Windows Analysis Report
LisectAVT_2403002A_140.exe

Overview

General Information

Sample name: LisectAVT_2403002A_140.exe
Analysis ID: 1482502
MD5: 8623f3410c6571a3880ed83c11197518
SHA1: 35396e27d5528a5c4740a93be024ec11db698df2
SHA256: 421f1f9e96fc1d6d553fa47a0ae79c23751471a02174524465eff1f6ec1fe897
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: LisectAVT_2403002A_140.exe Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: TR/Redcap.dchmo
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: TR/Redcap.dchmo
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_140.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_140.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: global traffic TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 193.233.132.74:58709
Source: Joe Sandbox View IP Address: 193.233.132.74
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Code function: 0_2_00D3E0A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket, 0_2_00D3E0A0
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_140.exe, 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_140.exe, 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4147804202.000000000181E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4147850074.00000000011AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4147764213.000000000169B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4148390163.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4148938152.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000007.00000002.4148390163.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT;
Source: RageMP131.exe, 0000000B.00000002.4148938152.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTR

System Summary

Source: LisectAVT_2403002A_140.exe Static PE information: section name:
Source: LisectAVT_2403002A_140.exe Static PE information: section name: .idata
Source: LisectAVT_2403002A_140.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 0039FED0 appears 52 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00AFFED0 appears 52 times
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4152424609.00000000055E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_140.exe
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_140.exe
Source: LisectAVT_2403002A_140.exe Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_140.exe
Source: LisectAVT_2403002A_140.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_140.exe Static PE information: Section: ZLIB complexity 0.9993574134199135
Source: LisectAVT_2403002A_140.exe Static PE information: Section: yxaifgwn ZLIB complexity 0.9896825177147919
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9993574134199135
Source: RageMP131.exe.0.dr Static PE information: Section: yxaifgwn ZLIB complexity 0.9896825177147919
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9993574134199135
Source: MPGPH131.exe.0.dr Static PE information: Section: yxaifgwn ZLIB complexity 0.9896825177147919
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Command line argument: nI 0_2_00E248C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Command line argument: nI< 7_2_003C48C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Command line argument: nI< 11_2_003C48C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_140.exe, 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_140.exe, 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_140.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe "C:\Users\user\Desktop\LisectAVT_2403002A_140.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: LisectAVT_2403002A_140.exe Static file information: File size 2334728 > 1048576
Source: LisectAVT_2403002A_140.exe Static PE information: Raw size of yxaifgwn is bigger than: 0x100000 < 0x1a7600

Data Obfuscation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Unpacked PE file: 0.2.LisectAVT_2403002A_140.exe.d20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW; vs :ER;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 5.2.MPGPH131.exe.a20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW; vs :ER;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.a20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW; vs :ER;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 7.2.RageMP131.exe.2c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW; vs :ER;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 11.2.RageMP131.exe.2c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW; vs :ER;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW;
Source: initial sample Static PE information: section where entry point is pointing to: yvccconk
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x23c767 should be: 0x23c76f
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x23c767 should be: 0x23c76f
Source: LisectAVT_2403002A_140.exe Static PE information: real checksum: 0x23c767 should be: 0x23c76f
Source: LisectAVT_2403002A_140.exe Static PE information: section name:
Source: LisectAVT_2403002A_140.exe Static PE information: section name: .idata
Source: LisectAVT_2403002A_140.exe Static PE information: section name:
Source: LisectAVT_2403002A_140.exe Static PE information: section name: yxaifgwn
Source: LisectAVT_2403002A_140.exe Static PE information: section name: yvccconk
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: yxaifgwn
Source: RageMP131.exe.0.dr Static PE information: section name: yvccconk
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: yxaifgwn
Source: MPGPH131.exe.0.dr Static PE information: section name: yvccconk
Source: LisectAVT_2403002A_140.exe Static PE information: section name: entropy: 7.988366600079935
Source: LisectAVT_2403002A_140.exe Static PE information: section name: yxaifgwn entropy: 7.949631188388849
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.988366600079935
Source: RageMP131.exe.0.dr Static PE information: section name: yxaifgwn entropy: 7.949631188388849
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.988366600079935
Source: MPGPH131.exe.0.dr Static PE information: section name: yxaifgwn entropy: 7.949631188388849
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131

Malware Analysis System Evasion

Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10149CF second address: 1014A43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB38FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FF158DB38F8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov si, 332Dh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007FF158DB38F8h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 mov esi, eax 0x00000047 push 00000000h 0x00000049 clc 0x0000004a xchg eax, ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e jmp 00007FF158DB3903h 0x00000053 pop eax 0x00000054 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1014A43 second address: 1014A48 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10176F1 second address: 10176F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10147A6 second address: 10147B0 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF15854888Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1017C98 second address: 1017C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1017C9D second address: 1017CA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FF158548886h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1017CA8 second address: 1017CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FF158DB38FCh 0x0000000f jnl 00007FF158DB38F6h 0x00000015 popad 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1018EDC second address: 1018EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 101BEE1 second address: 101BEE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 101B045 second address: 101B063 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548890h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FF158548886h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 101B063 second address: 101B067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 101CE15 second address: 101CE28 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007FF158548886h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 101C034 second address: 101C038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 101CE28 second address: 101CE6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 cld 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FF158548888h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov edi, 54D955E5h 0x0000002d jmp 00007FF15854888Bh 0x00000032 xchg eax, esi 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push esi 0x00000038 pop esi 0x00000039 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 101C038 second address: 101C0C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007FF158DB38F8h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D2846h], ecx 0x00000027 push dword ptr fs:[00000000h] 0x0000002e add dword ptr [ebp+122D2DAEh], edx 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b mov ebx, dword ptr [ebp+122D2AE0h] 0x00000041 mov eax, dword ptr [ebp+122D153Dh] 0x00000047 mov edi, ecx 0x00000049 push FFFFFFFFh 0x0000004b call 00007FF158DB3902h 0x00000050 or dword ptr [ebp+122D183Bh], ecx 0x00000056 pop ebx 0x00000057 nop 0x00000058 jg 00007FF158DB3902h 0x0000005e jp 00007FF158DB38FCh 0x00000064 jg 00007FF158DB38F6h 0x0000006a push eax 0x0000006b pushad 0x0000006c jng 00007FF158DB38FCh 0x00000072 push esi 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 101CE6F second address: 101CE79 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 101DE6A second address: 101DE7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF158DB3901h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 101CFDF second address: 101CFE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 101CFE5 second address: 101CFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 101CFE9 second address: 101CFFB instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1020F3B second address: 1020F45 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF158DB38FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1023115 second address: 102311F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1025038 second address: 102503C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 102428C second address: 1024292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 102503C second address: 1025055 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB38FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FF158DB38F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1025055 second address: 10250E4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FF158548888h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 jmp 00007FF15854888Eh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007FF158548888h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 push eax 0x00000046 call 00007FF15854888Fh 0x0000004b and edi, dword ptr [ebp+122D2AB8h] 0x00000051 pop ebx 0x00000052 pop ebx 0x00000053 push 00000000h 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 jg 00007FF15854888Ch 0x0000005d jg 00007FF158548886h 0x00000063 pop eax 0x00000064 push eax 0x00000065 push ecx 0x00000066 jl 00007FF15854888Ch 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1027179 second address: 102717D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1025237 second address: 102523C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 102523C second address: 1025259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FF158DB3903h 0x00000010 jmp 00007FF158DB38FDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1025259 second address: 1025307 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548891h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FF15854888Eh 0x0000000f jmp 00007FF158548896h 0x00000014 push dword ptr fs:[00000000h] 0x0000001b jc 00007FF1585488A0h 0x00000021 call 00007FF158548893h 0x00000026 sub dword ptr [ebp+122D3366h], edi 0x0000002c pop ebx 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007FF158548888h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 00000016h 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e mov edi, dword ptr [ebp+1247DC54h] 0x00000054 mov eax, dword ptr [ebp+122D1439h] 0x0000005a mov di, cx 0x0000005d push FFFFFFFFh 0x0000005f mov dword ptr [ebp+122D192Fh], edx 0x00000065 nop 0x00000066 push eax 0x00000067 je 00007FF158548888h 0x0000006d push eax 0x0000006e pop eax 0x0000006f pop eax 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1025307 second address: 1025312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF158DB38F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1027892 second address: 10278A7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10285A6 second address: 10285AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10278A7 second address: 10278AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 102ABB6 second address: 102ABBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103817E second address: 1038182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1038182 second address: 1038186 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1038186 second address: 103818C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103818C second address: 10381B2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF158DB3900h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007FF158DB38FCh 0x00000016 je 00007FF158DB38F6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10381B2 second address: 10381C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007FF158548886h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10381C6 second address: 10381D0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF158DB38F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10381D0 second address: 10381D5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10381D5 second address: 10381EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FF158DB38F8h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103836D second address: 1038371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1038371 second address: 1038377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1038377 second address: 10383B9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF158548896h 0x00000008 jmp 00007FF158548890h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 ja 00007FF15854888Ah 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007FF158548892h 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103C294 second address: 