Windows Analysis Report
LisectAVT_2403002A_185.exe

Overview

General Information

Sample name: LisectAVT_2403002A_185.exe
Analysis ID: 1482448
MD5: e4561ad384f825254ddf8335308bbbcf
SHA1: 0379bbd4b8684caa337908286b870f5e38a58693
SHA256: 8506917c0d92df1de8f1f7e6883669a0190d9997532a653d085d51a4e2123d13
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: LisectAVT_2403002A_185.exe Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: TR/Redcap.xyhrk
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: TR/Redcap.xyhrk
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_185.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_185.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: global traffic TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.9:49706 -> 193.233.132.74:58709
Source: Joe Sandbox View IP Address: 193.233.132.74
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Code function: 0_2_0083E0A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket, 0_2_0083E0A0
Source: LisectAVT_2403002A_185.exe, MPGPH131.exe, RageMP131.exe String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_185.exe, MPGPH131.exe, RageMP131.exe String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_185.exe, MPGPH131.exe, RageMP131.exe String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe String found in binary or memory: https://t.me/RiseProSUPPORTD
Source: LisectAVT_2403002A_185.exe String found in binary or memory: https://t.me/RiseProSUPPORTN

System Summary

Source: LisectAVT_2403002A_185.exe Static PE information: section name:
Source: LisectAVT_2403002A_185.exe Static PE information: section name: .idata
Source: LisectAVT_2403002A_185.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Process Stats: CPU usage > 49%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 002EFED0 appears 52 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 0091FED0 appears 52 times
Source: LisectAVT_2403002A_185.exe Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_185.exe
Source: LisectAVT_2403002A_185.exe Static PE information: Section: ZLIB complexity 0.9993641774891775
Source: LisectAVT_2403002A_185.exe Static PE information: Section: kcbbzddg ZLIB complexity 0.9894442103215768
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9993641774891775
Source: RageMP131.exe.0.dr Static PE information: Section: kcbbzddg ZLIB complexity 0.9894442103215768
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9993641774891775
Source: MPGPH131.exe.0.dr Static PE information: Section: kcbbzddg ZLIB complexity 0.9894442103215768
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Command line argument: nI1 6_2_003148C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Command line argument: nI1 7_2_003148C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_185.exe, MPGPH131.exe, RageMP131.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_185.exe, MPGPH131.exe, RageMP131.exe Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_185.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe "C:\Users\user\Desktop\LisectAVT_2403002A_185.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: LisectAVT_2403002A_185.exe Static file information: File size 2328582 > 1048576
Source: LisectAVT_2403002A_185.exe Static PE information: Raw size of kcbbzddg is bigger than: 0x100000 < 0x1a5c00

Data Obfuscation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Unpacked PE file: 0.2.LisectAVT_2403002A_185.exe.820000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcbbzddg:EW;ixbabcmr:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcbbzddg:EW;ixbabcmr:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.210000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcbbzddg:EW;ixbabcmr:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcbbzddg:EW;ixbabcmr:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.210000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcbbzddg:EW;ixbabcmr:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcbbzddg:EW;ixbabcmr:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.840000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcbbzddg:EW;ixbabcmr:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcbbzddg:EW;ixbabcmr:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 10.2.RageMP131.exe.840000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcbbzddg:EW;ixbabcmr:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcbbzddg:EW;ixbabcmr:EW;
Source: initial sample Static PE information: section where entry point is pointing to: ixbabcmr
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x2397e9 should be: 0x2397ef
Source: LisectAVT_2403002A_185.exe Static PE information: real checksum: 0x2397e9 should be: 0x2397ef
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x2397e9 should be: 0x2397ef
Source: LisectAVT_2403002A_185.exe Static PE information: section name:
Source: LisectAVT_2403002A_185.exe Static PE information: section name: .idata
Source: LisectAVT_2403002A_185.exe Static PE information: section name:
Source: LisectAVT_2403002A_185.exe Static PE information: section name: kcbbzddg
Source: LisectAVT_2403002A_185.exe Static PE information: section name: ixbabcmr
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: kcbbzddg
Source: RageMP131.exe.0.dr Static PE information: section name: ixbabcmr
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: kcbbzddg
Source: MPGPH131.exe.0.dr Static PE information: section name: ixbabcmr
Source: LisectAVT_2403002A_185.exe Static PE information: section name: entropy: 7.985397454316368
Source: LisectAVT_2403002A_185.exe Static PE information: section name: kcbbzddg entropy: 7.949002544785609
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.985397454316368
Source: RageMP131.exe.0.dr Static PE information: section name: kcbbzddg entropy: 7.949002544785609
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.985397454316368
Source: MPGPH131.exe.0.dr Static PE information: section name: kcbbzddg entropy: 7.949002544785609
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Boot Survival

Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B116B6 second address: B116CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F74AD0D7CD1h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B11857 second address: B1185C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B11D10 second address: B11D2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74AD0D7CD6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B12989 second address: B1298E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1298E second address: B12998 instructions: 0x00000000 rdtsc 0x00000002 je 00007F74AD0D7CCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B12998 second address: B129C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F74ACBF05DCh 0x0000000e pop edx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jns 00007F74ACBF05DCh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B12C53 second address: B12C5D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F74AD0D7CCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B13044 second address: B1305E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F74ACBF05E6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B134DB second address: B1350E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007F74AD0D7CC6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebx 0x00000011 mov edi, dword ptr [ebp+122D1EABh] 0x00000017 mov dword ptr [ebp+122D3349h], esi 0x0000001d nop 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F74AD0D7CD3h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1377D