Windows Analysis Report
LisectAVT_2403002A_151.exe

Overview

General Information

Sample name: LisectAVT_2403002A_151.exe
Analysis ID: 1482488
MD5: a528d71182717541346487642bb54dd2
SHA1: 7c9b47714dfce098237d5df9381fcbe1d856f41d
SHA256: f4880369ec64ebb35bbf6231f9275d82a878e6c3cdfb75468ea1d529b895892d
Tags: exe, RiseProStealer

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

AV Detection

Source: LisectAVT_2403002A_151.exe Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_151.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_151.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: global traffic TCP traffic: 193.233.132.62 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 193.233.132.62:58709
Source: Joe Sandbox View IP Address: 193.233.132.62 193.233.132.62
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009DE0A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket, 0_2_009DE0A0
Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: MPGPH131.exe, RageMP131.exe String found in binary or memory: https://ipinfo.io/
Source: LisectAVT_2403002A_151.exe, 00000000.00000003.1655205420.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_151.exe, 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1713791639.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RageMP131.exe, 00000009.00000002.2907853014.0000000000D98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000006.00000002.2909798840.0000000000B18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT2
Source: MPGPH131.exe, RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

System Summary

Source: LisectAVT_2403002A_151.exe Static PE information: section name:
Source: LisectAVT_2403002A_151.exe Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 00F6FED0 appears 31 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: String function: 00A9FED0 appears 31 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 006BFED0 appears 62 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 006BF4FC appears 46 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 006CFD51 appears 34 times
Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2913002181.0000000004DCF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_151.exe
Source: LisectAVT_2403002A_151.exe, 00000000.00000000.1649743770.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_151.exe
Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_151.exe
Source: LisectAVT_2403002A_151.exe Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_151.exe
Source: LisectAVT_2403002A_151.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_151.exe Static PE information: Section: ZLIB complexity 0.9991561823593074
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9991561823593074
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9991561823593074
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Command line argument: nIn 5_2_006E48C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Command line argument: nIn 6_2_006E48C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_151.exe, 00000000.00000003.1655205420.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_151.exe, 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1713791639.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_151.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: LisectAVT_2403002A_151.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe "C:\Users\user\Desktop\LisectAVT_2403002A_151.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: LisectAVT_2403002A_151.exe Static file information: File size 3193864 > 1048576
Source: LisectAVT_2403002A_151.exe Static PE information: Raw size of qzmhftlj is bigger than: 0x100000 < 0x275400

Data Obfuscation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Unpacked PE file: 0.2.LisectAVT_2403002A_151.exe.9c0000.0.unpack :EW;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 5.2.MPGPH131.exe.5e0000.0.unpack :EW;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.5e0000.0.unpack :EW;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 7.2.RageMP131.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 9.2.RageMP131.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW;
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D9F50 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory, 0_2_009D9F50
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x315411 should be: 0x30f84d
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x315411 should be: 0x30f84d
Source: LisectAVT_2403002A_151.exe Static PE information: real checksum: 0x315411 should be: 0x30f84d
Source: LisectAVT_2403002A_151.exe Static PE information: section name:
Source: LisectAVT_2403002A_151.exe Static PE information: section name: .idata
Source: LisectAVT_2403002A_151.exe Static PE information: section name: qzmhftlj
Source: LisectAVT_2403002A_151.exe Static PE information: section name: bkynihaq
Source: LisectAVT_2403002A_151.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name: qzmhftlj
Source: RageMP131.exe.0.dr Static PE information: section name: bkynihaq
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name: qzmhftlj
Source: MPGPH131.exe.0.dr Static PE information: section name: bkynihaq
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_00A9FA97 push ecx; ret 0_2_00A9FAAA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009E1B20 push esi; ret 0_2_009E1B22
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_006BFA97 push ecx; ret 5_2_006BFAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005F7D53 push edi; retf 000Ch 5_2_005F7D56
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006BFA97 push ecx; ret 6_2_006BFAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00601B20 push esi; ret 6_2_00601B22
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00F6FA97 push ecx; ret 7_2_00F6FAAA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EA7D53 push edi; retf 000Ch 7_2_00EA7D56
Source: LisectAVT_2403002A_151.exe Static PE information: section name: entropy: 7.983746449936841
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.983746449936841
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.983746449936841
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_00A43F80 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00A43F80