103C2DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3905h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FF158DB391Eh 0x0000000f jmp 00007FF158DB3904h 0x00000014 jmp 00007FF158DB3904h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103C2DB second address: 103C2F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF158548893h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103C2F2 second address: 103C2F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103C2F8 second address: 103C312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FF15854888Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103CD44 second address: 103CD48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103CD48 second address: 103CD62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FF158548894h 0x0000000c jmp 00007FF15854888Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103CFF2 second address: 103D011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF158DB38F6h 0x0000000a popad 0x0000000b jmp 00007FF158DB3904h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103D011 second address: 103D02B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF15854888Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FF158548886h 0x0000000f jc 00007FF158548886h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103D02B second address: 103D035 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF158DB38F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103D035 second address: 103D047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FF15854888Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103D047 second address: 103D050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 103D050 second address: 103D055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10419E7 second address: 10419ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1015B99 second address: 1015B9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1015CD6 second address: 1015CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1015CDA second address: 1015CDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1015DD9 second address: 1015DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1015DDD second address: 1015DE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10163CD second address: 10163FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FF158DB3908h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], esi 0x00000012 xor dword ptr [ebp+122D19ACh], eax 0x00000018 nop 0x00000019 push esi 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10166AA second address: 10166B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10166B1 second address: 10166DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3907h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF158DB38FDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1016A77 second address: 1016A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1016A7B second address: 1016A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1016A81 second address: 1016A86 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1016A86 second address: 1016AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FF158DB38FFh 0x0000000e pushad 0x0000000f jp 00007FF158DB38F6h 0x00000015 jo 00007FF158DB38F6h 0x0000001b popad 0x0000001c popad 0x0000001d nop 0x0000001e mov dword ptr [ebp+122D2114h], eax 0x00000024 push 0000001Eh 0x00000026 add dword ptr [ebp+122D2216h], edx 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push esi 0x00000030 pushad 0x00000031 popad 0x00000032 pop esi 0x00000033 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1016C36 second address: 1016C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1016C3A second address: 1016C44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1016DBF second address: 1016DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1016DC5 second address: 1016DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF158DB3905h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FF158DB38F8h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1016DEB second address: 1016E11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548899h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1016E11 second address: 1016E15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: FF4EB5 second address: FF4EC4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnc 00007FF158548886h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: FF4EC4 second address: FF4EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: FF4EC9 second address: FF4ED5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FF158548886h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 108DEBA second address: 108DEDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 jne 00007FF158548886h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007FF15854888Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 jc 00007FF158548886h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 109CEC9 second address: 109CECE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 109E966 second address: 109E96A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 109E96A second address: 109E9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FF158DB3905h 0x0000000c pop ecx 0x0000000d jmp 00007FF158DB38FFh 0x00000012 pushad 0x00000013 jmp 00007FF158DB3902h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 109E7BD second address: 109E7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 109E7C3 second address: 109E7E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158DB38FDh 0x00000009 popad 0x0000000a jmp 00007FF158DB38FFh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10A1CCA second address: 10A1CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jp 00007FF1585488A0h 0x0000000b jmp 00007FF158548894h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10A785F second address: 10A7865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10A7865 second address: 10A7873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007FF158548886h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10A7873 second address: 10A7891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF158DB3903h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10A7891 second address: 10A78A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF15854888Eh 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: FCE3F2 second address: FCE3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FF158DB38F6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10BAB3B second address: 10BAB4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF15854888Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10B941E second address: 10B943C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF158DB3907h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10B943C second address: 10B9440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10B9440 second address: 10B944C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF158DB38F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10B944C second address: 10B9474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FF158548886h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007FF158548897h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10B9474 second