second address: B13788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B13788 second address: B1378E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1378E second address: B13793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B13793 second address: B13799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B13799 second address: B1379D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B139C7 second address: B139CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B139CB second address: B139D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B139D1 second address: B139DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F74AD0D7CC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B139DB second address: B139DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B139DF second address: B139FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F74AD0D7CD3h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B14014 second address: B14034 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74ACBF05DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007F74ACBF05E4h 0x00000010 pushad 0x00000011 jc 00007F74ACBF05D6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B16B64 second address: B16B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007F74AD0D7CCEh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B16B73 second address: B16B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B16B77 second address: B16BB1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F74AD0D7CD0h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F74AD0D7CC6h 0x00000016 jmp 00007F74AD0D7CD9h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: ACE3F7 second address: ACE3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B171B1 second address: B171B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B171B7 second address: B171BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B17CF6 second address: B17D25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push edx 0x0000000c or dword ptr [ebp+12452F22h], esi 0x00000012 pop esi 0x00000013 push 00000000h 0x00000015 mov esi, 5471F417h 0x0000001a push 00000000h 0x0000001c sub dword ptr [ebp+122D1986h], esi 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 ja 00007F74AD0D7CC8h 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B17A77 second address: B17A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B17D25 second address: B17D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F74AD0D7CC6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push ebx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B17A7B second address: B17A8C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F74ACBF05D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B17A8C second address: B17A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1855D second address: B18580 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74ACBF05E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007F74ACBF05F1h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B193B3 second address: B193BD instructions: 0x00000000 rdtsc 0x00000002 js 00007F74AD0D7CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1A969 second address: B1A96E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1A96E second address: B1A9DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F74AD0D7CC8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov edi, 34F9BDA5h 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007F74AD0D7CC8h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 push 00000000h 0x00000049 xchg eax, ebx 0x0000004a push edi 0x0000004b jmp 00007F74AD0D7CD0h 0x00000050 pop edi 0x00000051 push eax 0x00000052 pushad 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1A9DA second address: B1A9E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1FA3D second address: B1FA41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1FA41 second address: B1FA47 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1FA47 second address: B1FA81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74AD0D7CD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ebx, dword ptr [ebp+12469855h] 0x00000012 mov ebx, 027B41ACh 0x00000017 push 00000000h 0x00000019 mov ebx, dword ptr [ebp+122D3708h] 0x0000001f push 00000000h 0x00000021 mov bx, D6AAh 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push ebx 0x00000029 push eax 0x0000002a pop eax 0x0000002b pop ebx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1FA81 second address: B1FA8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F74ACBF05D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1FA8B second address: B1FA8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B219EA second address: B219EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B20CDC second address: B20CE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B20DA4 second address: B20DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B20DA8 second address: B20DAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B22B52 second address: B22B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B22B5F second address: B22B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B22B63 second address: B22B69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B23AED second address: B23AF2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B22D19 second address: B22D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B23AF2 second address: B23B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 adc bx, 7E63h 0x0000000d push 00000000h 0x0000000f jo 00007F74AD0D7CCCh 0x00000015 xor dword ptr [ebp+122D2006h], eax 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007F74AD0D7CC8h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 mov dword ptr [ebp+122D297Ah], edx 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 je 00007F74AD0D7CC8h 0x00000046 push ecx 0x00000047 pop ecx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B22D22 second address: B22D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B23B3F second address: B23B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F74AD0D7CCDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B25BD2 second address: B25BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F74ACBF05D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B25BDD second address: B25BFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74AD0D7CCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007F74AD0D7CD0h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B24D6B second address: B24D6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B24D6F second address: B24D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B24D78 second address: B24D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B24D7E second address: B24D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F74AD0D7CD1h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B27AA6 second address: B27AD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74ACBF05DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F74ACBF05DCh 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 jmp 00007F74ACBF05DDh 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B28A08 second address: B28A23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74AD0D7CD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B28A23 second address: B28ACA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74ACBF05DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F74ACBF05D8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 mov