Windows Analysis Report
LisectAVT_2403002A_191.exe

Overview

General Information

Sample name: LisectAVT_2403002A_191.exe
Analysis ID: 1482443
MD5: 96a48d844ea7baae454fe84845e1e581
SHA1: 77f0819007790eef6ecd0ec1be0e49669132ad3d
SHA256: dd43fbaaa8a894e08aa200e56c01dea30c346356440c4373082f25f7be4c3154
Tags: exe, RiseProStealer

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
PE file contains section with special chars
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

AV Detection

Source: LisectAVT_2403002A_191.exe Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: TR/AD.Nekark.cxjdy
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: TR/AD.Nekark.cxjdy
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_191.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: global traffic TCP traffic: 193.233.132.62 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 193.233.132.62:58709
Source: Joe Sandbox View IP Address: 193.233.132.62 193.233.132.62
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_0016E0A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket, 0_2_0016E0A0
Source: MPGPH131.exe, RageMP131.exe String found in binary or memory: http://www.winimage.com/zLibDll
Source: MPGPH131.exe, RageMP131.exe String found in binary or memory: https://ipinfo.io/
Source: LisectAVT_2403002A_191.exe, MPGPH131.exe, RageMP131.exe String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_191.exe, MPGPH131.exe, RageMP131.exe String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

System Summary

Source: LisectAVT_2403002A_191.exe Static PE information: section name:
Source: LisectAVT_2403002A_191.exe Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: String function: 0022FED0 appears 31 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00D5FED0 appears 62 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00D5F4FC appears 46 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00D6FD51 appears 34 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 0064FED0 appears 31 times
Source: LisectAVT_2403002A_191.exe Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_191.exe
Source: LisectAVT_2403002A_191.exe Static PE information: Section: ZLIB complexity 0.9990733225108225
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9990733225108225
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9990733225108225
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Command line argument: nI% 0_2_002548C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Command line argument: nIg 8_2_006748C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MPGPH131.exe, RageMP131.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_191.exe, MPGPH131.exe, RageMP131.exe Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_191.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: LisectAVT_2403002A_191.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe "C:\Users\user\Desktop\LisectAVT_2403002A_191.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Section loaded: apphelp.dll, winmm.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, sspicli.dll, ntmarta.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll, winmm.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, sspicli.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll, winmm.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, sspicli.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll
Source: LisectAVT_2403002A_191.exe Static file information: File size 3159050 > 1048576
Source: LisectAVT_2403002A_191.exe Static PE information: Raw size of wnjuhnsz is bigger than: 0x100000 < 0x26cc00

Data Obfuscation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Unpacked PE file: 0.2.LisectAVT_2403002A_191.exe.150000.0.unpack :EW;.rsrc:W;.idata :W;wnjuhnsz:EW;unhxerdt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;wnjuhnsz:EW;unhxerdt:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.c80000.0.unpack :EW;.rsrc:W;.idata :W;wnjuhnsz:EW;unhxerdt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;wnjuhnsz:EW;unhxerdt:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.c80000.0.unpack :EW;.rsrc:W;.idata :W;wnjuhnsz:EW;unhxerdt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;wnjuhnsz:EW;unhxerdt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.570000.0.unpack :EW;.rsrc:W;.idata :W;wnjuhnsz:EW;unhxerdt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;wnjuhnsz:EW;unhxerdt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 10.2.RageMP131.exe.570000.0.unpack :EW;.rsrc:W;.idata :W;wnjuhnsz:EW;unhxerdt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;wnjuhnsz:EW;unhxerdt:EW;.taggant:EW;
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_00169F50 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory, 0_2_00169F50
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x308924 should be: 0x30821d
Source: LisectAVT_2403002A_191.exe Static PE information: real checksum: 0x308924 should be: 0x30821d
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x308924 should be: 0x30821d
Source: LisectAVT_2403002A_191.exe Static PE information: section name:
Source: LisectAVT_2403002A_191.exe Static PE information: section name: .idata
Source: LisectAVT_2403002A_191.exe Static PE information: section name: wnjuhnsz
Source: LisectAVT_2403002A_191.exe Static PE information: section name: unhxerdt
Source: LisectAVT_2403002A_191.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name: wnjuhnsz
Source: RageMP131.exe.0.dr Static PE information: section name: unhxerdt
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name: wnjuhnsz
Source: MPGPH131.exe.0.dr Static PE information: section name: unhxerdt
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_0022FA97 push ecx; ret 0_2_0022FAAA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_00171B20 push esi; ret 0_2_00171B22
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D5FA97 push ecx; ret 6_2_00D5FAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00C97D53 push edi; retf 000Ch 6_2_00C97D56
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00D5FA97 push ecx; ret 7_2_00D5FAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CA1B20 push esi; ret 7_2_00CA1B22
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_0064FA97 push ecx; ret 8_2_0064FAAA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00587D53 push edi; retf 000Ch 8_2_00587D56
Source: LisectAVT_2403002A_191.exe Static PE information: section name: entropy: 7.984907273726197
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.984907273726197
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.984907273726197
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Boot Survival

Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_001D3F80 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_001D3F80

