Windows Analysis Report
LisectAVT_2403002A_228.exe

Overview

General Information

Sample name: LisectAVT_2403002A_228.exe
Analysis ID: 1482398
MD5: ce5a350b93125774aa74515271c6d8ad
SHA1: 4e7f67212bd95ece241d4914be2cdbf9d5dc9573
SHA256: 5dbdcfb4702811e2f7cdac39ba83dccdc4a16dfa6b29a02b3879a1a70b3019dd
Tags: exe
Infos:

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: LisectAVT_2403002A_228.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: TR/Redcap.hkdqs
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: TR/Redcap.hkdqs
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: LisectAVT_2403002A_228.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: LisectAVT_2403002A_228.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 193.233.132.74:58709
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 193.233.132.74 193.233.132.74
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_0067E0A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket, 0_2_0067E0A0
Source: LisectAVT_2403002A_228.exe, 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_228.exe, 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_228.exe, 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_228.exe, 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000006.00000002.4130999077.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4130773514.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000005.00000002.4131028142.000000000144D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTHr
Source: RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTmJ

System Summary
barindex
PE file contains section with special chars
Source: LisectAVT_2403002A_228.exe Static PE information: section name:
Source: LisectAVT_2403002A_228.exe Static PE information: section name: .idata
Source: LisectAVT_2403002A_228.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00759824 0_2_00759824
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_006D50B0 0_2_006D50B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_006E9880 0_2_006E9880
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_006691A0 0_2_006691A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_006D73F0 0_2_006D73F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_0074646A 0_2_0074646A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00742CE0 0_2_00742CE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_006624F0 0_2_006624F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_007484A0 0_2_007484A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00668D70 0_2_00668D70
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_006E6550 0_2_006E6550
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_006E55B0 0_2_006E55B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_0074BEAF 0_2_0074BEAF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_0075F771 0_2_0075F771
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00679F50 0_2_00679F50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00189824 5_2_00189824
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00119880 5_2_00119880
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001050B0 5_2_001050B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_000991A0 5_2_000991A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001073F0 5_2_001073F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0017646A 5_2_0017646A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001784A0 5_2_001784A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00172CE0 5_2_00172CE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_000924F0 5_2_000924F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00116550 5_2_00116550
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00098D70 5_2_00098D70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001155B0 5_2_001155B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0017BEAF 5_2_0017BEAF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_000A9F50 5_2_000A9F50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00189824 6_2_00189824
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00119880 6_2_00119880
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001050B0 6_2_001050B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_000991A0 6_2_000991A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001073F0 6_2_001073F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0017646A 6_2_0017646A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001784A0 6_2_001784A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00172CE0 6_2_00172CE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_000924F0 6_2_000924F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00116550 6_2_00116550
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00098D70 6_2_00098D70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001155B0 6_2_001155B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0017BEAF 6_2_0017BEAF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_000A9F50 6_2_000A9F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00299824 7_2_00299824
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_002150B0 7_2_002150B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00229880 7_2_00229880
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_001A91A0 7_2_001A91A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_002173F0 7_2_002173F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_0028646A 7_2_0028646A
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_002884A0 7_2_002884A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00282CE0 7_2_00282CE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_001A24F0 7_2_001A24F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_001A8D70 7_2_001A8D70
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00226550 7_2_00226550
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_002255B0 7_2_002255B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_0028BEAF 7_2_0028BEAF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_001B9F50 7_2_001B9F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_0029F771 7_2_0029F771
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00299824 9_2_00299824
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_002150B0 9_2_002150B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00229880 9_2_00229880
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_001A91A0 9_2_001A91A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_002173F0 9_2_002173F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_0028646A 9_2_0028646A
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_002884A0 9_2_002884A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00282CE0 9_2_00282CE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_001A24F0 9_2_001A24F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_001A8D70 9_2_001A8D70
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00226550 9_2_00226550
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_002255B0 9_2_002255B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_0028BEAF 9_2_0028BEAF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_001B9F50 9_2_001B9F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_0029F771 9_2_0029F771
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 0027FED0 appears 52 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 0016FED0 appears 52 times
Sample file is different than original file name gathered from version info
Source: LisectAVT_2403002A_228.exe, 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_228.exe
Source: LisectAVT_2403002A_228.exe, 00000000.00000002.4134077909.0000000004E90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_228.exe
Source: LisectAVT_2403002A_228.exe Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_228.exe
Uses 32bit PE files
Source: LisectAVT_2403002A_228.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_228.exe Static PE information: Section: ZLIB complexity 0.9992069128787879
Source: LisectAVT_2403002A_228.exe Static PE information: Section: ycahdotv ZLIB complexity 0.9896050219265919
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9992069128787879
Source: RageMP131.exe.0.dr Static PE information: Section: ycahdotv ZLIB complexity 0.9896050219265919
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9992069128787879
Source: MPGPH131.exe.0.dr Static PE information: Section: ycahdotv ZLIB complexity 0.9896050219265919
Source: RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AT;.CMD;.VBS;.VBpg
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Command line argument: nIv 0_2_007648C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Command line argument: nI* 7_2_002A48C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Command line argument: nI* 9_2_002A48C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: LisectAVT_2403002A_228.exe, 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_228.exe, 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_228.exe, 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_228.exe, 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_228.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe "C:\Users\user\Desktop\LisectAVT_2403002A_228.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: LisectAVT_2403002A_228.exe Static file information: File size 2337286 > 1048576
Source: LisectAVT_2403002A_228.exe Static PE information: Raw size of ycahdotv is bigger than: 0x100000 < 0x1a8000

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Unpacked PE file: 0.2.LisectAVT_2403002A_228.exe.660000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW; vs :ER;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 5.2.MPGPH131.exe.90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW; vs :ER;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW; vs :ER;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 7.2.RageMP131.exe.1a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW; vs :ER;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 9.2.RageMP131.exe.1a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW; vs :ER;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: urypsrur
PE file contains an invalid checksum
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x24412a should be: 0x244130
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x24412a should be: 0x244130
Source: LisectAVT_2403002A_228.exe Static PE information: real checksum: 0x24412a should be: 0x244130
PE file contains sections with non-standard names
Source: LisectAVT_2403002A_228.exe Static PE information: section name:
Source: LisectAVT_2403002A_228.exe Static PE information: section name: .idata
Source: LisectAVT_2403002A_228.exe Static PE information: section name:
Source: LisectAVT_2403002A_228.exe Static PE information: section name: ycahdotv
Source: LisectAVT_2403002A_228.exe Static PE information: section name: urypsrur
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: ycahdotv
Source: RageMP131.exe.0.dr Static PE information: section name: urypsrur
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: ycahdotv
Source: MPGPH131.exe.0.dr Static PE information: section name: urypsrur
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00BFC032 push 5BB0774Eh; mov dword ptr [esp], esi 0_2_00BFC0D4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00BFC032 push 1E266FA6h; mov dword ptr [esp], ebx 0_2_00BFC0E7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00BFC000 push edi; mov dword ptr [esp], 572ECACCh 0_2_00BFC001
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00BFC000 push edi; mov dword ptr [esp], eax 0_2_00BFC00C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00BFC000 push 5BB0774Eh; mov dword ptr [esp], esi 0_2_00BFC0D4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00BFC000 push 1E266FA6h; mov dword ptr [esp], ebx 0_2_00BFC0E7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00BFC181 push 61718D2Ch; mov dword ptr [esp], edx 0_2_00BFC186
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00BFC181 push edx; mov dword ptr [esp], edi 0_2_00BFC19F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00BFC181 push ebp; mov dword ptr [esp], 778D7D56h 0_2_00BFC1A9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00BFC181 push 38B89D2Ch; mov dword ptr [esp], edx 0_2_00BFC1F8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00BFC181 push eax; mov dword ptr [esp], 0A15BB94h 0_2_00BFC26B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_0073FA97 push ecx; ret 0_2_0073FAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0062C032 push 5BB0774Eh; mov dword ptr [esp], esi 5_2_0062C0D4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0062C032 push 1E266FA6h; mov dword ptr [esp], ebx 5_2_0062C0E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0062C000 push edi; mov dword ptr [esp], 572ECACCh 5_2_0062C001
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0062C000 push edi; mov dword ptr [esp], eax 5_2_0062C00C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0062C000 push 5BB0774Eh; mov dword ptr [esp], esi 5_2_0062C0D4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0062C000 push 1E266FA6h; mov dword ptr [esp], ebx 5_2_0062C0E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0062C181 push 61718D2Ch; mov dword ptr [esp], edx 5_2_0062C186
