgxezfhn
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: xdijjraj
Source: MPGPH131.exe.0.dr Static PE information: section name: xgxezfhn
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Code function: 0_2_00CFE689 push ecx; ret 0_2_00CFE69C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_008FE689 push ecx; ret 6_2_008FE69C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_008FE689 push ecx; ret 7_2_008FE69C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_0053E689 push ecx; ret 8_2_0053E69C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_0053E689 push ecx; ret 12_2_0053E69C
Source: LisectAVT_2403002B_242.exe Static PE information: section name: entropy: 7.935474542943052
Source: LisectAVT_2403002B_242.exe Static PE information: section name: xdijjraj entropy: 7.953698825467194
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.935474542943052
Source: RageMP131.exe.0.dr Static PE information: section name: xdijjraj entropy: 7.953698825467194
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.935474542943052
Source: MPGPH131.exe.0.dr Static PE information: section name: xdijjraj entropy: 7.953698825467194
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Boot Survival

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Code function: 0_2_00CA4D20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00CA4D20

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F1028D second address: F10320 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov bh, 3Dh 0x0000000e push dword ptr fs:[00000000h] 0x00000015 call 00007FCBB4F3EEB3h 0x0000001a mov edi, edx 0x0000001c pop ebx 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 mov bl, 2Eh 0x00000026 mov eax, dword ptr [ebp+122D090Dh] 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007FCBB4F3EEA8h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 0000001Ah 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 push FFFFFFFFh 0x00000048 jc 00007FCBB4F3EEACh 0x0000004e mov ebx, dword ptr [ebp+122D3837h] 0x00000054 nop 0x00000055 jns 00007FCBB4F3EEBBh 0x0000005b push eax 0x0000005c pushad 0x0000005d jnp 00007FCBB4F3EEA8h 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F16608 second address: F1662D instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007FCBB4EE8175h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F14716 second address: F14729 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F1662D second address: F16636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F14729 second address: F14730 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F16636 second address: F1663A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F158DD second address: F158E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FCBB4F3EEA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F158E7 second address: F158EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F175AC second address: F175DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007FCBB4F3EEB4h 0x0000000f jmp 00007FCBB4F3EEAEh 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F16763 second address: F1676D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F175DF second address: F175E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F186B6 second address: F18703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCBB4EE8166h 0x0000000a popad 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FCBB4EE8168h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f cld 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 mov edi, dword ptr [ebp+12476AABh] 0x00000039 pop edi 0x0000003a mov dword ptr [ebp+122D373Ah], ebx 0x00000040 xchg eax, esi 0x00000041 push edi 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F1777A second address: F1778C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBB4F3EEAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F19549 second address: F1954F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F18817 second address: F1881C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F1881C second address: F18821 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F18821 second address: F1882D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F1A51A second address: F1A55D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d ja 00007FCBB4EE8166h 0x00000013 pop ebx 0x00000014 pop edi 0x00000015 push 00000000h 0x00000017 mov di, 8A0Eh 0x0000001b call 00007FCBB4EE8172h 0x00000020 mov edi, dword ptr [ebp+122D29ADh] 0x00000026 pop ebx 0x00000027 push 00000000h 0x00000029 mov edi, dword ptr [ebp+122D29A1h] 0x0000002f stc 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F197FC second address: F19806 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F1A55D second address: F1A562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F1A562 second address: F1A56D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FCBB4F3EEA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F1B75A second address: F1B760 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F1B760 second address: F1B765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F1B803 second address: F1B809 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F1C61C second address: F1C6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FCBB4F3EEACh 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FCBB4F3EEB3h 0x00000011 nop 0x00000012 movzx ebx, di 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FCBB4F3EEA8h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d xor edi, dword ptr [ebp+122D29C1h] 0x00000043 pushad 0x00000044 mov edi, dword ptr [ebp+122D372Eh] 0x0000004a add ax, 94B7h 0x0000004f popad 0x00000050 mov eax, dword ptr [ebp+122D07B5h] 0x00000056 or di, 84C1h 0x0000005b push FFFFFFFFh 0x0000005d and ebx, dword ptr [ebp+122D2945h] 0x00000063 call 00007FCBB4F3EEB4h 0x00000068 mov dword ptr [ebp+122D3077h], ebx 0x0000006e pop ebx 0x0000006f nop 0x00000070 jmp 00007FCBB4F3EEB5h 0x00000075 push eax 0x00000076 jc 00007FCBB4F3EEB4h 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f popad 0x00000080 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F2A33C second address: F2A34D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jno 00007FCBB4EE816Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F29790 second address: F29794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F29794 second address: F29798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F29798 second address: F297CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a jnc 00007FCBB4F3EEAEh 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007FCBB4F3EEA6h 0x00000018 jmp 00007FCBB4F3EEB4h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F297CC second address: F297D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F29C18 second address: F29C24 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBB4F3EEAEh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F29D85 second address: F29D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F29EEB second address: F29F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jng 00007FCBB4F3EEA6h 0x0000000c jmp 00007FCBB4F3EEB5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F37141 second address: F37173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCBB4EE8172h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FCBB4EE8171h 0x00000010 pushad 0x00000011 ja 00007FCBB4EE8166h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F37173 second address: F37179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F37179 second address: F37184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F37184 second address: F3718A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F3718A second address: F37194 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4EE8166h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F35051 second address: F35069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEB3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F35069 second address: F3506E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F3506E second address: F35074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F35233 second address: F35252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8179h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F35694 second address: F35698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F35994 second address: F3599C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F3599C second address: F359A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F35B40 second address: F35B73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE8175h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FCBB4EE8172h 0x00000011 jp 00007FCBB4EE8166h 0x00000017 js 00007FCBB4EE8166h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F35E14 second address: F35E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F35F76 second address: F35F7B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F3685A second address: F36860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F36860 second address: F3686F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jns 00007FCBB4EE816Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F3686F second address: F368A2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBB4F3EEBFh 0x00000008 jmp 00007FCBB4F3EEB3h 0x0000000d je 00007FCBB4F3EEA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCBB4F3EEB0h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F368A2 second address: F368A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F34D89 second address: F34D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F34D91 second address: F34D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: ECC6C9 second address: ECC6CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F3DD50 second address: F3DD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F3DD56 second address: F3DD5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F3DD5A second address: F3DD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCBB4EE8173h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F3DD73 second address: F3DD78 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F3DD78 second address: F3DD7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F3DEBF second address: F3DECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 jo 00007FCBB4F3EEA6h 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: EBBF2E second address: EBBF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: EBBF33 second address: EBBF49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FCBB4F3EEA6h 0x0000000b jns 00007FCBB4F3EEA6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: EBBF49 second address: EBBF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: EBBF4F second address: EBBF53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F4F51B second address: F4F527 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4EE8166h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F4F527 second address: F4F52E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F587C0 second address: F587DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE8178h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: EC0EFC second address: EC0F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: EC0F00 second address: EC0F29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 jc 00007FCBB4EE8166h 0x0000000f jmp 00007FCBB4EE8171h 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: EC0F29 second address: EC0F44 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBB4F3EEA6h 0x00000008 jmp 00007FCBB4F3EEAEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F5860D second address: F5863D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8174h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCBB4EE8174h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F5863D second address: F58641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F611C0 second address: F611C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F611C7 second address: F611DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCBB4F3EEAAh 0x0000000a pop edi 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F60D4A second address: F60D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FCBB4EE8179h 0x0000000c js 00007FCBB4EE817Dh 0x00000012 jmp 00007FCBB4EE8171h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: ECFC09 second address: ECFC28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FCBB4F3EEA6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: EC4488 second address: EC44A4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCBB4EE8172h 0x00000008 jmp 00007FCBB4EE816Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F74C3B second address: F74C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F74C45 second address: F74C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCBB4EE8166h 0x0000000a jmp 00007FCBB4EE8178h 0x0000000f popad 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 pop eax 0x00000015 push esi 0x00000016 pop esi 0x00000017 jmp 00007FCBB4EE8173h 0x0000001c popad 0x0000001d popad 0x0000001e pushad 0x0000001f pushad 0x00000020 jl 00007FCBB4EE8166h 0x00000026 push edx 0x00000027 pop edx 0x00000028 jnp 00007FCBB4EE8166h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F77085 second address: F77090 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FCBB4F3EEA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F7A3D4 second address: F7A3EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCBB4EE816Ah 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jns 00007FCBB4EE8166h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F7A3EF second address: F7A410 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCBB4F3EEA6h 0x00000008 jmp 00007FCBB4F3EEB4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe RDTSC instruction interceptor: First address: F7A410 second address: F7A42E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCBB4EE8176h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B06713 second address: B06717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B07084 second address: B07088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B0C995 second address: B0C999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B0C999 second address: B0C99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B0EFD4 second address: B0F04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 jmp 00007FCBB4EE8173h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FCBB4EE8168h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 movsx ebx, ax 0x0000002a push 00000000h 0x0000002c mov edi, dword ptr [ebp+122D2BC5h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007FCBB4EE8168h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov bx, 6F32h 0x00000052 push eax 0x00000053 push eax 0x00000054 jl 00007FCBB4EE816Ch 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B111A9 second address: B111AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B111AE second address: B111B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1026E second address: B1028D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b