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CC5A29 second address: CC5A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CC6B15 second address: CC6B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CC9376 second address: CC937C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CC937C second address: CC9383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCB171 second address: CCB18E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCB18E second address: CCB198 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4860DEC96Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCB198 second address: CCB1E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 clc 0x0000000a push 00000000h 0x0000000c sub dword ptr [ebp+122D2BB7h], esi 0x00000012 mov edi, dword ptr [ebp+122D3A94h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F4860DF3FC8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 mov ebx, dword ptr [ebp+122D37C8h] 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f jne 00007F4860DF3FC6h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CC9427 second address: CC942B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCB1E6 second address: CCB1EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CC942B second address: CC943F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC970h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCB1EC second address: CCB1F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCC182 second address: CCC187 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCC187 second address: CCC18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCB418 second address: CCB422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCD254 second address: CCD2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push esi 0x0000000b call 00007F4860DF3FCEh 0x00000010 mov edi, dword ptr [ebp+122D1CE9h] 0x00000016 pop ebx 0x00000017 pop edi 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F4860DF3FC8h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 cld 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edx 0x0000003a call 00007F4860DF3FC8h 0x0000003f pop edx 0x00000040 mov dword ptr [esp+04h], edx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc edx 0x0000004d push edx 0x0000004e ret 0x0000004f pop edx 0x00000050 ret 0x00000051 jmp 00007F4860DF3FCEh 0x00000056 push eax 0x00000057 pushad 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCD42D second address: CCD433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCD433 second address: CCD4B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push ecx 0x00000008 jmp 00007F4860DF3FD5h 0x0000000d pop ecx 0x0000000e nop 0x0000000f and ebx, dword ptr [ebp+122D2A0Bh] 0x00000015 add di, F602h 0x0000001a push dword ptr fs:[00000000h] 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 sub dword ptr [ebp+122D316Ch], ecx 0x0000002e mov eax, dword ptr [ebp+122D1255h] 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007F4860DF3FC8h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e movsx ebx, di 0x00000051 mov dword ptr [ebp+122D2BBEh], ecx 0x00000057 push FFFFFFFFh 0x00000059 mov ebx, dword ptr [ebp+122D2C1Bh] 0x0000005f nop 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F4860DF3FCCh 0x00000069 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCE4B3 second address: CCE4B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCD4B6 second address: CCD4CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCD4CD second address: CCD4E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnl 00007F4860DEC966h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CCD4E0 second address: CCD4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CD04FD second address: CD0522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4860DEC978h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CD0522 second address: CD0528 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CD0528 second address: CD052E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CD13EF second address: CD13F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CD13F5 second address: CD13F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CD06D0 second address: CD06EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4860DF3FC6h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4860DF3FCCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CDC144 second address: CDC154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4860DEC96Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CDC154 second address: CDC163 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4860DF3FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CDC163 second address: CDC16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: C72D59 second address: C72D7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F4860DF3FCCh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: C72D7D second address: C72DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4860DEC979h 0x00000010 jmp 00007F4860DEC96Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CE234B second address: CE2351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CE2351 second address: CE2357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CE2357 second address: CE235D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CEEB05 second address: CEEB2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jmp 00007F4860DEC96Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4860DEC96Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CEEB2B second address: CEEB2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CECB85 second address: CECB89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CECB89 second address: CECB93 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CECB93 second address: CECB97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CECCC4 second address: CECCE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4860DF3FD7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CECCE1 second address: CECCFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4860DEC978h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CECCFD second address: CECD01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CED2DD second address: CED2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CED2E3 second address: CED2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CED2E7 second address: CED2F1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4860DEC96Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CED716 second address: CED720 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4860DF3FD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CED720 second address: CED726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CED868 second address: CED86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CED86C second address: CED870 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CED870 second address: CED87C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CED87C second address: CED880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CED880 second address: CED884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CEDB79 second address: CEDB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CEDB7D second address: CEDB8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CEDB8B second address: CEDBC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC973h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F4860DEC979h 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F4860DEC966h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CEDBC4 