Windows Analysis Report
LisectAVT_2403002A_376.exe

Overview

General Information

Sample name: LisectAVT_2403002A_376.exe
Analysis ID: 1482303
MD5: 45d835beaaf607e4ce243297cd053469
SHA1: f96c5d84a6d93983b106cdd5a3daf5900270285d
SHA256: e35b5f6aa2e9ffc815083030e2c09a5e55df2a02528db2fc24d6f480910f0036
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: LisectAVT_2403002A_376.exe Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: TR/AD.Nekark.rxrem
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: TR/AD.Nekark.rxrem
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_376.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_376.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: global traffic TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 193.233.132.74:58709
Source: Joe Sandbox View IP Address: 193.233.132.74
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Code function: 0_2_0062E0A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket, 0_2_0062E0A0
Source: LisectAVT_2403002A_376.exe, 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_376.exe, 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_376.exe, 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_376.exe, 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000113E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3320619593.000000000127A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3320468771.000000000172E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319335738.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTWj

System Summary

Source: LisectAVT_2403002A_376.exe Static PE information: section name:
Source: LisectAVT_2403002A_376.exe Static PE information: section name: .idata
Source: LisectAVT_2403002A_376.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Process Stats: CPU usage > 49%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 0054FED0 appears 52 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 00EFFED0 appears 52 times
Source: LisectAVT_2403002A_376.exe, 00000000.00000000.2049821270.0000000000748000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_376.exe
Source: LisectAVT_2403002A_376.exe Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_376.exe
Source: LisectAVT_2403002A_376.exe Static PE information: Section: ZLIB complexity 0.9931361607142857
Source: LisectAVT_2403002A_376.exe Static PE information: Section: sryzlqip ZLIB complexity 0.9946141311689481
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9931361607142857
Source: RageMP131.exe.0.dr Static PE information: Section: sryzlqip ZLIB complexity 0.9946141311689481
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9931361607142857
Source: MPGPH131.exe.0.dr Static PE information: Section: sryzlqip ZLIB complexity 0.9946141311689481
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Command line argument: nIq 0_2_007148C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Command line argument: nIW 6_2_005748C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Command line argument: nIW 7_2_005748C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_376.exe, 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_376.exe, 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_376.exe, 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_376.exe, 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_376.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe "C:\Users\user\Desktop\LisectAVT_2403002A_376.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: LisectAVT_2403002A_376.exe Static file information: File size 2038792 > 1048576
Source: LisectAVT_2403002A_376.exe Static PE information: Raw size of sryzlqip is bigger than: 0x100000 < 0x15b000

Data Obfuscation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Unpacked PE file: 0.2.LisectAVT_2403002A_376.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.470000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.470000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 10.2.RageMP131.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW;
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Code function: 0_2_00629F50 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory, 0_2_00629F50
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: LisectAVT_2403002A_376.exe Static PE information: real checksum: 0x1f712c should be: 0x1ff09e
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x1f712c should be: 0x1ff09e
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x1f712c should be: 0x1ff09e
Source: LisectAVT_2403002A_376.exe Static PE information: section name:
Source: LisectAVT_2403002A_376.exe Static PE information: section name: .idata
Source: LisectAVT_2403002A_376.exe Static PE information: section name:
Source: LisectAVT_2403002A_376.exe Static PE information: section name: sryzlqip
Source: LisectAVT_2403002A_376.exe Static PE information: section name: dhhlsvvc
Source: LisectAVT_2403002A_376.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: sryzlqip
Source: RageMP131.exe.0.dr Static PE information: section name: dhhlsvvc
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: sryzlqip
Source: MPGPH131.exe.0.dr Static PE information: section name: dhhlsvvc
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Code function: 0_2_006EFA97 push ecx; ret 0_2_006EFAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0054FA97 push ecx; ret 6_2_0054FAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0054FA97 push ecx; ret 7_2_0054FAAA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00EFFA97 push ecx; ret 8_2_00EFFAAA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00EFFA97 push ecx; ret 10_2_00EFFAAA
Source: LisectAVT_2403002A_376.exe Static PE information: section name: entropy: 7.9345365893427315
Source: LisectAVT_2403002A_376.exe Static PE information: section name: sryzlqip entropy: 7.95317001843216
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.9345365893427315
Source: RageMP131.exe.0.dr Static PE information: section name: sryzlqip entropy: 7.95317001843216
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.9345365893427315
Source: MPGPH131.exe.0.dr Static PE information: section name: sryzlqip entropy: 7.95317001843216
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Boot Survival

Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Code function: 0_2_006955B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_006955B0