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44376E second address: 443772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 443772 second address: 443778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 443778 second address: 44377D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4485EC second address: 4485F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4485F0 second address: 4485FA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F57B8C3A836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4485FA second address: 448613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57B901D145h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44A70C second address: 44A718 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44BC52 second address: 44BC5C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F57B901D13Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44BC5C second address: 44BC6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jp 00007F57B8C3A836h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44BC6D second address: 44BCC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B901D140h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov bx, si 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F57B901D138h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b xor dword ptr [ebp+122D36A9h], ecx 0x00000031 xchg eax, esi 0x00000032 jbe 00007F57B901D140h 0x00000038 pushad 0x00000039 pushad 0x0000003a popad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44CCCD second address: 44CCD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44BE13 second address: 44BE19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44BE19 second address: 44BE26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44DCCE second address: 44DCD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44DCD2 second address: 44DCDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44EBB1 second address: 44EBB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44EBB7 second address: 44EBBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44DEF1 second address: 44DEF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 44EE33 second address: 44EE43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57B8C3A83Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 450CDE second address: 450CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 450CE2 second address: 450D28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B8C3A842h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov bx, E19Eh 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D2FC9h], esi 0x00000016 push 00000000h 0x00000018 mov ebx, 7676ADC6h 0x0000001d xchg eax, esi 0x0000001e jnl 00007F57B8C3A83Eh 0x00000024 push eax 0x00000025 pushad 0x00000026 je 00007F57B8C3A838h 0x0000002c push edi 0x0000002d pop edi 0x0000002e push ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 451CD6 second address: 451CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 452C28 second address: 452C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 452C2D second address: 452C32 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 453D26 second address: 453D2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 453D2C second address: 453D92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B901D149h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jbe 00007F57B901D13Ch 0x00000013 jbe 00007F57B901D14Dh 0x00000019 popad 0x0000001a nop 0x0000001b push ebx 0x0000001c mov edi, ebx 0x0000001e pop edi 0x0000001f push 00000000h 0x00000021 mov dword ptr [ebp+122D20B0h], eax 0x00000027 push 00000000h 0x00000029 or bx, 0B62h 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 push ebx 0x00000032 push ebx 0x00000033 pop ebx 0x00000034 pop ebx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 455F14 second address: 455F76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B8C3A845h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop eax 0x00000012 nop 0x00000013 sbb bx, 7AA5h 0x00000018 xor bh, FFFFFFF2h 0x0000001b push 00000000h 0x0000001d stc 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007F57B8C3A838h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 0000001Bh 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a mov di, AB3Bh 0x0000003e mov dword ptr [ebp+122D3838h], edx 0x00000044 xchg eax, esi 0x00000045 pushad 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 457FF3 second address: 458072 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F57B901D138h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F57B901D138h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov ebx, dword ptr [ebp+122D1CF8h] 0x0000002f push 00000000h 0x00000031 call 00007F57B901D144h 0x00000036 mov edi, dword ptr [ebp+122D303Bh] 0x0000003c pop ebx 0x0000003d push 00000000h 0x0000003f pushad 0x00000040 sub dword ptr [ebp+122D2079h], eax 0x00000046 mov edx, 2B6448AFh 0x0000004b popad 0x0000004c push eax 0x0000004d pushad 0x0000004e jmp 00007F57B901D142h 0x00000053 jbe 00007F57B901D13Ch 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4560A0 second address: 4560A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 456175 second address: 456179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 45712E second address: 45713C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F57B8C3A836h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 45DF26 second address: 45DF79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F57B901D145h 0x0000000b popad 0x0000000c push edx 0x0000000d jmp 00007F57B901D141h 0x00000012 pop edx 0x00000013 jmp 00007F57B901D13Fh 0x00000018 popad 0x00000019 jo 00007F57B901D15Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F57B901D13Ah 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 45DF79 second address: 45DF7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 43F75A second address: 43F767 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 467D04 second address: 467D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 3F4E85 second address: 3F4EB0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F57B901D13Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F57B901D136h 0x00000014 jmp 00007F57B901D147h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 3F4EB0 second address: 3F4EF3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F57B8C3A844h 0x0000000e jmp 00007F57B8C3A83Bh 0x00000013 jmp 00007F57B8C3A83Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F57B8C3A83Fh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4669A7 second address: 4669B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4669B3 second address: 4669B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4669B7 second address: 4669CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F57B901D13Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 466FB9 second address: 466FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 467121 second address: 467144 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F57B901D13Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F57B901D13Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 467144 second address: 467148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 46729B second address: 4672A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F57B901D136h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4672A5 second address: 4672AE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4672AE second address: 4672B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4672B4 second address: 4672BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4673F3 second address: 4673FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4673FA second address: 467402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 467402 second address: 467418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a jl 00007F57B901D136h 0x00000010 pop esi 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 