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0062C181 push edx; mov dword ptr [esp], edi 5_2_0062C19F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0062C181 push ebp; mov dword ptr [esp], 778D7D56h 5_2_0062C1A9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0062C181 push 38B89D2Ch; mov dword ptr [esp], edx 5_2_0062C1F8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0062C181 push eax; mov dword ptr [esp], 0A15BB94h 5_2_0062C26B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0016FA97 push ecx; ret 5_2_0016FAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0062C032 push 5BB0774Eh; mov dword ptr [esp], esi 6_2_0062C0D4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0062C032 push 1E266FA6h; mov dword ptr [esp], ebx 6_2_0062C0E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0062C000 push edi; mov dword ptr [esp], 572ECACCh 6_2_0062C001
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0062C000 push edi; mov dword ptr [esp], eax 6_2_0062C00C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0062C000 push 5BB0774Eh; mov dword ptr [esp], esi 6_2_0062C0D4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0062C000 push 1E266FA6h; mov dword ptr [esp], ebx 6_2_0062C0E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0062C181 push 61718D2Ch; mov dword ptr [esp], edx 6_2_0062C186
Source: LisectAVT_2403002A_228.exe Static PE information: section name: entropy: 7.988928375890931
Source: LisectAVT_2403002A_228.exe Static PE information: section name: ycahdotv entropy: 7.949088772265462
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.988928375890931
Source: RageMP131.exe.0.dr Static PE information: section name: ycahdotv entropy: 7.949088772265462
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.988928375890931
Source: MPGPH131.exe.0.dr Static PE information: section name: ycahdotv entropy: 7.949088772265462
Drops PE files
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 7A02DD second address: 7A02E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 7A02E1 second address: 7A02E7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 79FBA3 second address: 79FBA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 8FFD72 second address: 8FFD7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 90F517 second address: 90F53C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jp 00007F33ECB900D6h 0x00000012 jl 00007F33ECB900D6h 0x00000018 popad 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 90F53C second address: 90F549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 91276E second address: 912772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 912772 second address: 912776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 912776 second address: 9127D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov esi, dword ptr [ebp+122D2ADDh] 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D1AEDh], ebx 0x00000017 call 00007F33ECB900D9h 0x0000001c jmp 00007F33ECB900E5h 0x00000021 push eax 0x00000022 jng 00007F33ECB900DEh 0x00000028 mov eax, dword ptr [esp+04h] 0x0000002c ja 00007F33ECB900DEh 0x00000032 mov eax, dword ptr [eax] 0x00000034 push ebx 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 912881 second address: 91289B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC496h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 91289B second address: 91289F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 91289F second address: 9128AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9128AE second address: 91292D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F33ECB900E1h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F33ECB900D8h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov edi, dword ptr [ebp+122D2AB5h] 0x0000002e call 00007F33ECB900D9h 0x00000033 jne 00007F33ECB900E8h 0x00000039 push eax 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F33ECB900E8h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 91292D second address: 91293C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F33ECEDC486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 91293C second address: 912954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jbe 00007F33ECB900E2h 0x00000010 js 00007F33ECB900DCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 912954 second address: 912963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [eax] 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F33ECEDC486h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 912963 second address: 912988 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F33ECB900DCh 0x00000016 jnc 00007F33ECB900D6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 924240 second address: 924244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 924244 second address: 924248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9331C2 second address: 9331C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9331C7 second address: 9331D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F33ECB900D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 906A00 second address: 906A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 906A04 second address: 906A14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 je 00007F33ECB900D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931034 second address: 9310A1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F33ECEDC498h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F33ECEDC496h 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop esi 0x00000014 push eax 0x00000015 jne 00007F33ECEDC486h 0x0000001b jmp 00007F33ECEDC499h 0x00000020 pop eax 0x00000021 js 00007F33ECEDC48Eh 0x00000027 push eax 0x00000028 pop eax 0x00000029 jnl 00007F33ECEDC486h 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9310A1 second address: 9310A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9310A7 second address: 9310AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931260 second address: 931273 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931273 second address: 931287 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F33ECEDC48Eh 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F33ECEDC486h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93140E second address: 931412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931412 second address: 931428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F33ECEDC486h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F33ECEDC486h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931428 second address: 931438 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931438 second address: 93144E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jnp 00007F33ECEDC486h 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93144E second address: 931454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931454 second address: 931465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007F33ECEDC48Ch 0x0000000b jne 00007F33ECEDC486h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9315B9 second address: 9315BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9316E9 second address: 9316EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9316EF second address: 931700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F33ECB900DCh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931700 second address: 93171A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F33ECEDC495h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93187A second address: 931883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931883 second address: 931897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC48Eh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931897 second address: 9318BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E5h 0x00000007 jc 00007F33ECB900D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9318BB second address: 9318CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931A1D second address: 931AA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F33ECB900DBh 0x0000000f jmp 00007F33ECB900E0h 0x00000014 jl 00007F33ECB900D6h 0x0000001a popad 0x0000001b jns 00007F33ECB900DCh 0x00000021 popad 0x00000022 pushad 0x00000023 jnp 00007F33ECB900DAh 0x00000029 pushad 0x0000002a jmp 00007F33ECB900E7h 0x0000002f jmp 00007F33ECB900E3h 0x00000034 pushad 0x00000035 popad 0x00000036 popad 0x00000037 jbe 00007F33ECB900E8h 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931C66 second address: 931C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931C6A second address: 931C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F33ECB900DBh 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931DF9 second address: 931E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 931E01 second address: 931E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 932086 second address: 9320B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F33ECEDC486h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jmp 00007F33ECEDC499h 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9275BC second address: 9275C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9275C0 second address: 9275C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9275C4 second address: 9275CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9275CC second address: 9275F7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F33ECEDC488h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F33ECEDC490h 0x00000010 jng 00007F33ECEDC48Ah 0x00000016 push edx 0x00000017 pop edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 932327 second address: 93233D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F33ECB900DEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93233D second address: 932347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 932347 second address: 93234B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93234B second address: 932384 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F33ECEDC486h 0x00000008 jmp 00007F33ECEDC498h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jbe 00007F33ECEDC48Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a jnc 00007F33ECEDC486h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 932384 second address: 932388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 932865 second address: 93286A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93286A second address: 93288B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F33ECB900DBh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F33ECB900DCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9329FD second address: 932A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F33ECEDC491h 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 932A18 second address: 932A1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 932D59 second address: 932D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F33ECEDC486h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 933049 second address: 93304F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93304F second address: 933053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 937A37 second address: 937A54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 937EA3 second address: 937EAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F33ECEDC486h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 937EAD second address: 937EC2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jc 00007F33ECB900D6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 937EC2 second address: 937ECD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F33ECEDC486h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 936FE8 second address: 936FEE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 8FFD6B second address: 8FFD72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93CDD8 second address: 93CDDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93D201 second address: 93D21C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECEDC494h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9409E7 second address: 9409F1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F33ECB900D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9409F1 second address: 9409F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 940E51 second address: 940E56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 940E56 second address: 940E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 940E5C second address: 940E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F33ECB900E2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 940E7B second address: 940E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 940E80 second address: 940E85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 940E85 second address: 940E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 940F98 second address: 940F9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 941592 second address: 9415C0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F33ECEDC48Ch 