edi, dword ptr [ebp+122D355Ch] 0x0000002c jmp 00007F74ACBF05E0h 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007F74ACBF05D8h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 0000001Dh 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d sub dword ptr [ebp+122D1EB9h], esi 0x00000053 push 00000000h 0x00000055 push ecx 0x00000056 jno 00007F74ACBF05DCh 0x0000005c pop edi 0x0000005d xchg eax, esi 0x0000005e jmp 00007F74ACBF05E1h 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 pushad 0x00000067 popad 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B299BC second address: B299C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B28C07 second address: B28C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F74ACBF05DCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B28C17 second address: B28C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B29B76 second address: B29B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B29B7A second address: B29B80 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B29B80 second address: B29B92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B29B92 second address: B29B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B29B97 second address: B29BA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F74ACBF05D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B2BA1D second address: B2BA21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B2BC50 second address: B2BC5D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F74ACBF05D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B2CE39 second address: B2CE3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B2DB80 second address: B2DBBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D568Eh], edi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F74ACBF05D8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b xor dword ptr [ebp+122D1F88h], ecx 0x00000031 push 00000000h 0x00000033 movzx ebx, di 0x00000036 xchg eax, esi 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B2CE3D second address: B2CE4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jng 00007F74AD0D7CC6h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B2DBBE second address: B2DBCC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F74ACBF05DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B2CE4F second address: B2CE54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B34C76 second address: B34CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jbe 00007F74ACBF05F0h 0x0000000b jnl 00007F74ACBF05D6h 0x00000011 jmp 00007F74ACBF05E4h 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B3474F second address: B34774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F74AD0D7CC6h 0x0000000a jl 00007F74AD0D7CC6h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F74AD0D7CD1h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B34774 second address: B3477A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B3477A second address: B34786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B34786 second address: B3478C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B348CC second address: B348DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 jo 00007F74AD0D7CF7h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B76231 second address: B76236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B76B4F second address: B76B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B76B53 second address: B76B59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B76B59 second address: B76B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F74AD0D7CCEh 0x00000010 push eax 0x00000011 pop eax 0x00000012 jc 00007F74AD0D7CC6h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B76B75 second address: B76B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74ACBF05DAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B76B83 second address: B76BD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74AD0D7CCCh 0x00000007 jmp 00007F74AD0D7CD6h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F74AD0D7CD7h 0x00000016 push ebx 0x00000017 jmp 00007F74AD0D7CCBh 0x0000001c push edx 0x0000001d pop edx 0x0000001e pop ebx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7B168 second address: B7B16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7B16E second address: B7B172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7A47F second address: B7A483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7A483 second address: B7A489 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7A489 second address: B7A493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7A493 second address: B7A497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7A497 second address: B7A49B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7A49B second address: B7A4A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F74AD0D7CC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7A5EB second address: B7A5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7A5EF second address: B7A5F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7A5F3 second address: B7A602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F74ACBF05D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7A602 second address: B7A60F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7A60F second address: B7A615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7A615 second address: B7A633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F74AD0D7CD9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7ABC1 second address: B7ABF4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F74ACBF05D6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F74ACBF05E1h 0x00000013 jmp 00007F74ACBF05DAh 0x00000018 push eax 0x00000019 push edx 0x0000001a jp 00007F74ACBF05D6h 0x00000020 push esi 0x00000021 pop esi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7AEBC second address: B7AEC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7AEC0 second address: B7AECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F74ACBF05D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B7AECE second address: B7AED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B88BCB second address: B88BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B86EB4 second address: B86EB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B86EB8 second address: B86EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B86EC0 second address: B86EC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B871B0 second address: B871B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B87329 second address: B8732D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B8732D second address: B87333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B87333 second address: B87343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F74AD0D7CC6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B8775C second address: B87767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F74ACBF05D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B87A79 second address: B87A80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B87BC8 second address: B87C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74ACBF05DDh 0x00000009 jmp 00007F74ACBF05DFh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F74ACBF05DEh 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F74ACBF05E7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B87C12 second address: B87C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B88A4F second address: B88A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B8696C