second address: CEDBC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CEE953 second address: CEE968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DEC96Eh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CEE968 second address: CEE973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F4860DF3FC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CEE973 second address: CEE981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CEE981 second address: CEE993 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F4860DF3FC6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CEE993 second address: CEE9B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC972h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F4860DEC966h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CF6557 second address: CF656F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DF3FCAh 0x00000009 je 00007F4860DF3FDFh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CF5F78 second address: CF5F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CF60BD second address: CF60CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F4860DF3FC6h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CF60CC second address: CF60D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CF60D2 second address: CF60DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F4860DF3FC6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CF60DF second address: CF60EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4860DEC966h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CF60EE second address: CF60F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CF6299 second address: CF629D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CF629D second address: CF62AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F4860DF3FC6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CF62AB second address: CF62B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: CF62B7 second address: CF62BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: C748DF second address: C7490C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jp 00007F4860DEC966h 0x0000000c jne 00007F4860DEC966h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jg 00007F4860DEC966h 0x0000001b jmp 00007F4860DEC972h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: C7490C second address: C74912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D115AC second address: D115CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4860DEC966h 0x0000000a jo 00007F4860DEC966h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007F4860DEC966h 0x00000019 jns 00007F4860DEC966h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D115CB second address: D115CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D115CF second address: D115E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4860DEC966h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jl 00007F4860DEC96Eh 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D13700 second address: D13721 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F4860DF3FD2h 0x0000000f jnc 00007F4860DF3FC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D13721 second address: D13735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007F4860DEC96Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D13735 second address: D1374C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F4860DF3FCBh 0x0000000c push ecx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D1D22E second address: D1D234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D1D234 second address: D1D238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D1D238 second address: D1D23C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D1D23C second address: D1D246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D1D246 second address: D1D24A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D1CDB8 second address: D1CDC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4860DF3FC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe RDTSC instruction interceptor: First address: D1CDC9 second address: D1CDCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8D8BE8 second address: 8D8BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8D8A6D second address: 8D8A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8D8A78 second address: 8D8A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8D976A second address: 8D976F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8D951E second address: 8D9532 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8D9532 second address: 8D9538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8DADA7 second address: 8DADC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC96Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c jnc 00007F4860DEC966h 0x00000012 pop ecx 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8DDA86 second address: 8DDA8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E0A9B second address: 8E0B32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, 325ACBEAh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F4860DF3FC8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d call 00007F4860DF3FD5h 0x00000032 push eax 0x00000033 mov dword ptr [ebp+122D2A49h], eax 0x00000039 pop edi 0x0000003a pop edi 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ecx 0x00000040 call 00007F4860DF3FC8h 0x00000045 pop ecx 0x00000046 mov dword ptr [esp+04h], ecx 0x0000004a add dword ptr [esp+04h], 0000001Ch 0x00000052 inc ecx 0x00000053 push ecx 0x00000054 ret 0x00000055 pop ecx 0x00000056 ret 0x00000057 jnl 00007F4860DF3FCCh 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E0B32 second address: 8E0B38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E1AE1 second address: 8E1AE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E1AE7 second address: 8E1B6F instructions: 0x00000000 rdtsc 0x00000002 je 00007F4860DEC966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F4860DEC977h 0x00000012 nop 0x00000013 or dword ptr [ebp+1248708Eh], ebx 0x00000019 mov di, 32B0h 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F4860DEC968h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 00000018h 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F4860DEC968h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 movzx ebx, si 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F4860DEC96Eh 0x00000061 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E2ACE second address: 8E2AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E5A29 second address: 8E5A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E6B15 second address: 8E6B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EB171 second address: 8EB18E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC979h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EB18E second address: 8EB198 