0x00000008 jg 00007F33ECEDC486h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebx 0x00000011 jmp 00007F33ECEDC493h 0x00000016 nop 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jp 00007F33ECEDC486h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9415C0 second address: 9415EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jg 00007F33ECB900D6h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jnc 00007F33ECB900D6h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 94183F second address: 941843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 941AFB second address: 941B05 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F33ECB900DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 941B05 second address: 941B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 941B13 second address: 941B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 941FEA second address: 942003 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 942003 second address: 942007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 942007 second address: 942023 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC498h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 942023 second address: 942029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 942029 second address: 9420BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F33ECEDC488h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 call 00007F33ECEDC48Eh 0x00000028 or dword ptr [ebp+122D1A84h], ecx 0x0000002e pop esi 0x0000002f mov di, cx 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+122D39A9h], ecx 0x0000003a push eax 0x0000003b jmp 00007F33ECEDC495h 0x00000040 pop esi 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 call 00007F33ECEDC488h 0x0000004b pop eax 0x0000004c mov dword ptr [esp+04h], eax 0x00000050 add dword ptr [esp+04h], 00000019h 0x00000058 inc eax 0x00000059 push eax 0x0000005a ret 0x0000005b pop eax 0x0000005c ret 0x0000005d mov edi, dword ptr [ebp+122D29A9h] 0x00000063 push eax 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 ja 00007F33ECEDC486h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 942A13 second address: 942A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECB900DFh 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F33ECB900E1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 942A3C second address: 942A40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 944B8B second address: 944B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 944B91 second address: 944BA3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F33ECEDC486h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 944BA3 second address: 944BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 944BA7 second address: 944BC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F33ECEDC494h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 944BC8 second address: 944BCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 947C9C second address: 947CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 947CA0 second address: 947CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 94B81B second address: 94B821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 94D47A second address: 94D47E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 94F43A second address: 94F455 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 94F455 second address: 94F45B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 94E660 second address: 94E664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 94E664 second address: 94E671 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 94E671 second address: 94E675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 950538 second address: 95053C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 95053C second address: 950550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC490h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 950550 second address: 9505C5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F33ECB900DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F33ECB900D8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 jns 00007F33ECB900DCh 0x0000002b push 00000000h 0x0000002d sbb ebx, 61CEC8DBh 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007F33ECB900D8h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000016h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f add di, 2000h 0x00000054 push eax 0x00000055 push ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 push esi 0x00000059 pop esi 0x0000005a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 95159E second address: 95161E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F33ECEDC490h 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F33ECEDC493h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F33ECEDC488h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov edi, dword ptr [ebp+122D2AD1h] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007F33ECEDC488h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 95161E second address: 951622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 951622 second address: 951628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 952803 second address: 952807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9545DB second address: 954616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 sbb ebx, 2BF970A5h 0x0000000c push 00000000h 0x0000000e call 00007F33ECEDC494h 0x00000013 pop edi 0x00000014 sbb ebx, 7342D511h 0x0000001a push 00000000h 0x0000001c mov edi, dword ptr [ebp+122D2B45h] 0x00000022 xchg eax, esi 0x00000023 pushad 0x00000024 je 00007F33ECEDC48Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 954616 second address: 954638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECB900E6h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 954638 second address: 95464F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC493h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9555D2 second address: 9555F5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F33ECB900D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F33ECB900E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9555F5 second address: 955669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push edi 0x00000008 call 00007F33ECEDC493h 0x0000000d stc 0x0000000e pop edi 0x0000000f pop edi 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F33ECEDC488h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c xor dword ptr [ebp+12478329h], edi 0x00000032 add edi, dword ptr [ebp+122D194Bh] 0x00000038 or dword ptr [ebp+124546ECh], edx 0x0000003e push 00000000h 0x00000040 mov edi, dword ptr [ebp+122D2B15h] 0x00000046 xchg eax, esi 0x00000047 jmp 00007F33ECEDC492h 0x0000004c push eax 0x0000004d push edi 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9557AE second address: 9557CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F33ECB900D6h 0x0000000a popad 0x0000000b pushad 0x0000000c js 00007F33ECB900D6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a ja 00007F33ECB900D6h 0x00000020 pop esi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9557CF second address: 9557E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC493h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 957661 second address: 957665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 957665 second address: 957669 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 957669 second address: 9576FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d jmp 00007F33ECB900DEh 0x00000012 pop eax 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F33ECB900D8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e mov ebx, dword ptr [ebp+122D1A70h] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007F33ECB900D8h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 push 00000000h 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 js 00007F33ECB900EEh 0x0000005b jmp 00007F33ECB900E8h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 95AB18 second address: 95AB25 instructions: 0x00000000 rdtsc 0x00000002 je 00007F33ECEDC486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 8FC859 second address: 8FC85D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 965D46 second address: 965D4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 965D4A second address: 965D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECB900DBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 965D61 second address: 965D86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC491h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F33ECEDC48Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 965D86 second address: 965D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 903341 second address: 903347 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 965462 second address: 965471 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F33ECB900D8h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9655E3 second address: 9655F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F33ECEDC486h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9655F2 second address: 9655F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9655F8 second address: 9655FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9655FE second address: 96560E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnp 00007F33ECB900D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 96560E second address: 965612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 965758 second address: 96575C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 96575C second address: 96576E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F33ECEDC48Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 96821E second address: 968228 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 968228 second address: 968233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 968233 second address: 96823D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 96823D second address: 96825F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECEDC490h 0x00000009 push esi 0x0000000a pop esi 0x0000000b jo 00007F33ECEDC486h 0x00000011 popad 0x00000012 push ecx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 96825F second address: 96826C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jl 00007F33ECB900ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 8F9632 second address: 8F9638 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 8F9638 second address: 8F9641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 8F9641 second address: 8F964C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F33ECEDC486h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 8F964C second address: 8F9652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 8F9652 second address: 8F966C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC496h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 96ED38 second address: 96ED3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 973BDB second address: 973C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F33ECEDC486h 0x0000000a popad 0x0000000b pushad 0x0000000c js 00007F33ECEDC486h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F33ECEDC496h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jnc 00007F33ECEDC486h 0x00000024 jmp 00007F33ECEDC491h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 973C21 second address: 973C27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9428D0 second address: 9428DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 972960 second address: 972966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 972966 second address: 972983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F33ECEDC486h 0x0000000a jmp 00007F33ECEDC492h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 972983 second address: 9729A8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F33ECB900E9h 0x00000008 pop ecx 0x00000009 ja 00007F33ECB900DCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9729A8 second address: 9729B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9729B3 second address: 9729B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9738E5 second address: 9738EB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9738EB second address: 973911 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F33ECB900F0h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 973911 second address: 973917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 973917 second address: 97391B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 97391B second address: 973921 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 978000 second address: 97800B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93F323 second address: 9275BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, dword ptr [ebp+122D2B4Dh] 0x00000011 call dword ptr [ebp+122D1C0Ah] 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a jmp 00007F33ECEDC499h 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93FA3B second address: 93FA4A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93FA4A second address: 93FA54 