second address: B86976 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F74AD0D7CCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B8E3E5 second address: B8E3FB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F74ACBF05DEh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: ACFE26 second address: ACFE2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: ACFE2C second address: ACFE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: ACFE30 second address: ACFE3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B8DD89 second address: B8DDA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jl 00007F74ACBF05E1h 0x0000000b jmp 00007F74ACBF05DBh 0x00000010 jo 00007F74ACBF05DCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B8DECD second address: B8DED7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F74AD0D7CCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B8DED7 second address: B8DEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jbe 00007F74ACBF05D6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B8DEE8 second address: B8DF05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F74AD0D7CCDh 0x0000000f jg 00007F74AD0D7CC6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B8DF05 second address: B8DF09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B8E077 second address: B8E099 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F74AD0D7CD9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B8E099 second address: B8E0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74ACBF05E2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B9BBA5 second address: B9BBB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F74AD0D7CC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B9BBB1 second address: B9BBB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B9BBB6 second address: B9BBCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F74AD0D7CC6h 0x0000000a jmp 00007F74AD0D7CCCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BA40CC second address: BA4103 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F74ACBF05E9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F74ACBF05D6h 0x00000013 jmp 00007F74ACBF05E0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BA4103 second address: BA410D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F74AD0D7CC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BA410D second address: BA4118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BA4118 second address: BA411E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BA411E second address: BA4129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BA4129 second address: BA4130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BA4130 second address: BA414B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F74ACBF05E3h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BACC07 second address: BACC1E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F74AD0D7CC6h 0x00000008 jmp 00007F74AD0D7CCAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BACC1E second address: BACC24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BB74D2 second address: BB74E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74AD0D7CCAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BB74E5 second address: BB74F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74ACBF05DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BB74F5 second address: BB7514 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74AD0D7CD4h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BB5FDB second address: BB5FDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BB6670 second address: BB667A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F74AD0D7CC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BB667A second address: BB667E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BB7189 second address: BB719B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F74AD0D7CC6h 0x0000000a jp 00007F74AD0D7CC6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BB719B second address: BB71CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 jmp 00007F74ACBF05E1h 0x0000000e pop ebx 0x0000000f jmp 00007F74ACBF05E4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BB8DDA second address: BB8DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BB8DDE second address: BB8DFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F74ACBF05E1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BBD47D second address: BBD486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BBD486 second address: BBD490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F74ACBF05D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BBD490 second address: BBD49A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F74AD0D7CC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BBD04E second address: BBD052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BBED96 second address: BBEDE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F74AD0D7CC6h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F74AD0D7CD0h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edi 0x00000014 jl 00007F74AD0D7CD3h 0x0000001a jmp 00007F74AD0D7CCDh 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F74AD0D7CD9h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BBEBFA second address: BBEC01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BCAFB2 second address: BCAFB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BCAFB7 second address: BCAFD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F74ACBF05D6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F74ACBF05DEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BD1A0B second address: BD1A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BD5313 second address: BD5326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74ACBF05DFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BD5326 second address: BD5335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F74AD0D7CC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BCD2C1 second address: BCD2CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F74ACBF05D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BCD2CD second address: BCD300 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F74AD0D7CD0h 0x00000008 pushad 0x00000009 popad 0x0000000a jo 00007F74AD0D7CC6h 0x00000010 popad 0x00000011 jp 00007F74AD0D7CCCh 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push ecx 0x0000001a jl 00007F74AD0D7CCCh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BE2B2D second address: BE2B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F74ACBF05E6h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: BE2B4C second address: BE2B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F74AD0D7CC6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: C05B7D second address: C05B81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: C04901 second address: C04920 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F74AD0D7CC6h 0x00000008 jmp 00007F74AD0D7CD5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: C04920 second address: C04937 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jc 00007F74ACBF05D6h 0x0000000b popad 0x0000000c pushad 0x0000000d jng 00007F74ACBF05D6h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: C04937 second address: C04954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74AD0D7CCDh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: C04954 second address: C0495E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F74ACBF05D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: C04AB6 second address: C04ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: C04ABB second address: C04AEE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop ecx 0x00000008 push ecx 0x00000009 jmp 00007F74ACBF05E3h 0x0000000e jno 00007F74ACBF05D6h 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jc 00007F74ACBF05DCh 0x0000001f jc 00007F74ACBF05D6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 52F021F second address: 52F0247 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74AD0D7CD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ah, bh 0x00000011 mov al, CBh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 52F0247 second address: 52F02B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F74ACBF05DCh 0x00000009 sbb ch, FFFFFF98h 0x0000000c jmp 00007F74ACBF05DBh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ebp 0x00000016 jmp 00007F74ACBF05E2h 0x0000001b mov dword ptr [esp], edi 0x0000001e jmp 00007F74ACBF05E0h 0x00000023 test esi, esi 0x00000025 pushad 0x00000026 mov cx, 857Dh 0x0000002a popad 0x0000002b je 00007F751EE6E954h 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F74ACBF05E1h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 52F02B2 second address: 52F02B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 52F02B8 second address: 52F034B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F74ACBF05DAh 0x00000009 sub ch, FFFFFFB8h 0x0000000c jmp 00007F74ACBF05DBh 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001e jmp 00007F74ACBF05E4h 0x00000023 je 00007F751EE6E90Ch 0x00000029 pushad 0x0000002a movzx eax, bx 0x0000002d mov bh, ADh 0x0000002f popad 0x00000030 mov edx, dword ptr [esi+44h] 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F74ACBF05E0h 0x0000003a xor ecx, 4E083B78h 0x00000040 jmp 00007F74ACBF05DBh 0x00000045 popfd 0x00000046 pushad 0x00000047 push ecx 0x00000048 pop ebx 0x00000049 mov eax, 788931C1h 0x0000004e popad 0x0000004f popad 0x00000050 or edx, dword ptr [ebp+0Ch] 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F74ACBF05E3h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 52F034B second address: 52F039C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74AD0D7CD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f jmp 00007F74AD0D7CCEh 0x00000014 jne 00007F751F355FD2h 0x0000001a jmp 00007F74AD0D7CD0h 0x0000001f test byte ptr [esi+48h], 00000001h 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 52F039C second address: 52F03A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 52F03A0 second address: 52F03BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74AD0D7CD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 52F03BD second address: 52F03CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F74ACBF05DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 52F03CD second address: 52F03E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F751F355F92h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F74AD0D7CCAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 52F03E7 second address: 52F03FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74ACBF05DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test bl, 00000007h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop esi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 53000A4 second address: 53000BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F74AD0D7CD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 53000BC second address: 53000C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 53000C0 second address: 53000D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F74AD0D7CCAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 53000D7 second address: 53000DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 53000DD second address: 5300117 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74AD0D7CCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F74AD0D7CCCh 0x00000013 or ax, B298h 0x00000018 jmp 00007F74AD0D7CCBh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 mov eax, 45EB8CE5h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 530024D second address: 5300253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 5300253 second address: 5300257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 5300371 second address: 5300382 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74ACBF05DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 53003B8 second address: 53003C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F74AD0D7CCCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 53003C8 second address: 53003CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 53003CC second address: 53003DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 53003DB second address: 53003DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 53003DF second address: 53003F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74AD0D7CD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 53003F7 second address: 5300409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F74ACBF05DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 5300409 second address: 530040D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 530040D second address: 5300423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esp, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F74ACBF05DAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 5300423 second address: 5300452 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F74AD0D7CD1h 0x00000009 adc esi, 29652666h 0x0000000f jmp 00007F74AD0D7CD1h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 5300452 second address: 5300462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b mov eax, 3D64698Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 536180E second address: 5361812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 53618DF second address: 536180E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74ACBF05E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c lea eax, dword ptr [ebp-10h] 0x0000000f push eax 0x00000010 call ebx 0x00000012 mov edi, edi 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B15581 second address: B15586 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B15726 second address: B1572A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1572A second address: B1574A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a jmp 00007F74AD0D7CD1h 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: B1574A second address: B1574E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 5320899 second address: 5320906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov ah, E6h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov dx, F144h 0x00000011 pushfd 0x00000012 jmp 00007F74AD0D7CCDh 0x00000017 sbb cl, FFFFFF86h 0x0000001a jmp 00007F74AD0D7CD1h 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov eax, edi 0x00000028 pushfd 0x00000029 jmp 00007F74AD0D7CCFh 0x0000002e sbb eax, 05CD99BEh 0x00000034 jmp 00007F74AD0D7CD9h 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe RDTSC instruction interceptor: First address: 5320906 second address: 532090C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Special instruction interceptor: First address: 95F88D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Special instruction interceptor: First address: B93D1F instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 34F88D instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 583D1F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 97F88D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: BB3D1F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Code function: 0_2_05370822 rdtsc 0_2_05370822