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4860DF3FCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EB198 second address: 8EB1E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 clc 0x0000000a push 00000000h 0x0000000c sub dword ptr [ebp+122D2BB7h], esi 0x00000012 mov edi, dword ptr [ebp+122D3A94h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F4860DEC968h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 mov ebx, dword ptr [ebp+122D37C8h] 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f jne 00007F4860DEC966h 0x00000045 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EB1E6 second address: 8EB1EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EB1EC second address: 8EB1F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EC182 second address: 8EC187 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EC187 second address: 8EC18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8ED254 second address: 8ED2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push esi 0x0000000b call 00007F4860DF3FCEh 0x00000010 mov edi, dword ptr [ebp+122D1CE9h] 0x00000016 pop ebx 0x00000017 pop edi 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F4860DF3FC8h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 cld 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edx 0x0000003a call 00007F4860DF3FC8h 0x0000003f pop edx 0x00000040 mov dword ptr [esp+04h], edx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc edx 0x0000004d push edx 0x0000004e ret 0x0000004f pop edx 0x00000050 ret 0x00000051 jmp 00007F4860DF3FCEh 0x00000056 push eax 0x00000057 pushad 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8F04FD second address: 8F0522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4860DEC978h 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8F0522 second address: 8F0528 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8F0528 second address: 8F052E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8F13EF second address: 8F13F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8F13F5 second address: 8F13F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8FC144 second address: 8FC154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4860DF3FCAh 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8FC154 second address: 8FC163 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4860DEC966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8FC163 second address: 8FC16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 892D59 second address: 892D7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC971h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F4860DEC96Ch 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 892D7D second address: 892DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4860DF3FD9h 0x00000010 jmp 00007F4860DF3FCFh 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90234B second address: 902351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 902351 second address: 902357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 902357 second address: 90235D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8DEDE6 second address: 8DEDEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E0C94 second address: 8E0C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E0D7B second address: 8E0D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E1D2D second address: 8E1D3F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4860DEC966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F4860DEC96Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E1D3F second address: 8E1DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 add bx, B8FAh 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F4860DF3FC8h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007F4860DF3FC8h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 00000016h 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f mov eax, dword ptr [ebp+122D173Dh] 0x00000055 mov dword ptr [ebp+122D2A2Eh], ebx 0x0000005b push FFFFFFFFh 0x0000005d mov ebx, dword ptr [ebp+122D2A66h] 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E1DB5 second address: 8E1DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E1DB9 second address: 8E1DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E1DBD second address: 8E1DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90EB05 second address: 90EB2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jmp 00007F4860DF3FCEh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4860DF3FCFh 0x00000013 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90EB2B second address: 90EB2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CB85 second address: 90CB89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CB89 second address: 90CB93 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CB93 second address: 90CB97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CCC4 second address: 90CCE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4860DEC977h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CCE1 second address: 90CCFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4860DF3FD8h 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CCFD second address: 90CD01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D2DD second address: 90D2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D2E3 second address: 90D2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D2E7 second address: 90D2F1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4860DF3FCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D716 second address: 90D720 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4860DEC972h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D720 second address: 90D726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D868 second address: 90D86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D86C second address: 90D870 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D870 second address: 90D87C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D87C second address: 90D880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D880 second address: 90D884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90DB79 second address: 90DB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90DB7D second address: 90DB8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC96Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90DB8B second address: 90DBC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F4860DF3FD9h 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F4860DF3FC6h 0x00000017 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90DBC4 second address: 90DBC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E953 second address: 90E968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DF3FCEh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E968 second address: 90E973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F4860DEC966h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E973 