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F33ECEDC486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93FBA1 second address: 93FBA7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93FD55 second address: 93FD5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93FD5C second address: 93FD61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93FD61 second address: 93FD67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93FD67 second address: 93FD97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push ecx 0x0000000b movzx edi, si 0x0000000e pop ecx 0x0000000f push 00000004h 0x00000011 xor dword ptr [ebp+122D1C05h], eax 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F33ECB900E6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93FD97 second address: 93FDA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F33ECEDC486h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9401AF second address: 9401C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F33ECB900D6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 94065C second address: 940677 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F33ECEDC491h 0x00000008 jmp 00007F33ECEDC48Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 940677 second address: 94067B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 97786F second address: 97787D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F33ECEDC486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 97787D second address: 977883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9779B0 second address: 9779BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F33ECEDC486h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 977C4E second address: 977C5A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnp 00007F33ECB900D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 977C5A second address: 977C63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 97A5C7 second address: 97A5CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 97F812 second address: 97F838 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F33ECEDC48Fh 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 97F838 second address: 97F842 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F33ECB900E8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 97F842 second address: 97F85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECEDC48Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F33ECEDC486h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 97FDE1 second address: 97FDEB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F33ECB900D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 97FDEB second address: 97FE01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC490h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 97FE01 second address: 97FE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 97F35D second address: 97F361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 97F361 second address: 97F393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F33ECB900D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jnc 00007F33ECB900D6h 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jp 00007F33ECB900D6h 0x0000001c jmp 00007F33ECB900E6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 980389 second address: 98039D instructions: 0x00000000 rdtsc 0x00000002 js 00007F33ECEDC496h 0x00000008 jmp 00007F33ECEDC48Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98039D second address: 9803B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F33ECB900DAh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98689F second address: 9868C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pushad 0x00000007 jg 00007F33ECEDC49Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9868C8 second address: 9868EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F33ECB900E7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98AEE6 second address: 98AEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98AEEA second address: 98AEEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98B460 second address: 98B46A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98B599 second address: 98B5A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jbe 00007F33ECB900DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98B5A6 second address: 98B5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F33ECEDC488h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F33ECEDC48Fh 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jp 00007F33ECEDC486h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98B5CD second address: 98B5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98B5D1 second address: 98B5D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98B780 second address: 98B79B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98B940 second address: 98B94E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98BD4D second address: 98BD67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F33ECB900DEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98BD67 second address: 98BD6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98AA31 second address: 98AA62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E4h 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F33ECB900D6h 0x0000000f jmp 00007F33ECB900E3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98AA62 second address: 98AA66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98F6B5 second address: 98F6E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DDh 0x00000007 jmp 00007F33ECB900E7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98F6E3 second address: 98F6E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 98F6E9 second address: 98F70B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DDh 0x00000007 jmp 00007F33ECB900E1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 991C79 second address: 991C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 998423 second address: 998429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93FF7F second address: 93FF98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F33ECEDC490h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 93FF98 second address: 93FFA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 997451 second address: 99746C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC491h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 99746C second address: 997476 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F33ECB900D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 997476 second address: 9974C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F33ECEDC493h 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edi 0x0000000f popad 0x00000010 push edx 0x00000011 jmp 00007F33ECEDC496h 0x00000016 push eax 0x00000017 push edx 0x00000018 jc 00007F33ECEDC486h 0x0000001e jmp 00007F33ECEDC48Eh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9974C1 second address: 9974C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9975E1 second address: 997631 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F33ECEDC4A1h 0x0000000c je 00007F33ECEDC486h 0x00000012 jmp 00007F33ECEDC495h 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007F33ECEDC497h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F33ECEDC48Eh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 99AD71 second address: 99AD99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F33ECB900E3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 99AF65 second address: 99AF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A032E second address: 9A034F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 ja 00007F33ECB900D6h 0x0000000c jmp 00007F33ECB900DBh 0x00000011 popad 0x00000012 pushad 0x00000013 js 00007F33ECB900D6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A034F second address: 9A0358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A0358 second address: 9A035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 99F62A second address: 99F64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F33ECEDC498h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 99F64B second address: 99F66F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007F33ECB900D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F33ECB900E4h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 99F7BB second address: 99F7BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 99F90C second address: 99F91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F33ECB900D6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 99FA96 second address: 99FAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F33ECEDC48Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 99FAAB second address: 99FAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 99FAAF second address: 99FABA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 99FABA second address: 99FAC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 99FC2A second address: 99FC3B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F33ECEDC48Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A41F3 second address: 9A41F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A41F9 second address: 9A41FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A41FD second address: 9A4207 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A4207 second address: 9A4211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F33ECEDC486h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A3B69 second address: 9A3B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A3CB2 second address: 9A3CD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC495h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A3CD0 second address: 9A3CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F33ECB900D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A3CDB second address: 9A3CEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F33ECEDC48Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A3CEB second address: 9A3D0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F33ECB900D8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A3E59 second address: 9A3E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A3E5D second address: 9A3E77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DAh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F33ECB900D6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A3E77 second address: 9A3E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A3E7B second address: 9A3EB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F33ECB900E1h 0x0000000e jmp 00007F33ECB900E9h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A3EB0 second address: 9A3EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A3EBA second address: 9A3ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F33ECB900D6h 0x0000000d jp 00007F33ECB900D6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A3ECD second address: 9A3EEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F33ECEDC48Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A9A8E second address: 9A9AAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F33ECB900DFh 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A9AAC second address: 9A9AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A9D88 second address: 9A9D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F33ECB900D6h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9A9D93 second address: 9A9D9D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F33ECEDC48Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9AAF13 second address: 9AAF3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E4h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F33ECB900DFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9AAF3C second address: 9AAF42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9AF66E second address: 9AF674 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9AE8EB second address: 9AE8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9AE8EF second address: 9AE92B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F33ECB900D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jno 00007F33ECB900D6h 0x00000013 jmp 00007F33ECB900E5h 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F33ECB900DFh 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9AED2C second address: 9AED30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9AED30 second address: 9AED38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9AF070 second address: 9AF074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9AF074 second address: 9AF08B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F33ECB900DEh 0x0000000c push esi 0x0000000d pop esi 0x0000000e jl 00007F33ECB900D6h 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9AF332 second address: 9AF336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BC0D8 second address: 9BC0DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BC240 second address: 9BC249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BC249 second address: 9BC251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BC67B