467418 second address: 46741E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 46741E second address: 467423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 467423 second address: 46742A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4675EE second address: 467607 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F57B901D136h 0x00000008 jmp 00007F57B901D13Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 467607 second address: 46760B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 467B43 second address: 467B49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 467B49 second address: 467B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 467B4F second address: 467B5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B901D13Bh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 467B5F second address: 467B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F57B8C3A83Eh 0x0000000f push edi 0x00000010 pop edi 0x00000011 je 00007F57B8C3A836h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4707C4 second address: 4707C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 407500 second address: 40750D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jbe 00007F57B8C3A83Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 47791D second address: 477921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 477DAF second address: 477DB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 478218 second address: 47821E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 478EC9 second address: 478ECF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4795DA second address: 4795E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4795E2 second address: 4795E8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 48082E second address: 480834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 480834 second address: 480838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 480838 second address: 480842 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F57B901D136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 480842 second address: 480848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 480848 second address: 48084E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 48084E second address: 480863 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F57B8C3A83Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 480863 second address: 480869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 480869 second address: 48086F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 48086F second address: 48088F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F57B901D148h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 48020A second address: 480210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 480210 second address: 48021E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F57B901D136h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 48021E second address: 480251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F57B8C3A849h 0x00000009 jc 00007F57B8C3A836h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 jnc 00007F57B8C3A836h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4803EB second address: 4803FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 ja 00007F57B901D142h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 481EEF second address: 481EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 481EF5 second address: 481F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F57B901D145h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 481F17 second address: 481F1C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4009D9 second address: 4009E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4009E2 second address: 4009F5 instructions: 0x00000000 rdtsc 0x00000002 je 00007F57B8C3A836h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe RDTSC instruction interceptor: First address: 4009F5 second address: 4009F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F6F767 second address: F6F771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F57B901D136h 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F6F771 second address: F6F775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F70316 second address: F703A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F57B901D138h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007F57B901D138h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000018h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f mov di, ax 0x00000042 mov dword ptr [ebp+122D259Bh], esi 0x00000048 push 00000000h 0x0000004a add esi, dword ptr [ebp+122D2D13h] 0x00000050 xchg eax, ebx 0x00000051 jmp 00007F57B901D13Dh 0x00000056 push eax 0x00000057 pushad 0x00000058 jng 00007F57B901D14Dh 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F70AA0 second address: F70AA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F71722 second address: F7173D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57B901D147h 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F721FD second address: F72201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F72201 second address: F72205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F72205 second address: F7220B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7220B second address: F72215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F57B901D136h 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F72BED second address: F72BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F72CA9 second address: F72CAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F72CAF second address: F72CC8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007F57B8C3A836h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 je 00007F57B8C3A836h 0x00000018 popad 0x00000019 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F72CC8 second address: F72CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F73707 second address: F7376E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B8C3A845h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jg 00007F57B8C3A838h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop edi 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F57B8C3A838h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f push ebx 0x00000030 mov si, bx 0x00000033 pop edi 0x00000034 mov edi, 70613D81h 0x00000039 push 00000000h 0x0000003b xor dword ptr [ebp+122D22C4h], ecx 0x00000041 push 00000000h 0x00000043 mov esi, eax 0x00000045 xchg eax, ebx 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7376E second address: F73772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F73772 second address: F73778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F73778 second address: F7377D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F785EC second address: F785F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F785F0 second address: F785FA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F57B901D136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F785FA second address: F78613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57B8C3A845h 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7A70C second address: F7A718 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7BC52 second address: F7BC5C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F57B8C3A83Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7BC5C