second address: 90E981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E981 second address: 90E993 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F4860DEC966h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E993 second address: 90E9B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F4860DF3FC6h 0x00000011 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 916557 second address: 91656F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DEC96Ah 0x00000009 je 00007F4860DEC97Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 915F78 second address: 915F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160BD second address: 9160CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F4860DEC966h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160CC second address: 9160D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160D2 second address: 9160DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F4860DEC966h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160DF second address: 9160EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4860DF3FC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160EE second address: 9160F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 916299 second address: 91629D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 91629D second address: 9162AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F4860DEC966h 0x0000000e rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9162AB second address: 9162B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9162B7 second address: 9162BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E9376 second address: 8E937C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E937C second address: 8E9383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E9427 second address: 8E942B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E942B second address: 8E943F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC970h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EB418 second address: 8EB422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8ED42D second address: 8ED433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9832FE second address: 983366 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a sbb dh, FFFFFFB1h 0x0000000d push dword ptr [ebp+122D3209h] 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F4860DEC968h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d add dword ptr [ebp+122D2A16h], eax 0x00000033 push edx 0x00000034 pushad 0x00000035 cld 0x00000036 mov esi, dword ptr [ebp+122D1F80h] 0x0000003c popad 0x0000003d pop edx 0x0000003e jo 00007F4860DEC969h 0x00000044 mov dx, di 0x00000047 push 0B868C74h 0x0000004c pushad 0x0000004d jno 00007F4860DEC96Ch 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 986516 second address: 986535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 jp 00007F4860DEC972h 0x0000000d popad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: FD0270 second address: FCFBA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F4860DF3FD2h 0x00000011 push dword ptr [ebp+122D0F11h] 0x00000017 cld 0x00000018 call dword ptr [ebp+122D1CB6h] 0x0000001e pushad 0x0000001f xor dword ptr [ebp+122D2535h], ebx 0x00000025 xor eax, eax 0x00000027 xor dword ptr [ebp+122D2535h], edx 0x0000002d mov edx, dword ptr [esp+28h] 0x00000031 jmp 00007F4860DF3FCAh 0x00000036 mov dword ptr [ebp+122D38ACh], eax 0x0000003c cmc 0x0000003d mov esi, 0000003Ch 0x00000042 pushad 0x00000043 mov ebx, dword ptr [ebp+122D37ECh] 0x00000049 mov ch, dh 0x0000004b popad 0x0000004c add esi, dword ptr [esp+24h] 0x00000050 sub dword ptr [ebp+122D2535h], edi 0x00000056 lodsw 0x00000058 jmp 00007F4860DF3FD7h 0x0000005d add eax, dword ptr [esp+24h] 0x00000061 jmp 00007F4860DF3FD4h 0x00000066 mov ebx, dword ptr [esp+24h] 0x0000006a mov dword ptr [ebp+122D299Dh], ecx 0x00000070 push eax 0x00000071 push edx 0x00000072 pushad 0x00000073 jmp 00007F4860DF3FCDh 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1155142 second address: 1155151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4860DEC966h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1155151 second address: 1155157 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1155157 second address: 1155175 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4860DEC972h 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F4860DEC966h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1155175 second address: 1155179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1155179 second address: 115517D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 114809D second address: 11480BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F4860DF3FD8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11480BF second address: 11480DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DEC977h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11480DB second address: 11480EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FCBh 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154737 second address: 115476D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F4860DEC966h 0x0000000d ja 00007F4860DEC966h 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F4860DEC977h 0x0000001c ja 00007F4860DEC96Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 115476D second address: 1154771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154771 second address: 1154785 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4860DEC96Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154785 second address: 1154789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A07 second address: 1154A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A0B second address: 1154A1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007F4860DF3FC6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A1C second address: 1154A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A24 second address: 1154A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007F4860DF3FD6h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A46 second address: 1154A4E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A4E second address: 1154A54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A54 second address: 1154A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 117763B second address: 1177661 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4860DF3FD2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F4860DF3FCEh 0x00000011 js 00007F4860DF3FC6h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1177661 second address: 117767E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4860DEC979h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Special instruction interceptor: First address: AFFB3A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Special instruction interceptor: First address: AFFBFF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Special instruction interceptor: First address: CF7A33 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 71FB3A instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 71FBFF instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 917A33 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: FCFB3A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: FCFBFF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 11C7A33 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Window / User API: threadDelayed 1346