second address: 9BC67F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BCC45 second address: 9BCC4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F33ECB900D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BCC4F second address: 9BCC55 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BCDF0 second address: 9BCE05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECB900E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BCE05 second address: 9BCE3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b je 00007F33ECEDC486h 0x00000011 pop ecx 0x00000012 pushad 0x00000013 jmp 00007F33ECEDC491h 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F33ECEDC492h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BCE3E second address: 9BCE44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BCE44 second address: 9BCE48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BCFE6 second address: 9BCFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECB900E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BBCD8 second address: 9BBCF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F33ECEDC494h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BBCF4 second address: 9BBCFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9BBCFC second address: 9BBD2B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F33ECEDC495h 0x00000008 pop edx 0x00000009 pushad 0x0000000a jmp 00007F33ECEDC493h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9C4269 second address: 9C426F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9D2FA6 second address: 9D2FB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F33ECEDC486h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9D5A9C second address: 9D5AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F33ECB900D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9D5AA7 second address: 9D5ABE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F33ECEDC490h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9D7705 second address: 9D7709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9EC3BC second address: 9EC3C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9EC3C2 second address: 9EC3C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9F028B second address: 9F02A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECEDC493h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9F26E4 second address: 9F26EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F33ECB900D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9F26EE second address: 9F270B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F33ECEDC499h 0x0000000e jmp 00007F33ECEDC48Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9FC250 second address: 9FC265 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E0h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9FC265 second address: 9FC273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9FC273 second address: 9FC279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9FC279 second address: 9FC27D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9FC27D second address: 9FC29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F33ECB900E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9FC29F second address: 9FC2A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9FBDCB second address: 9FBDD1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9FBDD1 second address: 9FBDD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 9FBDD6 second address: 9FBDEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F33ECB900D6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A0AEE5 second address: A0AEF3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A0AD1A second address: A0AD4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DEh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jg 00007F33ECB900D6h 0x00000012 jmp 00007F33ECB900E2h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A0AD4A second address: A0AD87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC492h 0x00000007 jmp 00007F33ECEDC48Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 jmp 00007F33ECEDC493h 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A0AD87 second address: A0AD8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A0AD8F second address: A0ADB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECEDC48Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F33ECEDC494h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A08BC9 second address: A08BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A1BE15 second address: A1BE29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jbe 00007F33ECEDC486h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A1BC70 second address: A1BC74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A1E6F7 second address: A1E6FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A1E6FD second address: A1E73B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E8h 0x00000007 push edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F33ECB900E9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A1E73B second address: A1E754 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F33ECEDC48Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A1E754 second address: A1E758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A41848 second address: A41851 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A4097D second address: A409A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F33ECB900D6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 je 00007F33ECB900D6h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 js 00007F33ECB900E8h 0x0000001f push ecx 0x00000020 jnl 00007F33ECB900D6h 0x00000026 pop ecx 0x00000027 push ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A40AC8 second address: A40ACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A40C31 second address: A40C38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A40C38 second address: A40C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A40D8F second address: A40D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A4740A second address: A47427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC499h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A4A8CA second address: A4A8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A4A8D0 second address: A4A8D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A4A8D4 second address: A4A8F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F33ECB900DEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: A4A8F1 second address: A4A90B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F33ECEDC48Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jnc 00007F33ECEDC486h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50A06FC second address: 50A0700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50A0700 second address: 50A0706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50A0706 second address: 50A070C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50A070C second address: 50A072D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC491h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dh, 58h 0x00000011 movzx esi, dx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50A072D second address: 50A074D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ax, bx 0x00000011 mov edx, 624A1B5Ch 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50A074D second address: 50A079D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC492h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, bx 0x00000010 pushfd 0x00000011 jmp 00007F33ECEDC499h 0x00000016 add eax, 319B4516h 0x0000001c jmp 00007F33ECEDC491h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060DDF second address: 5060DE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060DE5 second address: 5060E60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 4262EA9Dh 0x00000010 call 00007F33ECEDC48Ah 0x00000015 pushfd 0x00000016 jmp 00007F33ECEDC492h 0x0000001b sbb si, 3728h 0x00000020 jmp 00007F33ECEDC48Bh 0x00000025 popfd 0x00000026 pop esi 0x00000027 popad 0x00000028 push eax 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F33ECEDC494h 0x00000030 and cx, 6988h 0x00000035 jmp 00007F33ECEDC48Bh 0x0000003a popfd 0x0000003b mov ebx, eax 0x0000003d popad 0x0000003e xchg eax, ebp 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060E60 second address: 5060E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060E64 second address: 5060E7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC493h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E07A7 second address: 50E07AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E07AD second address: 50E07CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F33ECEDC497h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060ACE second address: 5060AEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ah, 8Ah 0x0000000f mov edi, 604786EAh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060AEF second address: 5060B2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECEDC48Eh 0x00000009 add ch, FFFFFFA8h 0x0000000c jmp 00007F33ECEDC48Bh 0x00000011 popfd 0x00000012 movzx eax, bx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 jmp 00007F33ECEDC48Bh 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov bx, 93C6h 0x00000027 mov ax, dx 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060B2F second address: 5060B36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, B8h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060B36 second address: 5060B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push dword ptr [ebp+04h] 0x0000000a jmp 00007F33ECEDC497h 0x0000000f push dword ptr [ebp+0Ch] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060B60 second address: 5060B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060B64 second address: 5060B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060B68 second address: 5060B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060B6E second address: 5060BE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECEDC498h 0x00000009 xor esi, 786FB9F8h 0x0000000f jmp 00007F33ECEDC48Bh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F33ECEDC498h 0x0000001b xor ch, 00000058h 0x0000001e jmp 00007F33ECEDC48Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 push dword ptr [ebp+08h] 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F33ECEDC495h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060C18 second address: 5060C1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060C1C second address: 5060C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060C22 second address: 5060C28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060C28 second address: 5060C2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5060C2C second address: 5060C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F33ECB900DBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0C03 second address: 50B0C09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0C09 second address: 50B0C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, B693h 0x00000007 mov ax, 28EFh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push edi 0x00000011 push esi 0x00000012 pop edx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0C21 second address: 50B0C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0C25 second address: 50B0C35 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0C35 second address: 50B0CCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC495h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov esi, 3EC0AE53h 0x00000011 pushfd 0x00000012 jmp 00007F33ECEDC498h 0x00000017 and cx, 47D8h 0x0000001c jmp 00007F33ECEDC48Bh 0x00000021 popfd 0x00000022 popad 0x00000023 pop ebp 0x00000024 pushad 0x00000025 push eax 0x00000026 pushfd 0x00000027 jmp 00007F33ECEDC48Bh 0x0000002c adc eax, 01C8FA9Eh 0x00000032 jmp 00007F33ECEDC499h 0x00000037 popfd 0x00000038 pop eax 0x00000039 push eax 0x0000003a push edx 0x0000003b call 00007F33ECEDC497h 0x00000040 pop eax 0x00000041 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 510041A second address: 5100420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5100420 second address: 510043E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F33ECEDC493h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 510043E second address: 5100444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5100444 second address: 5100448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5100448 second address: 510045F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F33ECB900DAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0E6B second address: 50E0E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0E6F second address: 50E0E8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0E8C second address: 50E0EFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECEDC497h 0x00000009 or al, 0000001Eh 0x0000000c jmp 00007F33ECEDC499h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F33ECEDC490h 0x00000018 adc cl, 00000018h 0x0000001b jmp 00007F33ECEDC48Bh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 