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 9082F8 second address: 908311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007FB75C865F9Ch 0x0000000f jnc 00007FB75C865F96h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 908311 second address: 908369 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB75D0E6D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FB75D0E6D88h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 pushad 0x00000027 mov dx, bx 0x0000002a cmc 0x0000002b popad 0x0000002c sub dword ptr [ebp+122D2FF1h], eax 0x00000032 push 00000000h 0x00000034 mov edi, dword ptr [ebp+122D2E0Ah] 0x0000003a push 00000000h 0x0000003c xchg eax, esi 0x0000003d jnl 00007FB75D0E6D91h 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 908369 second address: 90837F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865FA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90A29C second address: 90A2B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D8Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90A2B4 second address: 90A2B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90A530 second address: 90A535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 9093E7 second address: 9093F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90B4BB second address: 90B4BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90D40F second address: 90D414 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90B4BF second address: 90B4C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90C59B second address: 90C59F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 8F9A91 second address: 8F9A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90C59F second address: 90C5A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90B5BE second address: 90B5C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90D751 second address: 90D755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90C5A9 second address: 90C5AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90B5C4 second address: 90B5D7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB75C865F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90E6E8 second address: 90E6EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90C5AD second address: 90C5B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90F631 second address: 90F636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90F636 second address: 90F6ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865FA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FB75C865F98h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007FB75C865F98h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 js 00007FB75C865F9Ch 0x00000048 mov ebx, dword ptr [ebp+122D3791h] 0x0000004e push 00000000h 0x00000050 pushad 0x00000051 mov bl, ah 0x00000053 pushad 0x00000054 jns 00007FB75C865F96h 0x0000005a popad 0x0000005b popad 0x0000005c xchg eax, esi 0x0000005d jne 00007FB75C865FADh 0x00000063 push eax 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007FB75C865FA8h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90E7B2 second address: 90E7B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90F6ED second address: 90F6F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 90F8D5 second address: 90F8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 912829 second address: 91282F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 91282F second address: 912842 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 912842 second address: 91284B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 91F116 second address: 91F11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 91F11A second address: 91F157 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB75C865FA9h 0x00000008 jmp 00007FB75C865FA2h 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB75C865F9Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 91F157 second address: 91F194 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB75D0E6DA0h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB75D0E6D99h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 91F194 second address: 91F198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 91F890 second address: 91F8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D8Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 91F8A0 second address: 91F8BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB75C865FA0h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 91F8BD second address: 91F8E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FB75D0E6D8Eh 0x0000000e push edi 0x0000000f pop edi 0x00000010 jng 00007FB75D0E6D86h 0x00000016 pushad 0x00000017 jp 00007FB75D0E6D86h 0x0000001d jp 00007FB75D0E6D86h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 91FB84 second address: 91FB8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 91FB8C second address: 91FB98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB75D0E6D86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 91FE1A second address: 91FE32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865F9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jns 00007FB75C865F96h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 9200F7 second address: 9200FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 9200FB second address: 9200FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 9200FF second address: 920105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 920105 second address: 92010F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92010F second address: 920113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 920113 second address: 920119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 920119 second address: 920123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FB75D0E6D86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92BD5E second address: 92BD6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92BD6C second address: 92BD83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB75D0E6D8Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92BD83 second address: 92BD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92BD87 second address: 92BDA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB75D0E6D93h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 8B283D second address: 8B2843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 8B2843 second address: 8B2851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D8Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 929FA1 second address: 929FA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 929FA7 second address: 929FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 929FAD second address: 929FC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB75C865F9Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92A29A second address: 92A2BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92A44D second address: 92A462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB75C865F96h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FB75C865F96h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92A462 second address: 92A468 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92A786 second address: 92A793 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB75C865F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92A8E1 second address: 92A906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jns 00007FB75D0E6D8Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB75D0E6D8Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92A906 second address: 92A90A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92AA60 second address: 92AA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB75D0E6D86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92AA6A second address: 92AA75 