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Window / User API: threadDelayed 1067
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 396
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1445
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1258
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1207
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 6592 Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 6568 Thread sleep count: 1346 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 6568 Thread sleep time: -2693346s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 6552 Thread sleep count: 1067 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 6552 Thread sleep time: -2135067s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 6448 Thread sleep count: 190 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 3732 Thread sleep count: 236 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5684 Thread sleep count: 103 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5684 Thread sleep time: -206103s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4500 Thread sleep count: 138 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4500 Thread sleep time: -276138s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 928 Thread sleep count: 109 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 928 Thread sleep time: -218109s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4412 Thread sleep count: 111 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4412 Thread sleep time: -222111s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1364 Thread sleep count: 32 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1364 Thread sleep count: 630 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1364 Thread sleep time: -63630s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7020 Thread sleep count: 334 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7020 Thread sleep count: 94 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3328 Thread sleep count: 128 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3328 Thread sleep time: -256128s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6228 Thread sleep count: 123 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6228 Thread sleep time: -246123s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5436 Thread sleep count: 32 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5436 Thread sleep count: 396 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5436 Thread sleep time: -39996s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7084 Thread sleep count: 342 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7084 Thread sleep count: 59 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3760 Thread sleep count: 68 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3760 Thread sleep time: -136068s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7244 Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7228 Thread sleep count: 1445 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7228 Thread sleep time: -2891445s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7200 Thread sleep count: 196 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7336 Thread sleep count: 229 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7224 Thread sleep count: 1258 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7224 Thread sleep time: -2517258s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7232 Thread sleep count: 1207 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7232 Thread sleep time: -2415207s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7492 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7492 Thread sleep time: -92046s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7500 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7500 Thread sleep time: -92046s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7460 Thread sleep count: 220 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7664 Thread sleep count: 240 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_00A29610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 00A2962Ah 0_2_00A29610
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_00A27780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00A27790h country: Indonesian (id) 0_2_00A27780
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_00A27750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00A27760h country: Hungarian (hu) 0_2_00A27750
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_00A27D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00A27D50h country: Upper Sorbian (hsb) 0_2_00A27D40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00647D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00647D50h country: Upper Sorbian (hsb) 5_2_00647D40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00649610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 0064962Ah 5_2_00649610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00647750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00647760h country: Hungarian (hu) 5_2_00647750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00647780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00647790h country: Indonesian (id) 5_2_00647780
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00649610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 0064962Ah 6_2_00649610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00647750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00647760h country: Hungarian (hu) 6_2_00647750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00647780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00647790h country: Indonesian (id) 6_2_00647780
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00647D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00647D50h country: Upper Sorbian (hsb) 6_2_00647D40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EF7D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00EF7D50h country: Upper Sorbian (hsb) 7_2_00EF7D40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EF9610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 00EF962Ah 7_2_00EF9610
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EF7780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00EF7790h country: Indonesian (id) 7_2_00EF7780