pop ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F33ECEDC495h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5070484 second address: 5070488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5070488 second address: 507048E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 507048E second address: 50704D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F33ECB900E3h 0x00000012 call 00007F33ECB900E8h 0x00000017 pop eax 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50704D4 second address: 50704E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50704E5 second address: 50704E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50704E9 second address: 50704ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50704ED second address: 50704F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E05D8 second address: 50E0620 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F33ECEDC498h 0x00000008 or ax, 24F8h 0x0000000d jmp 00007F33ECEDC48Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a call 00007F33ECEDC491h 0x0000001f pop eax 0x00000020 mov eax, ebx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0620 second address: 50E0635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0635 second address: 50E0639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0639 second address: 50E063F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E063F second address: 50E0653 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov eax, 184EA6F7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0653 second address: 50E0658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0C5A second address: 50E0C69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0C69 second address: 50E0C6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0C6E second address: 50E0C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F33ECEDC493h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0C8D second address: 50E0CD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d mov bx, 653Eh 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 jmp 00007F33ECB900E5h 0x00000019 mov eax, dword ptr [ebp+08h] 0x0000001c pushad 0x0000001d mov bl, ch 0x0000001f push eax 0x00000020 push edx 0x00000021 movsx edi, si 0x00000024 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0CD5 second address: 50E0CD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0CD9 second address: 50E0CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 and dword ptr [eax], 00000000h 0x0000000a jmp 00007F33ECB900DCh 0x0000000f and dword ptr [eax+04h], 00000000h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ecx, edi 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0CFB second address: 50E0D64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007F33ECEDC48Eh 0x0000000b sub cx, ABC8h 0x00000010 jmp 00007F33ECEDC48Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop ebp 0x0000001a pushad 0x0000001b pushad 0x0000001c mov si, 07D1h 0x00000020 pushfd 0x00000021 jmp 00007F33ECEDC48Eh 0x00000026 add ecx, 5CC2AE28h 0x0000002c jmp 00007F33ECEDC48Bh 0x00000031 popfd 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F33ECEDC496h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E0D64 second address: 50E0D68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0130 second address: 50F015E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F33ECEDC490h 0x0000000a sbb cx, 4678h 0x0000000f jmp 00007F33ECEDC48Bh 0x00000014 popfd 0x00000015 popad 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F015E second address: 50F0167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 8C54h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0167 second address: 50F01AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 5C9Fh 0x00000007 pushfd 0x00000008 jmp 00007F33ECEDC494h 0x0000000d jmp 00007F33ECEDC495h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F33ECEDC48Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F01AB second address: 50F01D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 jmp 00007F33ECB900DDh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F33ECB900DDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F01D1 second address: 50F01E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC48Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F01E1 second address: 50F0209 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F33ECB900E7h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0209 second address: 50F020D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F020D second address: 50F0228 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50908A2 second address: 50908C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F33ECEDC48Ah 0x0000000a xor ax, 1098h 0x0000000f jmp 00007F33ECEDC48Bh 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0E44 second address: 50F0E4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0E4A second address: 50F0E72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F33ECEDC494h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0E72 second address: 50F0F13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECB900E1h 0x00000009 sub al, FFFFFFC6h 0x0000000c jmp 00007F33ECB900E1h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F33ECB900DCh 0x0000001d mov ebp, esp 0x0000001f jmp 00007F33ECB900E0h 0x00000024 xchg eax, ecx 0x00000025 jmp 00007F33ECB900E0h 0x0000002a push eax 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F33ECB900E1h 0x00000032 jmp 00007F33ECB900DBh 0x00000037 popfd 0x00000038 push ecx 0x00000039 mov edx, 03527B1Ah 0x0000003e pop edi 0x0000003f popad 0x00000040 xchg eax, ecx 0x00000041 jmp 00007F33ECB900DEh 0x00000046 mov eax, dword ptr [76FB65FCh] 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0F13 second address: 50F0F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0F17 second address: 50F0F1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F02D4 second address: 50F02E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F02E3 second address: 50F0303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov esi, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F33ECB900E3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0303 second address: 50F0390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECEDC48Fh 0x00000009 xor eax, 77E1FE0Eh 0x0000000f jmp 00007F33ECEDC499h 0x00000014 popfd 0x00000015 mov ecx, 69DC2717h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov dword ptr [esp], ebp 0x00000020 pushad 0x00000021 mov ah, E2h 0x00000023 pushfd 0x00000024 jmp 00007F33ECEDC495h 0x00000029 adc cx, 30F6h 0x0000002e jmp 00007F33ECEDC491h 0x00000033 popfd 0x00000034 popad 0x00000035 mov ebp, esp 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a movsx ebx, si 0x0000003d call 00007F33ECEDC494h 0x00000042 pop esi 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0390 second address: 50F03AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECB900E7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B000B second address: 50B0023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC494h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0023 second address: 50B0039 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0039 second address: 50B003F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B003F second address: 50B004A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 mov cx, F853h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B004A second address: 50B0094 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F33ECEDC498h 0x00000008 sub eax, 134E89D8h 0x0000000e jmp 00007F33ECEDC48Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b call 00007F33ECEDC492h 0x00000020 pop eax 0x00000021 push ebx 0x00000022 pop ecx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0094 second address: 50B0099 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0099 second address: 50B00AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dh, al 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov si, 49B9h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B00AD second address: 50B00D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F33ECB900E5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B00D9 second address: 50B00DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B00DF second address: 50B00FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F33ECB900E2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B00FE second address: 50B0110 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC48Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0110 second address: 50B012E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F33ECB900DCh 0x0000000e mov dword ptr [esp], ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B012E second address: 50B0132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0132 second address: 50B014F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B014F second address: 50B01AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECEDC497h 0x00000009 and ch, FFFFFFDEh 0x0000000c jmp 00007F33ECEDC499h 0x00000011 popfd 0x00000012 mov esi, 6A3E0BA7h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F33ECEDC499h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B01AB second address: 50B01D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F33ECB900DDh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 mov ax, 0F13h 0x00000014 movzx ecx, di 0x00000017 popad 0x00000018 xchg eax, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B01D2 second address: 50B01D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B01D8 second address: 50B01E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 6198h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B01E1 second address: 50B021E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebx, dword ptr [ebp+10h] 0x0000000a pushad 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007F33ECEDC496h 0x00000012 adc si, 8BF8h 0x00000017 jmp 00007F33ECEDC48Bh 0x0000001c popfd 0x0000001d pop esi 0x0000001e popad 0x0000001f push esp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov eax, edi 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B021E second address: 50B02AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECB900DBh 0x00000009 xor eax, 42A08C6Eh 0x0000000f jmp 00007F33ECB900E9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F33ECB900E0h 0x0000001b jmp 00007F33ECB900E5h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov dword ptr [esp], esi 0x00000027 pushad 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F33ECB900E6h 0x0000002f xor eax, 12621578h 0x00000035 jmp 00007F33ECB900DBh 0x0000003a popfd 0x0000003b popad 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B02AA second address: 50B02AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B02AE second address: 50B031C instructions: 0x00000000 rdtsc 0x00000002 mov al, 9Ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov esi, dword ptr [ebp+08h] 0x0000000a jmp 00007F33ECB900E7h 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 call 00007F33ECB900E4h 0x00000016 movzx eax, bx 0x00000019 pop edi 0x0000001a pushfd 0x0000001b jmp 00007F33ECB900DCh 0x00000020 jmp 00007F33ECB900E5h 0x00000025 popfd 0x00000026 popad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F33ECB900DCh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B031C second address: 50B0322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0322 second address: 50B0326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0326 second address: 50B037E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 pushad 0x0000000a pushad 0x0000000b call 00007F33ECEDC495h 0x00000010 pop esi 0x00000011 pushfd 0x00000012 jmp 00007F33ECEDC491h 0x00000017 or eax, 3AF34B96h 0x0000001d jmp 00007F33ECEDC491h 0x00000022 popfd 0x00000023 popad 0x00000024 mov eax, 5398F007h 0x00000029 popad 0x0000002a test esi, esi 0x0000002c pushad 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B037E second address: 50B03E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, 4Ch 0x00000006 popad 0x00000007 popad 0x00000008 je 00007F345EA0E365h 0x0000000e jmp 00007F33ECB900DAh 0x00000013 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001a jmp 00007F33ECB900E0h 0x0000001f je 00007F345EA0E354h 0x00000025 jmp 00007F33ECB900E0h 0x0000002a mov edx, dword ptr [esi+44h] 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 call 00007F33ECB900E8h 0x00000035 pop esi 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B03E3 second address: 50B0401 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, cx 0x00000006 mov esi, 70C9A0F9h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e or edx, dword ptr [ebp+0Ch] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F33ECEDC48Bh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0401 second address: 50B0407 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B0407 second address: 50B040B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B040B second address: 50B044E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movzx ecx, di 0x00000014 pushfd 0x00000015 jmp 00007F33ECB900E5h 