jmp 00007FCBB4F3EEAFh 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1028D second address: B10320 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov bh, 3Dh 0x0000000e push dword ptr fs:[00000000h] 0x00000015 call 00007FCBB4EE8173h 0x0000001a mov edi, edx 0x0000001c pop ebx 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 mov bl, 2Eh 0x00000026 mov eax, dword ptr [ebp+122D090Dh] 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007FCBB4EE8168h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 0000001Ah 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 push FFFFFFFFh 0x00000048 jc 00007FCBB4EE816Ch 0x0000004e mov ebx, dword ptr [ebp+122D3837h] 0x00000054 nop 0x00000055 jns 00007FCBB4EE817Bh 0x0000005b push eax 0x0000005c pushad 0x0000005d jnp 00007FCBB4EE8168h 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B144D4 second address: B144D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B144D8 second address: B144EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCBB4EE816Ah 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B144EC second address: B144F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B144F2 second address: B144F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B144F6 second address: B144FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B14716 second address: B14729 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE816Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B14729 second address: B14730 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1658B second address: B1658F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1658F second address: B16608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FCBB4F3EEB0h 0x0000000c pop ebx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FCBB4F3EEA8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b pushad 0x0000002c sbb dh, 0000006Dh 0x0000002f sub dword ptr [ebp+122D369Fh], edi 0x00000035 popad 0x00000036 push 00000000h 0x00000038 mov di, B8DEh 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007FCBB4F3EEA8h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 00000017h 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 mov ebx, dword ptr [ebp+122D2BE5h] 0x0000005e xchg eax, esi 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B16608 second address: B1662D instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007FCBB4EE8175h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1662D second address: B16636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B16636 second address: B1663A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B158DD second address: B158E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FCBB4F3EEA6h 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B158E7 second address: B158EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B175AC second address: B175DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007FCBB4F3EEB4h 0x0000000f jmp 00007FCBB4F3EEAEh 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B175DF second address: B175E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B16763 second address: B1676D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B186B6 second address: B18703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCBB4EE8166h 0x0000000a popad 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FCBB4EE8168h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f cld 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 mov edi, dword ptr [ebp+12476AABh] 0x00000039 pop edi 0x0000003a mov dword ptr [ebp+122D373Ah], ebx 0x00000040 xchg eax, esi 0x00000041 push edi 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1777A second address: B1778C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBB4F3EEAEh 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B19549 second address: B1954F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B18817 second address: B1881C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1881C second address: B18821 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B18821 second address: B1882D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1A51A second address: B1A55D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d ja 00007FCBB4EE8166h 0x00000013 pop ebx 0x00000014 pop edi 0x00000015 push 00000000h 0x00000017 mov di, 8A0Eh 0x0000001b call 00007FCBB4EE8172h 0x00000020 mov edi, dword ptr [ebp+122D29ADh] 0x00000026 pop ebx 0x00000027 push 00000000h 0x00000029 mov edi, dword ptr [ebp+122D29A1h] 0x0000002f stc 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1A55D second address: B1A562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1A562 second address: B1A56D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FCBB4EE8166h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B197FC second address: B19806 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1B75A second address: B1B760 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1B760 second address: B1B765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1B803 second address: B1B809 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B2A33C second address: B2A34D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jno 00007FCBB4F3EEACh 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B1C61C second address: B1C6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FCBB4EE816Ch 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FCBB4EE8173h 0x00000011 nop 0x00000012 movzx ebx, di 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FCBB4EE8168h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d xor edi, dword ptr [ebp+122D29C1h] 0x00000043 pushad 0x00000044 mov edi, dword ptr [ebp+122D372Eh] 0x0000004a add ax, 94B7h 0x0000004f popad 0x00000050 mov eax, dword ptr [ebp+122D07B5h] 0x00000056 or di, 84C1h 0x0000005b push FFFFFFFFh 0x0000005d and ebx, dword ptr [ebp+122D2945h] 0x00000063 call 00007FCBB4EE8174h 0x00000068 mov dword ptr [ebp+122D3077h], ebx 0x0000006e pop ebx 0x0000006f nop 0x00000070 jmp 00007FCBB4EE8175h 0x00000075 push eax 0x00000076 jc 00007FCBB4EE8174h 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f popad 0x00000080 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B29790 second address: B29794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B29794 second address: B29798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B29798 second address: B297CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a jnc 00007FCBB4F3EEAEh 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007FCBB4F3EEA6h 0x00000018 jmp 00007FCBB4F3EEB4h 0x0000001d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B297CC second address: B297D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B29C18 second address: B29C24 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBB4F3EEAEh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B29D85 second address: B29D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B29EEB second address: B29F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jng 00007FCBB4F3EEA6h 0x0000000c jmp 00007FCBB4F3EEB5h 0x00000011 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B37141 second address: B37173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCBB4EE8172h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FCBB4EE8171h 0x00000010 pushad 0x00000011 ja 00007FCBB4EE8166h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B37173 second address: B37179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B37179 second address: B37184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B37184 second address: B3718A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B3718A second address: B37194 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4EE8166h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B35051 second address: B35069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEB3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B35069 second address: B3506E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B3506E second address: B35074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B35233 second address: B35252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8179h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B35694 second address: B35698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B35994 second address: B3599C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B3599C second address: B359A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B35B40 second address: B35B73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE8175h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FCBB4EE8172h 0x00000011 jp 00007FCBB4EE8166h 0x00000017 js 00007FCBB4EE8166h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B35E14 second address: B35E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B35F76 second address: B35F7B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B3685A second address: B36860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B36860 second address: B3686F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jns 00007FCBB4EE816Ah 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B3686F second address: B368A2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBB4F3EEBFh 0x00000008 jmp 00007FCBB4F3EEB3h 0x0000000d je 00007FCBB4F3EEA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCBB4F3EEB0h 0x0000001a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B368A2 second address: B368A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B34D89 second address: B34D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B34D91 second address: B34D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: ACC6C9 second address: ACC6CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B3DD50 second address: B3DD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B3DD56 second address: B3DD5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B3DD5A second address: B3DD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCBB4EE8173h 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B3DD73 second address: B3DD78 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B3DD78 second address: B3DD7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B3DEBF second address: B3DECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 jo 00007FCBB4F3EEA6h 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: ABBF2E second address: ABBF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: ABBF33 second address: ABBF49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FCBB4F3EEA6h 0x0000000b jns 00007FCBB4F3EEA6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: ABBF49 second address: ABBF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: ABBF4F second address: ABBF53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B4F51B second address: B4F527 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4EE8166h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B4F527 second address: B4F52E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: B587C0 second address: B587DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE8178h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: AC0EFC second address: AC0F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: AC0F00 second address: AC0F29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 jc 00007FCBB4EE8166h 0x0000000f jmp 00007FCBB4EE8171h 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: AC0F29 second address: AC0F44 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBB4F3EEA6h 0x00000008 jmp 00007FCBB4F3EEAEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 735750 second address: 735757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 735757 second address: 735770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBB4EE8175h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 735770 second address: 735774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 72C419 second address: 72C42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FCBB4EE8166h 0x0000000d jo 00007FCBB4EE8166h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 72C42C second address: 72C430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 7358C3 second address: 7358C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 7358C7 second address: 7358D5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 7358D5 second address: 7358D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 739386 second address: 73938B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Special instruction interceptor: First address: D5A897 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Special instruction interceptor: First address: EF949A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Special instruction interceptor: First address: EF9857 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 95A897 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: AF949A instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: AF9857 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 59A897 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 73949A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 739857 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 0_2_00C83320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 6_2_00883320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 7_2_00883320
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 8_2_004C3320
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 12_2_004C3320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 936
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 524
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 958
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 595
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1106
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1178
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1233
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe TID: 6252 Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe TID: 5092 Thread sleep count: 41 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe TID: 5092 Thread sleep time: -82041s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe TID: 2852 Thread sleep count: 300 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe TID: 2852 Thread sleep time: -30300s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe TID: 3840 Thread sleep count: 258 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7116 Thread sleep count: 130 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7116 Thread sleep time: -260130s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2740 Thread sleep count: 62 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2740 Thread sleep time: -124062s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3640 Thread sleep count: 936 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3640 Thread sleep time: -94536s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7156 Thread sleep count: 524 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7156 Thread sleep count: 196 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 