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92AA75 second address: 92AA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push edx 0x00000008 jmp 00007FB75D0E6D8Ch 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92AA8E second address: 92AA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92AD9E second address: 92ADA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92B467 second address: 92B489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB75C865F96h 0x0000000a popad 0x0000000b jmp 00007FB75C865FA3h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92B489 second address: 92B48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92B48F second address: 92B493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 92BBC8 second address: 92BC1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007FB75D0E6D86h 0x00000012 pop ecx 0x00000013 jc 00007FB75D0E6D88h 0x00000019 push eax 0x0000001a pop eax 0x0000001b ja 00007FB75D0E6D8Eh 0x00000021 push eax 0x00000022 pop eax 0x00000023 jl 00007FB75D0E6D86h 0x00000029 popad 0x0000002a pushad 0x0000002b jmp 00007FB75D0E6D8Dh 0x00000030 push eax 0x00000031 push edx 0x00000032 jng 00007FB75D0E6D86h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 9299CC second address: 9299D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 933369 second address: 933396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D94h 0x00000009 pop ebx 0x0000000a jmp 00007FB75D0E6D8Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 933396 second address: 93339C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 8BC9C5 second address: 8BC9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB75D0E6D97h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 932E9D second address: 932EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB75C865F9Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 932EB2 second address: 932EDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007FB75D0E6D8Ch 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB75D0E6D92h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 932EDC second address: 932EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 932EE0 second address: 932EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FB75D0E6D86h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 933039 second address: 93303D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 93303D second address: 933043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 933043 second address: 93307F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB75C865F96h 0x00000008 jmp 00007FB75C865FA1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FB75C865F9Fh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 jns 00007FB75C865F96h 0x0000001f jne 00007FB75C865F96h 0x00000025 pop esi 0x00000026 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 93307F second address: 933092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB75D0E6D8Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 933092 second address: 933096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 9503C8 second address: 9503CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 9558C9 second address: 9558FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB75C865FA2h 0x0000000a pushad 0x0000000b jmp 00007FB75C865FA1h 0x00000010 jc 00007FB75C865F96h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 9558FB second address: 955905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 955905 second address: 95590D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 9555F1 second address: 9555FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB75D0E6D86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 9555FB second address: 955605 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB75C865F96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 957AAD second address: 957AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FB75D0E6D86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe RDTSC instruction interceptor: First address: 957AB7 second address: 957ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 7654AC second address: 7654B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76639A second address: 7663A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FB75D0E6D86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 7682F4 second address: 7682F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 7682F8 second address: 768311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007FB75D0E6D8Ch 0x0000000f jnc 00007FB75D0E6D86h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 768311 second address: 768369 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB75C865F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FB75C865F98h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 pushad 0x00000027 mov dx, bx 0x0000002a cmc 0x0000002b popad 0x0000002c sub dword ptr [ebp+122D2FF1h], eax 0x00000032 push 00000000h 0x00000034 mov edi, dword ptr [ebp+122D2E0Ah] 0x0000003a push 00000000h 0x0000003c xchg eax, esi 0x0000003d jnl 00007FB75C865FA1h 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 768369 second address: 76837F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 767479 second address: 76747F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76A29C second address: 76A2B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D8Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76A2B4 second address: 76A2B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 7693E7 second address: 7693F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76A530 second address: 76A535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76B4BB second address: 76B4BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76B4BF second address: 76B4C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76B5BE second address: 76B5C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76B5C4 second address: 76B5D7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB75C865F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76D40F second address: 76D414 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76C59B second address: 76C59F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76C59F second address: 76C5A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76C5A9 second address: 76C5AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76C5AD second address: 76C5B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76D751 second address: 76D755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76F631 second address: 76F636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76F636 second address: 76F6ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865FA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FB75C865F98h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007FB75C865F98h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 js 00007FB75C865F9Ch 0x00000048 mov ebx, dword ptr [ebp+122D3791h] 0x0000004e push 00000000h 0x00000050 pushad 0x00000051 mov bl, ah 0x00000053 pushad 0x00000054 jns 00007FB75C865F96h 0x0000005a popad 0x0000005b popad 0x0000005c xchg