0x0000001a sub esi, 47162526h 0x00000020 jmp 00007F33ECB900E1h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50B044E second address: 50B04A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC491h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F345ED5A6ABh 0x0000000f pushad 0x00000010 mov bh, 88h 0x00000012 popad 0x00000013 test byte ptr [esi+48h], 00000001h 0x00000017 jmp 00007F33ECEDC492h 0x0000001c jne 00007F345ED5A6A4h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F33ECEDC497h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C0008 second address: 50C000C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C000C second address: 50C0012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C0012 second address: 50C0027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECB900E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C0027 second address: 50C002B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C002B second address: 50C003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C003B second address: 50C0040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C0040 second address: 50C0046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C0046 second address: 50C004A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C004A second address: 50C00B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F33ECB900E0h 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F33ECB900DEh 0x0000001c add eax, 3D7CCC68h 0x00000022 jmp 00007F33ECB900DBh 0x00000027 popfd 0x00000028 mov ebx, esi 0x0000002a popad 0x0000002b and esp, FFFFFFF8h 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F33ECB900E1h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C00B8 second address: 50C00BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C00BE second address: 50C00C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C00C2 second address: 50C0199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F33ECEDC494h 0x0000000e mov dword ptr [esp], ebx 0x00000011 pushad 0x00000012 call 00007F33ECEDC48Eh 0x00000017 movzx ecx, dx 0x0000001a pop ebx 0x0000001b mov si, A0B3h 0x0000001f popad 0x00000020 xchg eax, esi 0x00000021 pushad 0x00000022 pushad 0x00000023 call 00007F33ECEDC492h 0x00000028 pop esi 0x00000029 mov dx, 6FF6h 0x0000002d popad 0x0000002e pushfd 0x0000002f jmp 00007F33ECEDC497h 0x00000034 add si, 807Eh 0x00000039 jmp 00007F33ECEDC499h 0x0000003e popfd 0x0000003f popad 0x00000040 push eax 0x00000041 jmp 00007F33ECEDC491h 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 mov bx, si 0x0000004b call 00007F33ECEDC498h 0x00000050 mov eax, 044BC531h 0x00000055 pop esi 0x00000056 popad 0x00000057 mov esi, dword ptr [ebp+08h] 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F33ECEDC48Fh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C0199 second address: 50C01B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C01B6 second address: 50C01C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC48Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C01C6 second address: 50C022D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ebx, ebx 0x0000000d pushad 0x0000000e mov edi, 41DDF1C8h 0x00000013 pushad 0x00000014 mov cx, bx 0x00000017 mov bh, 4Bh 0x00000019 popad 0x0000001a popad 0x0000001b test esi, esi 0x0000001d jmp 00007F33ECB900E2h 0x00000022 je 00007F345E9F6269h 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F33ECB900DDh 0x00000031 sbb ax, 3996h 0x00000036 jmp 00007F33ECB900E1h 0x0000003b popfd 0x0000003c mov bx, cx 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C022D second address: 50C0258 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edi, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F33ECEDC497h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C0258 second address: 50C025E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C025E second address: 50C0262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C0262 second address: 50C0266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C0266 second address: 50C0278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ah, 37h 0x0000000f mov esi, edx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C0278 second address: 50C02A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F345E9F61EFh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F33ECB900E7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C02A9 second address: 50C02E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC499h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [76FB6968h], 00000002h 0x00000010 pushad 0x00000011 mov eax, 04118B23h 0x00000016 mov edi, ecx 0x00000018 popad 0x00000019 jne 00007F345ED42566h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C02E2 second address: 50C02E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C02E6 second address: 50C02FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC493h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C03F5 second address: 50C03FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C03FB second address: 50C0401 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C0401 second address: 50C0405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5121972 second address: 5121979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5121979 second address: 51219DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F33ECB900DDh 0x00000013 sub ecx, 002C1926h 0x00000019 jmp 00007F33ECB900E1h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F33ECB900E0h 0x00000025 or al, FFFFFFC8h 0x00000028 jmp 00007F33ECB900DBh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 51219DE second address: 5121A18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC499h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dx, 01BEh 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 call 00007F33ECEDC48Eh 0x00000019 pop ecx 0x0000001a push edx 0x0000001b pop eax 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5121A18 second address: 5121A5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov si, 44CDh 0x00000010 pushfd 0x00000011 jmp 00007F33ECB900DAh 0x00000016 sub ecx, 205171E8h 0x0000001c jmp 00007F33ECB900DBh 0x00000021 popfd 0x00000022 popad 0x00000023 push 0000007Fh 0x00000025 pushad 0x00000026 push eax 0x00000027 mov edi, 634CBD56h 0x0000002c pop edx 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5121AD0 second address: 5121972 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F33ECEDC490h 0x00000008 xor eax, 6004EE98h 0x0000000e jmp 00007F33ECEDC48Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 retn 0004h 0x0000001a lea eax, dword ptr [ebp-10h] 0x0000001d push eax 0x0000001e call ebx 0x00000020 mov edi, edi 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E09C8 second address: 50E09CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50E09CE second address: 50E09F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, E7h 0x00000005 movsx ebx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F33ECEDC48Eh 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 pushad 0x00000015 mov cx, 0C83h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C0639 second address: 50C063D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C063D second address: 50C064E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C064E second address: 50C065E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECB900DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C065E second address: 50C069E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a mov bx, si 0x0000000d pushfd 0x0000000e jmp 00007F33ECEDC496h 0x00000013 adc eax, 42C7B9D8h 0x00000019 jmp 00007F33ECEDC48Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov dword ptr [esp], ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C069E second address: 50C06A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C06A2 second address: 50C06A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50C06A8 second address: 50C06AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 51401EC second address: 51401F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 51401F0 second address: 51401F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 51401F6 second address: 514022A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECEDC492h 0x00000009 sub eax, 3A6B92D8h 0x0000000f jmp 00007F33ECEDC48Bh 0x00000014 popfd 0x00000015 movzx ecx, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 514022A second address: 514029A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F33ECB900DAh 0x00000008 adc ecx, 66A95D38h 0x0000000e jmp 00007F33ECB900DBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 movzx esi, dx 0x00000019 popad 0x0000001a mov dword ptr [esp], ebp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F33ECB900E1h 0x00000024 xor ax, F3D6h 0x00000029 jmp 00007F33ECB900E1h 0x0000002e popfd 0x0000002f movzx esi, bx 0x00000032 popad 0x00000033 mov ebp, esp 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F33ECB900E6h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 514029A second address: 51402CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d pushad 0x0000000e call 00007F33ECEDC492h 0x00000013 pop eax 0x00000014 mov dx, A146h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b mov dl, C3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 51402CA second address: 51402CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 51402CE second address: 514032B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push dword ptr [ebp+08h] 0x0000000a jmp 00007F33ECEDC492h 0x0000000f push 03AB7B09h 0x00000014 pushad 0x00000015 movsx edx, ax 0x00000018 pushfd 0x00000019 jmp 00007F33ECEDC498h 0x0000001e and cx, 8048h 0x00000023 jmp 00007F33ECEDC48Bh 0x00000028 popfd 0x00000029 popad 0x0000002a xor dword ptr [esp], 03AA7B0Bh 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 514032B second address: 514032F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 514032F second address: 514034A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC497h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 514034A second address: 5140350 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5140350 second address: 5140354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5140382 second address: 5140386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 5140386 second address: 514038C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F075F second address: 50F0765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0765 second address: 50F0769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0769 second address: 50F076D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F076D second address: 50F079C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F33ECEDC48Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F33ECEDC490h 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b mov edi, eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F079C second address: 50F07E7 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F33ECB900E8h 0x00000008 and cl, FFFFFFC8h 0x0000000b jmp 00007F33ECB900DBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 and esp, FFFFFFF0h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F33ECB900E7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F07E7 second address: 50F07ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F07ED second address: 50F0812 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ebx, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a sub esp, 44h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F33ECB900E4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0812 second address: 50F0821 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0821 second address: 50F0845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0845 second address: 50F0849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0849 second address: 50F085C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F085C second address: 50F0874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC494h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0874 second address: 50F0891 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov al, dl 0x0000000f popad 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0891 second address: 50F0895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F0895 second address: 50F089B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F089B second address: 50F08F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F33ECEDC48Dh 0x00000013 sub si, 3526h 0x00000018 jmp 00007F33ECEDC491h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F33ECEDC490h 0x00000024 or ah, FFFFFFC8h 0x00000027 jmp 00007F33ECEDC48Bh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F08F7 second address: 50F090F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECB900E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe RDTSC instruction interceptor: First address: 50F090F second address: 50F0937 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F33ECEDC494h 0x00000013 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Special instruction interceptor: First address: 79FBE1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Special instruction interceptor: First address: 93F41F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Special instruction interceptor: First address: 79FAB9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Special instruction interceptor: First address: 9C5DAD instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 1CFBE1 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 36F41F instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 1CFAB9 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 3F5DAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 2DFBE1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 47F41F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 2DFAB9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 505DAD instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_05130A73 rdtsc 0_2_05130A73