address: 10B9480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF158DB38F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10B95BD second address: 10B95C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF158548886h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10B9DAD second address: 10B9DBD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FF158DB38F6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10BA89A second address: 10BA89F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10BE376 second address: 10BE387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158DB38FBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: FCFE66 second address: FCFEA9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 jmp 00007FF158548897h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FF158548891h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF158548890h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10E1A1F second address: 10E1A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF158DB38F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edx 0x0000000e jne 00007FF158DB38F6h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10E1A34 second address: 10E1A39 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10E1A39 second address: 10E1A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158DB3907h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FF158DB38F6h 0x00000012 je 00007FF158DB38F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10E1A63 second address: 10E1A7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF15854888Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10E1732 second address: 10E1736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10E1736 second address: 10E173A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10E173A second address: 10E1740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10E1740 second address: 10E174B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 10E174B second address: 10E1750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1104CFD second address: 1104D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1104D03 second address: 1104D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110555E second address: 1105564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1105564 second address: 1105568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1105842 second address: 1105846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1105846 second address: 110584A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110584A second address: 1105850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1105850 second address: 1105856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 11071D1 second address: 11071D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 11071D7 second address: 11071DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 11071DD second address: 11071EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF158548886h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 11071EC second address: 11071F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 11071F0 second address: 11071F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 1108871 second address: 1108885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158DB38FEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110A05F second address: 110A065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110A065 second address: 110A069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110A069 second address: 110A06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110A06F second address: 110A09A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FF158DB38F8h 0x0000000c jmp 00007FF158DB3907h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110A09A second address: 110A0BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF15854888Ch 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c jmp 00007FF15854888Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110CD7C second address: 110CD80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110CD80 second address: 110CD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110CD8A second address: 110CDC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3909h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FF158DB38FCh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110CDC0 second address: 110CDC6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110D03F second address: 110D043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110D043 second address: 110D047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110D047 second address: 110D090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FF158DB38FCh 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 sbb edx, 3ACF01A2h 0x00000016 mov edx, dword ptr [ebp+122D3B14h] 0x0000001c push dword ptr [ebp+122D380Eh] 0x00000022 sbb dl, FFFFFF92h 0x00000025 push 7675B700h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FF158DB3905h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110D090 second address: 110D0A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548891h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110D0A5 second address: 110D0AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FF158DB38F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110EA60 second address: 110EA65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110EA65 second address: 110EA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110EA6D second address: 110EA77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110E5F1 second address: 110E5FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FF158DB38F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110E5FB second address: 110E610 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548891h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110E610 second address: 110E634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a jnc 00007FF158DB38F6h 0x00000010 jmp 00007FF158DB38FFh 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110E634 second address: 110E63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110E63A second address: 110E63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 110E63E second address: 110E65E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548896h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 11105BE second address: 11105C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 11105C2 second address: 11105CC instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57F06A9 second address: 57F06DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dl 0x00000005 jmp 00007FF158DB3900h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF158DB3907h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57F06DB second address: 57F06FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 59447571h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov edi, 6A7C5130h 0x00000012 mov bx, 505Ch 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movzx esi, bx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57F06FA second address: 57F071A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3905h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57F071A second address: 