612 Thread sleep count: 55 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 612 Thread sleep time: -110055s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2704 Thread sleep count: 55 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2704 Thread sleep time: -110055s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3908 Thread sleep count: 116 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3908 Thread sleep time: -232116s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2120 Thread sleep count: 958 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2120 Thread sleep time: -96758s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1968 Thread sleep count: 595 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1968 Thread sleep count: 263 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6456 Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4904 Thread sleep count: 1106 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4904 Thread sleep time: -2213106s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5280 Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5280 Thread sleep count: 316 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5280 Thread sleep time: -31916s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6472 Thread sleep count: 270 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1088 Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 736 Thread sleep count: 1178 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 736 Thread sleep time: -2357178s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5828 Thread sleep count: 1233 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5828 Thread sleep time: -2467233s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2220 Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2220 Thread sleep count: 307 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2220 Thread sleep time: -31007s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7204 Thread sleep count: 257 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: RageMP131.exe, RageMP131.exe, 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.00000000004D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Nscsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}owsf
Source: RageMP131.exe, 00000008.00000002.3376796312.00000000014B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000K
Source: RageMP131.exe, 0000000C.00000002.3376567599.0000000000D20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.00000000004DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}A
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.000000000050C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: !M#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.3377080253.000000000153F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.000000000050C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: N-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7B33DA32
Source: RageMP131.exe, 00000008.00000002.3376796312.00000000014BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.000000000051E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}3
Source: MPGPH131.exe, 00000006.00000002.3376693028.00000000012FD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}85S
Source: RageMP131.exe, 0000000C.00000003.2362394351.0000000000D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000008.00000002.3376796312.00000000014FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7B33DA32
Source: LisectAVT_2403002B_242.exe, 00000000.00000003.2143235948.0000000000516000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}2
Source: RageMP131.exe, 0000000C.00000002.3376567599.0000000000D20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MPGPH131.exe, 00000006.00000002.3377080253.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3376838901.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3376796312.00000000014BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MPGPH131.exe, 00000007.00000002.3376838901.00000000013CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!g
Source: MPGPH131.exe, 00000007.00000002.3376463341.00000000010FD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}pe=
Source: RageMP131.exe, 0000000C.00000002.3376567599.0000000000D20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 0000000C.00000003.2362394351.0000000000D34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b})
Source: MPGPH131.exe, 00000007.00000002.3376838901.00000000013CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}?`
Source: RageMP131.exe, 00000008.00000002.3376796312.00000000014BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.3377080253.000000000153F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7B33DA323
Source: RageMP131.exe, 00000008.00000002.3376796312.00000000014FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}h
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.000000000050C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.000000000050C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: RageMP131.exe, 00000008.00000002.3376796312.00000000014FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}F
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.000000000050C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&M
Source: MPGPH131.exe, 00000006.00000002.3377080253.000000000153F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}i]
Source: MPGPH131.exe, 00000006.00000003.2165077681.0000000001537000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000C.00000002.3376567599.0000000000D34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7B33DA32
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 0000000C.00000002.3376567599.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}M
Source: MPGPH131.exe, 00000006.00000002.3377080253.000000000153F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Code function: 0_2_00C39360 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory, 0_2_00C39360
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Code function: 0_2_00C83320 mov eax, dword ptr fs:[00000030h] 0_2_00C83320
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Code function: 0_2_00C33F10 mov eax, dword ptr fs:[00000030h] 0_2_00C33F10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00883320 mov eax, dword ptr fs:[00000030h] 6_2_00883320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00833F10 mov eax, dword ptr fs:[00000030h] 6_2_00833F10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00883320 mov eax, dword ptr fs:[00000030h] 7_2_00883320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00833F10 mov eax, dword ptr fs:[00000030h] 7_2_00833F10
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004C3320 mov eax, dword ptr fs:[00000030h] 8_2_004C3320
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00473F10 mov eax, dword ptr fs:[00000030h] 8_2_00473F10
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_004C3320 mov eax, dword ptr fs:[00000030h] 12_2_004C3320
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_00473F10 mov eax, dword ptr fs:[00000030h] 12_2_00473F10
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Code function: 0_2_00CFDE2D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00CFDE2D
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002B_242.exe PID: 4156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 3220, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002B_242.exe PID: 4156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 3220, type: MEMORYSTR