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Window / User API: threadDelayed 848 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Window / User API: threadDelayed 1273 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Window / User API: threadDelayed 920 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Window / User API: threadDelayed 352 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1304 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1173 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 764 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1220 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1121 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 766 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1171 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 2589 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 2603 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 2609 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6860 Thread sleep time: -30015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6788 Thread sleep count: 848 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6788 Thread sleep time: -1696848s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6736 Thread sleep count: 234 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 5004 Thread sleep count: 238 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6816 Thread sleep count: 1273 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6816 Thread sleep time: -2547273s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6840 Thread sleep count: 920 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6840 Thread sleep time: -1840920s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6792 Thread sleep count: 352 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6792 Thread sleep time: -704352s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6404 Thread sleep count: 87 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6404 Thread sleep time: -174087s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6720 Thread sleep count: 132 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6720 Thread sleep time: -264132s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7104 Thread sleep count: 110 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7104 Thread sleep time: -220110s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1744 Thread sleep count: 65 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1744 Thread sleep count: 1304 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1744 Thread sleep time: -131704s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7232 Thread sleep count: 1173 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7232 Thread sleep count: 764 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7232 Thread sleep time: -76400s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2504 Thread sleep count: 111 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2504 Thread sleep time: -222111s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5480 Thread sleep count: 119 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5480 Thread sleep time: -238119s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6568 Thread sleep count: 118 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6568 Thread sleep time: -236118s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 792 Thread sleep count: 123 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 792 Thread sleep time: -246123s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6500 Thread sleep count: 78 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6500 Thread sleep time: -156078s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7220 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 732 Thread sleep count: 67 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5600 Thread sleep count: 111 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5600 Thread sleep time: -222111s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 732 Thread sleep count: 1220 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 732 Thread sleep time: -123220s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7228 Thread sleep count: 1121 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7228 Thread sleep count: 766 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7228 Thread sleep time: -76600s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4928 Thread sleep count: 101 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4928 Thread sleep time: -202101s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7136 Thread sleep count: 138 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7136 Thread sleep time: -276138s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7300 Thread sleep time: -54027s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7288 Thread sleep count: 1171 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7288 Thread sleep time: -2343171s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7256 Thread sleep count: 249 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7468 Thread sleep count: 240 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7636 Thread sleep count: 72 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7636 Thread sleep time: -144072s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7644 Thread sleep count: 73 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7644 Thread sleep time: -146073s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7640 Thread sleep count: 71 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7640 Thread sleep time: -142071s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7560 Thread sleep count: 104 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7560 Thread sleep count: 237 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7620 Thread sleep count: 2589 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7620 Thread sleep time: -5180589s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7752 Thread sleep count: 233 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7628 Thread sleep count: 2603 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7628 Thread sleep time: -5208603s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7624 Thread sleep count: 2609 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7624 Thread sleep time: -5220609s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: LisectAVT_2403002A_228.exe, 00000000.00000002.4130383700.0000000000F3C000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&00
Source: MPGPH131.exe, 00000006.00000002.4130999077.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}f
Source: MPGPH131.exe, 00000005.00000002.4130834437.000000000133D000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}D
Source: RageMP131.exe, 00000009.00000003.1952162624.0000000000E53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.4130999077.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
Source: MPGPH131.exe, 00000005.00000002.4131028142.000000000144D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}`}9
Source: RageMP131.exe, 00000007.00000002.4130773514.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RageMP131.exe, 00000007.00000002.4130773514.0000000000D43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}EX
Source: RageMP131.exe, 00000009.00000003.1952162624.0000000000E51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_228.exe, 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000005.00000002.4131028142.0000000001494000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_78B2A93F
Source: RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}bl
Source: LisectAVT_2403002A_228.exe, 00000000.00000002.4130424315.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4131028142.0000000001482000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4130999077.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4130773514.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger Jump to behavior
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_05130BA4 Start: 05130DBD End: 05130C04 0_2_05130BA4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0557024B Start: 05570281 End: 0557025F 5_2_0557024B
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_05130A73 rdtsc 0_2_05130A73
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_006C3A40 mov eax, dword ptr fs:[00000030h] 0_2_006C3A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_006C3A40 mov eax, dword ptr fs:[00000030h] 0_2_006C3A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_00674100 mov eax, dword ptr fs:[00000030h] 0_2_00674100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_000F3A40 mov eax, dword ptr fs:[00000030h] 5_2_000F3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_000F3A40 mov eax, dword ptr fs:[00000030h] 5_2_000F3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_000A4100 mov eax, dword ptr fs:[00000030h] 5_2_000A4100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_000F3A40 mov eax, dword ptr fs:[00000030h] 6_2_000F3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_000F3A40 mov eax, dword ptr fs:[00000030h] 6_2_000F3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_000A4100 mov eax, dword ptr fs:[00000030h] 6_2_000A4100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00203A40 mov eax, dword ptr fs:[00000030h] 7_2_00203A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00203A40 mov eax, dword ptr fs:[00000030h] 7_2_00203A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_001B4100 mov eax, dword ptr fs:[00000030h] 7_2_001B4100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00203A40 mov eax, dword ptr fs:[00000030h] 9_2_00203A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00203A40 mov eax, dword ptr fs:[00000030h] 9_2_00203A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_001B4100 mov eax, dword ptr fs:[00000030h] 9_2_001B4100
Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, RageMP131.exe, 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: JProgram Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Code function: 0_2_0073F26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_0073F26A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_228.exe PID: 6740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7556, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_228.exe PID: 6740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7556, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1482398 Sample: LisectAVT_2403002A_228.exe Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 36 Antivirus / Scanner detection for submitted sample 2->36 38 Yara detected RisePro Stealer 2->38 40 Machine Learning detection for sample 2->40 42 3 other signatures 2->42 7 LisectAVT_2403002A_228.exe 1 9 2->7         started        12 MPGPH131.exe 2 2->12         started        14 RageMP131.exe 2 2->14         started        16 2 other processes 2->16 process3 dnsIp4 34 193.233.132.74, 49730, 49731, 49732 FREE-NET-ASFREEnetEU Russian Federation 7->34 26 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 7->26 dropped 28 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 7->28 dropped 30 C:\Users\...\RageMP131.exe:Zone.Identifier, ASCII 7->30 dropped 32 C:\...\MPGPH131.exe:Zone.Identifier, ASCII 7->32 dropped 44 Detected unpacking (changes PE section rights) 7->44 46 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 7->46 48 Uses schtasks.exe or at.exe to add and modify task schedules 7->48 64 2 other signatures 7->64 18 schtasks.exe 1 7->18         started        20 schtasks.exe 1 7->20         started        50 Antivirus detection for dropped file 12->50 52 Machine Learning detection for dropped file 12->52 54 Tries to evade debugger and weak emulator (self modifying code) 12->54 56 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->56 58 Hides threads from debuggers 14->58 60 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->60 62 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->62 file5 signatures6 process7 process8 22 conhost.exe 18->22         started        24 conhost.exe 20->24         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
193.233.132.74
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true