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EF7750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00EF7760h country: Hungarian (hu) 7_2_00EF7750
Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000009.00000002.2909193362.000000000115E000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RageMP131.exe, 00000009.00000002.2907853014.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}6Y
Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2909714951.00000000012FC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}hZ7
Source: RageMP131.exe, 00000009.00000003.1907381206.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000007.00000002.2910091238.000000000146E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000009.00000002.2907853014.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&pro
Source: MPGPH131.exe, 00000005.00000002.2909594920.00000000010FC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}0
Source: RageMP131.exe, 00000007.00000002.2910091238.000000000145C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: MPGPH131.exe, 00000006.00000002.2909798840.0000000000B18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}n
Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2909823323.000000000133E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2907853014.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RageMP131.exe, 00000009.00000002.2907853014.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}rX
Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2909823323.000000000133E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 00000007.00000002.2910091238.000000000145C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000nes\AppData\Local\Temp\heidiN
Source: RageMP131.exe, 00000007.00000002.2910091238.0000000001420000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000g
Source: MPGPH131.exe, 00000005.00000002.2909692267.00000000012FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: MPGPH131.exe, 00000005.00000002.2909692267.000000000133D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.2909798840.0000000000B18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&k8
Source: RageMP131.exe, 00000009.00000003.1907381206.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}sX
Source: RageMP131.exe, 00000009.00000002.2907853014.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&QY
Source: MPGPH131.exe, 00000006.00000002.2909798840.0000000000B52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B35512B6
Source: MPGPH131.exe, 00000006.00000002.2909798840.0000000000B18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: MPGPH131.exe, 00000005.00000002.2909692267.00000000012FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000nes\AppData\Local\Temp\heidiv
Source: RageMP131.exe, 00000007.00000002.2910091238.000000000146E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B35512B6
Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000009.00000002.2909193362.000000000115E000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2909823323.000000000137E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}6
Source: MPGPH131.exe, 00000005.00000002.2909692267.00000000012FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D9F50 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory, 0_2_009D9F50
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D5B90 mov ecx, dword ptr fs:[00000030h] 0_2_009D5B90
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009DC0A0 mov eax, dword ptr fs:[00000030h] 0_2_009DC0A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D4100 mov eax, dword ptr fs:[00000030h] 0_2_009D4100
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D5498 mov eax, dword ptr fs:[00000030h] 0_2_009D5498
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D57B8 mov eax, dword ptr fs:[00000030h] 0_2_009D57B8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D48E0 mov eax, dword ptr fs:[00000030h] 0_2_009D48E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D4DC9 mov eax, dword ptr fs:[00000030h] 0_2_009D4DC9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005F48E0 mov eax, dword ptr fs:[00000030h] 5_2_005F48E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005FC0A0 mov eax, dword ptr fs:[00000030h] 5_2_005FC0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005F4100 mov eax, dword ptr fs:[00000030h] 5_2_005F4100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005F5498 mov eax, dword ptr fs:[00000030h] 5_2_005F5498
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005F4DC9 mov eax, dword ptr fs:[00000030h] 5_2_005F4DC9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005F57B8 mov eax, dword ptr fs:[00000030h] 5_2_005F57B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F5B90 mov ecx, dword ptr fs:[00000030h] 6_2_005F5B90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005FC0A0 mov eax, dword ptr fs:[00000030h] 6_2_005FC0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F4100 mov eax, dword ptr fs:[00000030h] 6_2_005F4100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F5498 mov eax, dword ptr fs:[00000030h] 6_2_005F5498
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F57B8 mov eax, dword ptr fs:[00000030h] 6_2_005F57B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F48E0 mov eax, dword ptr fs:[00000030h] 6_2_005F48E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F4DC9 mov eax, dword ptr fs:[00000030h] 6_2_005F4DC9
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EA48E0 mov eax, dword ptr fs:[00000030h] 7_2_00EA48E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EAC0A0 mov eax, dword ptr fs:[00000030h] 7_2_00EAC0A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EA4100 mov eax, dword ptr fs:[00000030h] 7_2_00EA4100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EA5498 mov eax, dword ptr fs:[00000030h] 7_2_00EA5498
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EA4DC9 mov eax, dword ptr fs:[00000030h] 7_2_00EA4DC9
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EA57B8 mov eax, dword ptr fs:[00000030h] 7_2_00EA57B8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D4400 cpuid 0_2_009D4400
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_00A9F26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00A9F26A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D7DC0 GetUserNameA,GetFileAttributesA,__Mtx_unlock,__Mtx_unlock,CopyFileA,RegOpenKeyExA,RegSetValueExA,GetFileAttributesA,__Mtx_unlock,__Mtx_unlock,CopyFileA, 0_2_009D7DC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1655205420.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1713791639.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_151.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7456, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1655205420.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1713791639.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_151.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7456, type: MEMORYSTR