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Window / User API: threadDelayed 972
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Window / User API: threadDelayed 983
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Window / User API: threadDelayed 1107
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1222
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1137
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 746
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1128
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1135
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 762
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1121
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 951
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1088
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1171
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1129
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe TID: 7364 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe TID: 7364 Thread sleep time: -68034s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe TID: 7340 Thread sleep count: 972 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe TID: 7340 Thread sleep time: -1944972s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe TID: 7356 Thread sleep count: 983 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe TID: 7356 Thread sleep time: -1966983s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe TID: 7288 Thread sleep count: 105 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe TID: 7288 Thread sleep count: 243 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe TID: 7568 Thread sleep count: 245 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe TID: 7348 Thread sleep count: 1107 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe TID: 7348 Thread sleep time: -2215107s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7640 Thread sleep count: 85 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7640 Thread sleep time: -170085s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7632 Thread sleep count: 107 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7632 Thread sleep time: -214107s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7576 Thread sleep count: 100 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7576 Thread sleep count: 1222 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7576 Thread sleep time: -123422s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7860 Thread sleep count: 1137 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7860 Thread sleep count: 746 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7860 Thread sleep time: -74600s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7612 Thread sleep count: 106 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7612 Thread sleep time: -212106s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7624 Thread sleep count: 116 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7624 Thread sleep time: -232116s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7732 Thread sleep count: 78 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7732 Thread sleep time: -156078s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7724 Thread sleep count: 120 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7724 Thread sleep time: -240120s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 Thread sleep count: 91 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7720 Thread sleep count: 114 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7720 Thread sleep time: -228114s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7712 Thread sleep count: 117 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7712 Thread sleep time: -234117s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 Thread sleep count: 1128 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 Thread sleep time: -113928s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7864 Thread sleep count: 1135 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7864 Thread sleep count: 762 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7864 Thread sleep time: -76200s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7736 Thread sleep count: 69 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7736 Thread sleep time: -138069s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7932 Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7912 Thread sleep count: 1121 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7912 Thread sleep time: -2243121s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7888 Thread sleep count: 262 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012 Thread sleep count: 223 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7920 Thread sleep count: 951 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7920 Thread sleep time: -1902951s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7908 Thread sleep count: 1088 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7908 Thread sleep time: -2177088s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3104 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3104 Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8172 Thread sleep count: 1171 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8172 Thread sleep time: -2343171s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8152 Thread sleep count: 250 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7180 Thread sleep count: 255 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3168 Thread sleep count: 1129 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3168 Thread sleep time: -2259129s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: RageMP131.exe, RageMP131.exe, 0000000A.00000002.3788527005.0000000000B0A000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000007.00000002.3789574147.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 00000008.00000002.3789735499.00000000012A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000F
Source: LisectAVT_2403002A_185.exe, 00000000.00000002.3789734640.000000000138E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000g
Source: RageMP131.exe, 0000000A.00000002.3790015018.00000000014A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_185.exe, 00000000.00000002.3789734640.0000000001380000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000008.00000002.3789533093.000000000116D000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&0000
Source: RageMP131.exe, 0000000A.00000002.3789536237.00000000010FD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000A.00000002.3790015018.00000000014A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: RageMP131.exe, 00000008.00000002.3789735499.00000000012EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_3BBBC0DC
Source: MPGPH131.exe, 00000007.00000002.3789574147.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8
Source: RageMP131.exe, 0000000A.00000002.3790015018.00000000014A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}X
Source: LisectAVT_2403002A_185.exe, 00000000.00000002.3789734640.00000000013C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000na\AppData\Local\Temp\heidiAo
Source: RageMP131.exe, 0000000A.00000003.1561636088.00000000014BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000A.00000002.3790015018.00000000014A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&?