second address: F7BC6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jp 00007F57B901D136h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7BC6D second address: F7BCC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B8C3A840h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov bx, si 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F57B8C3A838h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b xor dword ptr [ebp+122D36A9h], ecx 0x00000031 xchg eax, esi 0x00000032 jbe 00007F57B8C3A840h 0x00000038 pushad 0x00000039 pushad 0x0000003a popad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7CCCD second address: F7CCD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7BE13 second address: F7BE19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7BE19 second address: F7BE26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7DCCE second address: F7DCD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7DCD2 second address: F7DCDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7EBB1 second address: F7EBB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7EBB7 second address: F7EBBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7DEF1 second address: F7DEF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F7EE33 second address: F7EE43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57B901D13Ch 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F80CDE second address: F80CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F80CE2 second address: F80D28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B901D142h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov bx, E19Eh 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D2FC9h], esi 0x00000016 push 00000000h 0x00000018 mov ebx, 7676ADC6h 0x0000001d xchg eax, esi 0x0000001e jnl 00007F57B901D13Eh 0x00000024 push eax 0x00000025 pushad 0x00000026 je 00007F57B901D138h 0x0000002c push edi 0x0000002d pop edi 0x0000002e push ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F81CD6 second address: F81CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F82C28 second address: F82C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F82C2D second address: F82C32 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F83D26 second address: F83D2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F83D2C second address: F83D92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B8C3A849h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jbe 00007F57B8C3A83Ch 0x00000013 jbe 00007F57B8C3A84Dh 0x00000019 popad 0x0000001a nop 0x0000001b push ebx 0x0000001c mov edi, ebx 0x0000001e pop edi 0x0000001f push 00000000h 0x00000021 mov dword ptr [ebp+122D20B0h], eax 0x00000027 push 00000000h 0x00000029 or bx, 0B62h 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 push ebx 0x00000032 push ebx 0x00000033 pop ebx 0x00000034 pop ebx 0x00000035 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F85F14 second address: F85F76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B901D145h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop eax 0x00000012 nop 0x00000013 sbb bx, 7AA5h 0x00000018 xor bh, FFFFFFF2h 0x0000001b push 00000000h 0x0000001d stc 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007F57B901D138h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 0000001Bh 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a mov di, AB3Bh 0x0000003e mov dword ptr [ebp+122D3838h], edx 0x00000044 xchg eax, esi 0x00000045 pushad 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F860A0 second address: F860A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F86175 second address: F86179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F87FF3 second address: F88072 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F57B8C3A838h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F57B8C3A838h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov ebx, dword ptr [ebp+122D1CF8h] 0x0000002f push 00000000h 0x00000031 call 00007F57B8C3A844h 0x00000036 mov edi, dword ptr [ebp+122D303Bh] 0x0000003c pop ebx 0x0000003d push 00000000h 0x0000003f pushad 0x00000040 sub dword ptr [ebp+122D2079h], eax 0x00000046 mov edx, 2B6448AFh 0x0000004b popad 0x0000004c push eax 0x0000004d pushad 0x0000004e jmp 00007F57B8C3A842h 0x00000053 jbe 00007F57B8C3A83Ch 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F8712E second address: F8713C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F57B901D136h 0x0000000e rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F8DF26 second address: F8DF79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F57B8C3A845h 0x0000000b popad 0x0000000c push edx 0x0000000d jmp 00007F57B8C3A841h 0x00000012 pop edx 0x00000013 jmp 00007F57B8C3A83Fh 0x00000018 popad 0x00000019 jo 00007F57B8C3A85Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F57B8C3A83Ah 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F8DF79 second address: F8DF7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F97D04 second address: F97D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F24E85 second address: F24EB0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F57B901D13Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F57B901D136h 0x00000014 jmp 00007F57B901D147h 0x00000019 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F24EB0 second address: F24EF3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F57B8C3A844h 0x0000000e jmp 00007F57B8C3A83Bh 0x00000013 jmp 00007F57B8C3A83Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F57B8C3A83Fh 0x0000001f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F969A7 second address: F969B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F969B3 second address: F969B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F969B7 second address: F969CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F57B901D13Fh 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F96FB9 second address: F96FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F97121 second address: F97144 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F57B901D13Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F57B901D13Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F97144 second address: F97148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F9729B second address: F972A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F57B901D136h 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F972A5 second address: F972AE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F972AE second address: F972B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F972B4 second address: F972BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F973F3 second address: F973FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F973FA second address: F97402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F97402 second address: F97418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a jl 00007F57B901D136h 0x00000010 pop esi 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F97418 second address: F9741E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F9741E second address: F97423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F97423 second address: F9742A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F975EE second address: F97607 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F57B901D136h 0x00000008 