eax, esi 0x0000005d jne 00007FB75C865FADh 0x00000063 push eax 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007FB75C865FA8h 0x0000006c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76F6ED second address: 76F6F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76E6E8 second address: 76E6EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76E7B2 second address: 76E7B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 772829 second address: 77282F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 77282F second address: 772842 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 772842 second address: 77284B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76F8D5 second address: 76F8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 77F116 second address: 77F11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 77F11A second address: 77F157 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB75D0E6D99h 0x00000008 jmp 00007FB75D0E6D92h 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB75D0E6D8Ah 0x00000017 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 77F157 second address: 77F194 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB75C865FB0h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB75C865FA9h 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 77F194 second address: 77F198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 77F890 second address: 77F8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75C865F9Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 77F8A0 second address: 77F8BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB75D0E6D90h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 77F8BD second address: 77F8E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FB75C865F9Eh 0x0000000e push edi 0x0000000f pop edi 0x00000010 jng 00007FB75C865F96h 0x00000016 pushad 0x00000017 jp 00007FB75C865F96h 0x0000001d jp 00007FB75C865F96h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 77FB84 second address: 77FB8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 77FB8C second address: 77FB98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB75C865F96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 77FE1A second address: 77FE32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jns 00007FB75D0E6D86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 7800F7 second address: 7800FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 7800FB second address: 7800FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 7800FF second address: 780105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 780105 second address: 78010F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78010F second address: 780113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 780113 second address: 780119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 780119 second address: 780123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FB75C865F96h 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78BD5E second address: 78BD6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78BD6C second address: 78BD83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB75C865F9Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78BD83 second address: 78BD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78BD87 second address: 78BDA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB75C865FA3h 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 71283D second address: 712843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 712843 second address: 712851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75C865F9Ah 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 789FA1 second address: 789FA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 789FA7 second address: 789FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 789FAD second address: 789FC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB75D0E6D8Dh 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78A29A second address: 78A2BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865FA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78A44D second address: 78A462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB75D0E6D86h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FB75D0E6D86h 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78A462 second address: 78A468 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78A786 second address: 78A793 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB75D0E6D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78A8E1 second address: 78A906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jns 00007FB75C865F9Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB75C865F9Eh 0x00000014 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78A906 second address: 78A90A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78AA60 second address: 78AA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB75C865F96h 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78AA6A second address: 78AA75 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78AA75 second address: 78AA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push edx 0x00000008 jmp 00007FB75C865F9Ch 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78AA8E second address: 78AA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78AD9E second address: 78ADA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78B467 second address: 78B489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB75D0E6D86h 0x0000000a popad 0x0000000b jmp 00007FB75D0E6D93h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78B489 second address: 78B48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78B48F second address: 78B493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 759A91 second address: 759A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 78BBC8 second address: 78BC1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007FB75D0E6D86h 0x00000012 pop ecx 0x00000013 jc 00007FB75D0E6D88h 0x00000019 push eax 0x0000001a pop eax 0x0000001b ja 00007FB75D0E6D8Eh 0x00000021 push eax 0x00000022 pop eax 0x00000023 jl 00007FB75D0E6D86h 0x00000029 popad 0x0000002a pushad 0x0000002b jmp 00007FB75D0E6D8Dh 0x00000030 push eax 0x00000031 push edx 0x00000032 jng 00007FB75D0E6D86h 0x00000038 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 7899CC second address: 7899D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 793369 second address: 793396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D94h 0x00000009 pop ebx 0x0000000a jmp 00007FB75D0E6D8Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 793396 second address: 79339C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 71C9C5 second address: 71C9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB75D0E6D97h 0x0000000e rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 792E9D second address: 792EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB75C865F9Ch 0x0000000e rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 792EB2 second address: 792EDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007FB75D0E6D8Ch 