Source: LisectAVT_2403002A_185.exe, 00000000.00000002.3788479543.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3788634361.00000000004DA000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3788481819.00000000004DA000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.3788503404.0000000000B0A000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000002.3788527005.0000000000B0A000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 0000000A.00000002.3790015018.00000000014BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&pro
Source: MPGPH131.exe, 00000007.00000002.3789574147.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}-
Source: LisectAVT_2403002A_185.exe, 00000000.00000002.3789734640.0000000001380000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}6
Source: LisectAVT_2403002A_185.exe, 00000000.00000002.3789734640.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3789661923.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3789574147.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3789735499.00000000012E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MPGPH131.exe, 00000007.00000002.3789574147.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_3BBBC0DC
Source: LisectAVT_2403002A_185.exe, 00000000.00000002.3789734640.000000000138E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}l
Source: MPGPH131.exe, 00000007.00000002.3789534947.0000000000B3D000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Hn
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Code function: 0_2_0537005C Start: 05370108 End: 05370073 0_2_0537005C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Code function: 0_2_053708AC Start: 05370B37 End: 053708C0 0_2_053708AC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_04D509DC Start: 04D50B05 End: 04D509AD 7_2_04D509DC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_04D605BD Start: 04D60667 End: 04D605D9 7_2_04D605BD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_053A008B Start: 053A017F End: 053A005D 8_2_053A008B
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_05420338 Start: 05420352 End: 0542034C 10_2_05420338
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Code function: 0_2_05370822 rdtsc 0_2_05370822
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Code function: 0_2_00883A40 mov eax, dword ptr fs:[00000030h] 0_2_00883A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Code function: 0_2_00883A40 mov eax, dword ptr fs:[00000030h] 0_2_00883A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Code function: 0_2_00834100 mov eax, dword ptr fs:[00000030h] 0_2_00834100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00273A40 mov eax, dword ptr fs:[00000030h] 6_2_00273A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00273A40 mov eax, dword ptr fs:[00000030h] 6_2_00273A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00224100 mov eax, dword ptr fs:[00000030h] 6_2_00224100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00273A40 mov eax, dword ptr fs:[00000030h] 7_2_00273A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00273A40 mov eax, dword ptr fs:[00000030h] 7_2_00273A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00224100 mov eax, dword ptr fs:[00000030h] 7_2_00224100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_008A3A40 mov eax, dword ptr fs:[00000030h] 8_2_008A3A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_008A3A40 mov eax, dword ptr fs:[00000030h] 8_2_008A3A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00854100 mov eax, dword ptr fs:[00000030h] 8_2_00854100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_008A3A40 mov eax, dword ptr fs:[00000030h] 10_2_008A3A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_008A3A40 mov eax, dword ptr fs:[00000030h] 10_2_008A3A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00854100 mov eax, dword ptr fs:[00000030h] 10_2_00854100
Source: RageMP131.exe, RageMP131.exe, 0000000A.00000002.3788527005.0000000000B0A000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Code function: 0_2_008FF26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_008FF26A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_185.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000007.00000003.1393916127.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3788234643.0000000000211000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1468115557.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1392470110.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3788080872.0000000000211000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1331208487.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1548941705.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3788139616.0000000000841000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3788101303.0000000000841000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3788079300.0000000000821000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_185.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8148, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000007.00000003.1393916127.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3788234643.0000000000211000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1468115557.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1392470110.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3788080872.0000000000211000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1331208487.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1548941705.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3788139616.0000000000841000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3788101303.0000000000841000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3788079300.0000000000821000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_185.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8148, type: MEMORYSTR