jmp 00007F57B901D13Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F97607 second address: F9760B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F97B43 second address: F97B49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F97B49 second address: F97B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F97B4F second address: F97B5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B901D13Bh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F97B5F second address: F97B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F57B8C3A83Eh 0x0000000f push edi 0x00000010 pop edi 0x00000011 je 00007F57B8C3A836h 0x00000017 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: FA07C4 second address: FA07C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: F37500 second address: F3750D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jbe 00007F57B8C3A83Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: FA791D second address: FA7921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: FA7DAF second address: FA7DB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: FA8218 second address: FA821E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: FA8EC9 second address: FA8ECF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: FA95DA second address: FA95E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: FA95E2 second address: FA95E8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: FB082E second address: FB0834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: FB0834 second address: FB0838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: FB0838 second address: FB0842 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F57B901D136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: FB0842 second address: FB0848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: FB0848 second address: FB084E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 10174A8 second address: 10174E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B901D146h 0x00000007 jmp 00007F57B901D145h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jl 00007F57B901D136h 0x00000015 js 00007F57B901D136h 0x0000001b popad 0x0000001c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 10177D9 second address: 10177E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jbe 00007F57B901D13Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 10177E6 second address: 1017809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F57B8C3A83Eh 0x0000000b jmp 00007F57B8C3A83Fh 0x00000010 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 101A9DF second address: 101A9FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F57B901D146h 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 101AB25 second address: 101AB55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F57B8C3A836h 0x00000009 jmp 00007F57B8C3A844h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 jmp 00007F57B8C3A83Ah 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 101AB55 second address: 101AB5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F57B901D136h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F358 second address: 82F362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F57B8C3A836h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F362 second address: 82F366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F366 second address: 82F381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F57B8C3A83Fh 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F381 second address: 82F3B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F57B901D13Ch 0x0000000e pushad 0x0000000f je 00007F57B901D136h 0x00000015 jo 00007F57B901D136h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 push edi 0x00000025 pop edi 0x00000026 pushad 0x00000027 popad 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F3B7 second address: 82F3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F57B8C3A836h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F3C2 second address: 82F3CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F3CA second address: 82F3FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57B8C3A848h 0x00000007 jmp 00007F57B8C3A841h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F3FB second address: 82F3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F3FF second address: 82F405 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F56E second address: 82F58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F57B901D143h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F852 second address: 82F85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F57B8C3A836h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F85C second address: 82F860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F860 second address: 82F879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F57B8C3A83Ch 0x0000000e jnc 00007F57B8C3A836h 0x00000014 push edi 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82F9C2 second address: 82F9EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F57B901D13Bh 0x0000000c jmp 00007F57B901D147h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 82FB46 second address: 82FB80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F57B8C3A83Fh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F57B8C3A83Bh 0x00000012 jmp 00007F57B8C3A848h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 854D0B second address: 854D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 852D33 second address: 852D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 852D37 second address: 852D59 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F57B901D136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F57B901D13Fh 0x0000000f pop edx 0x00000010 push ebx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 852EFE second address: 852F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 85307C second address: 853085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 853085 second address: 853089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 853089 second address: 85308F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Special instruction interceptor: First address: 48AB62 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: FBAB62 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 8AAB62 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Window / User API: threadDelayed 1401
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1088
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 423
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1017
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 416
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1217
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1079
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1109
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1182
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1234