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB75D0E6D92h 0x00000017 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 792EDC second address: 792EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 792EE0 second address: 792EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FB75D0E6D86h 0x0000000e rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 793039 second address: 79303D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 79303D second address: 793043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 793043 second address: 79307F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB75C865F96h 0x00000008 jmp 00007FB75C865FA1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FB75C865F9Fh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 jns 00007FB75C865F96h 0x0000001f jne 00007FB75C865F96h 0x00000025 pop esi 0x00000026 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 79307F second address: 793092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB75D0E6D8Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 793092 second address: 793096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 76314C second address: 76317B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB75D0E6D96h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB75D0E6D8Eh 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 7642A3 second address: 764314 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FB75C865F98h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 or ebx, dword ptr [ebp+122D2BFAh] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007FB75C865F98h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 push 00000000h 0x00000048 jmp 00007FB75C865FA1h 0x0000004d push eax 0x0000004e pushad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 7B03C8 second address: 7B03CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 77282F second address: 772842 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865F9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110E98F second address: 110E995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110D084 second address: 110D090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110D090 second address: 110D094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 111034A second address: 11103AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FB75D0E6D88h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov ebx, dword ptr [ebp+122D3101h] 0x0000002a push 00000000h 0x0000002c jmp 00007FB75D0E6D93h 0x00000031 push 00000000h 0x00000033 sub ebx, dword ptr [ebp+122D29AAh] 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FB75D0E6D92h 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1111362 second address: 1111367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11104C1 second address: 11104CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB75D0E6D86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1112195 second address: 1112199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 111314C second address: 111317B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB75D0E6D96h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB75D0E6D8Eh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11142A3 second address: 1114314 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FB75C865F98h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 or ebx, dword ptr [ebp+122D2BFAh] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007FB75C865F98h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 push 00000000h 0x00000048 jmp 00007FB75C865FA1h 0x0000004d push eax 0x0000004e pushad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11154AC second address: 11154B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 111639A second address: 11163A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FB75C865F96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11182F4 second address: 11182F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11182F8 second address: 1118311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007FB75C865F9Ch 0x0000000f jnc 00007FB75C865F96h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1118311 second address: 1118369 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB75D0E6D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FB75D0E6D88h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 pushad 0x00000027 mov dx, bx 0x0000002a cmc 0x0000002b popad 0x0000002c sub dword ptr [ebp+122D2FF1h], eax 0x00000032 push 00000000h 0x00000034 mov edi, dword ptr [ebp+122D2E0Ah] 0x0000003a push 00000000h 0x0000003c xchg eax, esi 0x0000003d jnl 00007FB75D0E6D91h 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1118369 second address: 111837F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865FA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Special instruction interceptor: First address: 93A2F8 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 79A2F8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 114A2F8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 0_2_00673A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 6_2_004D3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 7_2_004D3A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 8_2_00E83A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 10_2_00E83A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Window / User API: threadDelayed 875
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Window / User API: threadDelayed 877
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Window / User API: threadDelayed 2321
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1013
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 437
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1069
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 420
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1426
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1221
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1251
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 360 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 2892 Thread sleep count: 875 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 2892 Thread sleep time: -1750875s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 3144 Thread sleep count: 284 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 4524 Thread sleep count: 251 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 5680 Thread sleep count: 877 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 5680 Thread sleep time: -1754877s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 5532 Thread sleep count: 2321 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 5532 Thread sleep time: -4644321s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5508 Thread sleep count: 105 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5508 Thread sleep time: -210105s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5780 Thread sleep count: 122 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5780 Thread sleep time: -244122s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4112 