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe TID: 5044 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe TID: 5044 Thread sleep time: -68034s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe TID: 4616 Thread sleep count: 38 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe TID: 4616 Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe TID: 5820 Thread sleep count: 294 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe TID: 6252 Thread sleep count: 247 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe TID: 2792 Thread sleep count: 1401 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe TID: 2792 Thread sleep time: -2803401s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1172 Thread sleep count: 115 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1172 Thread sleep time: -230115s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5280 Thread sleep count: 126 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5280 Thread sleep time: -252126s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4748 Thread sleep count: 1088 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4748 Thread sleep time: -109888s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3692 Thread sleep count: 423 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3692 Thread sleep count: 115 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5524 Thread sleep count: 122 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5524 Thread sleep time: -244122s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6156 Thread sleep count: 95 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6156 Thread sleep time: -190095s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5324 Thread sleep count: 96 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5324 Thread sleep time: -192096s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5676 Thread sleep count: 115 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5676 Thread sleep time: -230115s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3992 Thread sleep count: 110 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3992 Thread sleep time: -220110s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5756 Thread sleep count: 1017 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5756 Thread sleep time: -102717s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 320 Thread sleep count: 416 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 320 Thread sleep count: 149 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3500 Thread sleep count: 135 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3500 Thread sleep time: -270135s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6148 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5248 Thread sleep count: 1217 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5248 Thread sleep time: -2435217s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5636 Thread sleep count: 93 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5636 Thread sleep count: 265 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2320 Thread sleep count: 222 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4320 Thread sleep count: 1079 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4320 Thread sleep time: -2159079s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4220 Thread sleep count: 1109 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4220 Thread sleep time: -2219109s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5252 Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6096 Thread sleep count: 1182 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6096 Thread sleep time: -2365182s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2260 Thread sleep count: 289 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6384 Thread sleep count: 248 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5296 Thread sleep count: 1234 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5296 Thread sleep time: -2469234s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_001B9610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 001B962Ah 0_2_001B9610
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_001B7750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 001B7760h country: Hungarian (hu) 0_2_001B7750
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_001B7780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 001B7790h country: Indonesian (id) 0_2_001B7780
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_001B7D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 001B7D50h country: Upper Sorbian (hsb) 0_2_001B7D40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CE7D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00CE7D50h country: Upper Sorbian (hsb) 6_2_00CE7D40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CE9610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 00CE962Ah 6_2_00CE9610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CE7780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00CE7790h country: Indonesian (id) 6_2_00CE7780
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CE7750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00CE7760h country: Hungarian (hu) 6_2_00CE7750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CE9610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 00CE962Ah 7_2_00CE9610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CE7780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00CE7790h country: Indonesian (id) 7_2_00CE7780
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CE7750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00CE7760h country: Hungarian (hu) 7_2_00CE7750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CE7D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00CE7D50h country: Upper Sorbian (hsb) 7_2_00CE7D40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_005D7D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 005D7D50h country: Upper Sorbian (hsb) 8_2_005D7D40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_005D9610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 005D962Ah 8_2_005D9610
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_005D7750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 005D7760h country: Hungarian (hu) 8_2_005D7750
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_005D7780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 005D7790h country: Indonesian (id) 8_2_005D7780
Source: LisectAVT_2403002A_191.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RageMP131.exe, 00000008.00000002.3275956134.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\
Source: LisectAVT_2403002A_191.exe, 00000000.00000002.3275956463.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_78BF175D`
Source: MPGPH131.exe, 00000007.00000002.3274228386.0000000000A42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_78BF175D
Source: RageMP131.exe, 0000000A.00000002.3274007853.000000000055D000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000007.00000002.3274228386.0000000000A08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}tP
Source: MPGPH131.exe, 00000007.00000003.2073921795.0000000000A42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}x
Source: MPGPH131.exe, 00000006.00000002.3274032651.000000000076D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: RageMP131.exe, 00000008.00000002.3275956134.0000000000E90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000VISION=8f08ProgramData=C:\PrL
Source: MPGPH131.exe, 00000006.00000002.3273997793.000000000073C000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}v
Source: MPGPH131.exe, 00000007.00000003.2073921795.0000000000A40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.3274032651.000000000076D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: y\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000s\user\AppData\Local\Temp\h
Source: RageMP131.exe, 0000000A.00000002.3275957814.0000000000B32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/
Source: LisectAVT_2403002A_191.exe, 00000000.00000002.3275956463.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: RageMP131.exe, 00000008.00000002.3275956134.0000000000E90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000=Q
Source: RageMP131.exe, 0000000A.00000002.3275957814.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
Source: RageMP131.exe, 0000000A.00000002.3275957814.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RageMP131.exe, 0000000A.00000002.3275957814.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000006.00000002.3274032651.00000000007AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (w#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000007.00000002.3274228386.0000000000A08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_191.exe, 00000000.00000002.3275714719.00000000009AC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&0000
Source: MPGPH131.exe, 00000006.00000002.3274032651.00000000007AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000A.00000002.3275957814.0000000000B32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&proQ
Source: RageMP131.exe, 0000000A.00000003.2275959248.0000000000B32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
Source: LisectAVT_2403002A_191.exe, 00000000.00000002.3275956463.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_78BF175D
Source: RageMP131.exe, 00000008.00000002.3275956134.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_78BF175D
Source: MPGPH131.exe, 00000007.00000002.3274228386.0000000000A08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: LisectAVT_2403002A_191.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000007.00000002.3274228386.0000000000A08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}&Ph7
Source: MPGPH131.exe, 00000006.00000002.3274032651.000000000076D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: RageMP131.exe, 00000008.00000002.3275956134.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_00169F50 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory, 0_2_00169F50
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_00165B90 mov ecx, dword ptr fs:[00000030h] 0_2_00165B90
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_0016C0A0 mov eax, dword ptr fs:[00000030h] 0_2_0016C0A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_00164100 mov eax, dword ptr fs:[00000030h] 0_2_00164100
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_00165498 mov eax, dword ptr fs:[00000030h] 0_2_00165498
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_001657B8 mov eax, dword ptr fs:[00000030h] 0_2_001657B8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_001648E0 mov eax, dword ptr fs:[00000030h] 0_2_001648E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_00164DC9 mov eax, dword ptr fs:[00000030h] 0_2_00164DC9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00C948E0 mov eax, dword ptr fs:[00000030h] 6_2_00C948E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00C9C0A0 mov eax, dword ptr fs:[00000030h] 6_2_00C9C0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00C94100 mov eax, dword ptr fs:[00000030h] 6_2_00C94100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00C95498 mov eax, dword ptr fs:[00000030h] 6_2_00C95498
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00C94DC9 mov eax, dword ptr fs:[00000030h] 6_2_00C94DC9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00C957B8 mov eax, dword ptr fs:[00000030h] 6_2_00C957B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00C95B90 mov ecx, dword ptr fs:[00000030h] 7_2_00C95B90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00C9C0A0 mov eax, dword ptr fs:[00000030h] 7_2_00C9C0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00C94100 mov eax, dword ptr fs:[00000030h] 7_2_00C94100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00C95498 mov eax, dword ptr fs:[00000030h] 7_2_00C95498
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00C957B8 mov eax, dword ptr fs:[00000030h] 7_2_00C957B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00C948E0 mov eax, dword ptr fs:[00000030h] 7_2_00C948E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00C94DC9 mov eax, dword ptr fs:[00000030h] 7_2_00C94DC9
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_005848E0 mov eax, dword ptr fs:[00000030h] 8_2_005848E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_0058C0A0 mov eax, dword ptr fs:[00000030h] 8_2_0058C0A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00584100 mov eax, dword ptr fs:[00000030h] 8_2_00584100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00585498 mov eax, dword ptr fs:[00000030h] 8_2_00585498
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00584DC9 mov eax, dword ptr fs:[00000030h] 8_2_00584DC9
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_005857B8 mov eax, dword ptr fs:[00000030h] 8_2_005857B8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_00164400 cpuid 0_2_00164400
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_0022F26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_0022F26A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Code function: 0_2_00167DC0 GetUserNameA,GetFileAttributesA,__Mtx_unlock,__Mtx_unlock,CopyFileA,RegOpenKeyExA,RegSetValueExA,GetFileAttributesA,__Mtx_unlock,__Mtx_unlock,CopyFileA, 0_2_00167DC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_191.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.3273994420.0000000000151000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2062288442.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2182605884.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3274056165.0000000000571000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2061020285.0000000004640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3274575639.0000000000C81000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2264006131.0000000004450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3274002949.0000000000571000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2033248421.0000000004720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3274459385.0000000000C81000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_191.exe PID: 2696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2408, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.3273994420.0000000000151000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2062288442.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2182605884.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3274056165.0000000000571000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2061020285.0000000004640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3274575639.0000000000C81000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2264006131.0000000004450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3274002949.0000000000571000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2033248421.0000000004720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3274459385.0000000000C81000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_191.exe PID: 2696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2408, type: MEMORYSTR