Thread sleep count: 1013 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4112 Thread sleep time: -102313s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1272 Thread sleep count: 437 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1272 Thread sleep count: 159 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2408 Thread sleep count: 100 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2408 Thread sleep time: -200100s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4080 Thread sleep count: 83 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4080 Thread sleep time: -166083s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3436 Thread sleep count: 75 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3436 Thread sleep time: -150075s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2508 Thread sleep count: 1069 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2508 Thread sleep time: -107969s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1784 Thread sleep count: 420 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1784 Thread sleep count: 159 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5732 Thread sleep count: 74 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5732 Thread sleep time: -148074s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6020 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6020 Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1900 Thread sleep count: 1426 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1900 Thread sleep time: -2853426s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3924 Thread sleep count: 297 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7220 Thread sleep count: 257 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7468 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7468 Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7460 Thread sleep count: 1221 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7460 Thread sleep time: -2443221s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7428 Thread sleep count: 280 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7552 Thread sleep count: 226 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7452 Thread sleep count: 1251 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7452 Thread sleep time: -2503251s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: RageMP131.exe, RageMP131.exe, 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 00000008.00000002.3320468771.000000000172E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}e
Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000117E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&0000
Source: RageMP131.exe, 00000008.00000002.3320468771.000000000172E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000007.00000002.3320411319.0000000000EFD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}&
Source: MPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}j4h-
Source: RageMP131.exe, 0000000A.00000002.3319335738.0000000000B12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000A.00000002.3319335738.0000000000B12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prosb
Source: RageMP131.exe, 0000000A.00000002.3319335738.0000000000B00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&+
Source: RageMP131.exe, 0000000A.00000002.3319335738.0000000000B12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000008.00000002.3320468771.000000000176E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_52766DF3
Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000113E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_52766DF3
Source: RageMP131.exe, 00000008.00000002.3320468771.000000000172E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 00000008.00000003.2213925700.000000000176E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000007.00000002.3320619593.000000000127A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&]9
Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000117E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}U
Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000113E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000s\user\AppData\Local\Temp\h
Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.0000000001130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000s
Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000113E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3320619593.000000000127A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3320468771.000000000172E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MPGPH131.exe, 00000006.00000002.3320441207.0000000000F0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_52766DF37
Source: RageMP131.exe, 0000000A.00000002.3319335738.0000000000B00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Code function: 0_2_00629F50 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory, 0_2_00629F50
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Code function: 0_2_00673A40 mov eax, dword ptr fs:[00000030h] 0_2_00673A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Code function: 0_2_00673A40 mov eax, dword ptr fs:[00000030h] 0_2_00673A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Code function: 0_2_00624100 mov eax, dword ptr fs:[00000030h] 0_2_00624100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004D3A40 mov eax, dword ptr fs:[00000030h] 6_2_004D3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004D3A40 mov eax, dword ptr fs:[00000030h] 6_2_004D3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00484100 mov eax, dword ptr fs:[00000030h] 6_2_00484100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_004D3A40 mov eax, dword ptr fs:[00000030h] 7_2_004D3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_004D3A40 mov eax, dword ptr fs:[00000030h] 7_2_004D3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00484100 mov eax, dword ptr fs:[00000030h] 7_2_00484100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00E83A40 mov eax, dword ptr fs:[00000030h] 8_2_00E83A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00E83A40 mov eax, dword ptr fs:[00000030h] 8_2_00E83A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00E34100 mov eax, dword ptr fs:[00000030h] 8_2_00E34100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00E83A40 mov eax, dword ptr fs:[00000030h] 10_2_00E83A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00E83A40 mov eax, dword ptr fs:[00000030h] 10_2_00E83A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00E34100 mov eax, dword ptr fs:[00000030h] 10_2_00E34100
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Code function: 0_2_006EF26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_006EF26A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_376.exe PID: 4320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 4676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7424, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_376.exe PID: 4320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 4676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7424, type: MEMORYSTR