57F071E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57F071E second address: 57F0732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov si, 8ABBh 0x0000000a popad 0x0000000b pop ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov eax, 1D0F5F69h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57B0E82 second address: 57B0E92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF15854888Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57B0E92 second address: 57B0EAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF158DB38FDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57B0EAA second address: 57B0ED6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548891h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF15854888Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57B0ED6 second address: 57B0EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57B0EDA second address: 57B0EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57B0EDE second address: 57B0EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57B0EE4 second address: 57B0EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF15854888Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5830621 second address: 5830638 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3903h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57B0B73 second address: 57B0B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 movsx edi, si 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cl, bl 0x0000000f call 00007FF15854888Ch 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57B0B90 second address: 57B0BC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3900h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 movsx ebx, cx 0x00000013 popad 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FF158DB3900h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57B0BC9 second address: 57B0BCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57B0BCF second address: 57B0BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 57B0BD5 second address: 57B0BD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58101E1 second address: 58101E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58101E5 second address: 58101EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58101EB second address: 5810291 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF158DB3901h 0x00000009 adc si, 1E86h 0x0000000e jmp 00007FF158DB3901h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FF158DB3900h 0x0000001a and cx, F928h 0x0000001f jmp 00007FF158DB38FBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 test esi, esi 0x0000002a jmp 00007FF158DB3906h 0x0000002f je 00007FF1CA4C9A30h 0x00000035 pushad 0x00000036 movzx eax, dx 0x00000039 pushad 0x0000003a pushad 0x0000003b popad 0x0000003c call 00007FF158DB38FFh 0x00000041 pop eax 0x00000042 popad 0x00000043 popad 0x00000044 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000004b jmp 00007FF158DB38FFh 0x00000050 mov ecx, esi 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5810291 second address: 5810295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5810295 second address: 581029B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 581029B second address: 58102A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58102A1 second address: 58102A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58102A5 second address: 581032F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548894h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FF1C9C5E96Ah 0x00000011 jmp 00007FF158548890h 0x00000016 test byte ptr [76FB6968h], 00000002h 0x0000001d jmp 00007FF158548890h 0x00000022 jne 00007FF1C9C5E950h 0x00000028 jmp 00007FF158548890h 0x0000002d mov edx, dword ptr [ebp+0Ch] 0x00000030 jmp 00007FF158548890h 0x00000035 xchg eax, ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FF158548897h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 581032F second address: 5810383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FF158DB38FCh 0x00000010 xchg eax, ebx 0x00000011 jmp 00007FF158DB3900h 0x00000016 xchg eax, ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FF158DB38FDh 0x00000020 xor cl, FFFFFFE6h 0x00000023 jmp 00007FF158DB3901h 0x00000028 popfd 0x00000029 mov cx, 2117h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5810383 second address: 581039B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF15854888Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d movsx edi, cx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 581039B second address: 5810406 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 512A7B15h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FF158DB3902h 0x0000000f or ecx, 469AE0E8h 0x00000015 jmp 00007FF158DB38FBh 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, ebx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FF158DB38FBh 0x00000024 sbb esi, 0824482Eh 0x0000002a jmp 00007FF158DB3909h 0x0000002f popfd 0x00000030 popad 0x00000031 push dword ptr [ebp+14h] 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov dx, 758Eh 0x0000003b mov ecx, edi 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5810406 second address: 581040C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 581040C second address: 5810410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5810410 second address: 5810429 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+10h] 0x0000000b pushad 0x0000000c call 00007FF15854888Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5810450 second address: 5810454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5810454 second address: 581045A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 581045A second address: 581046C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 mov dx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 581046C second address: 5810470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5810470 second address: 5810474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5810474 second address: 581047A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5871A13 second address: 5871A72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF158DB3907h 0x00000009 sub ecx, 01BA8E1Eh 0x0000000f jmp 00007FF158DB3909h 0x00000014 popfd 0x00000015 movzx eax, di 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f call 00007FF158DB3905h 0x00000024 pop esi 0x00000025 movsx edi, ax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5871A72 second address: 5871A78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5871A78 second address: 5871A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5871A7C second address: 5871ADA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FF158548891h 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 mov esi, 2A431743h 0x00000018 movzx esi, di 0x0000001b popad 0x0000001c push 0000007Fh 0x0000001e jmp 00007FF15854888Bh 0x00000023 push 00000001h 0x00000025 jmp 00007FF158548896h 0x0000002a push dword ptr [ebp+08h] 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FF15854888Ah 0x00000036 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5871ADA second address: 5871ADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5871ADE second address: 5871AE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5871AE4 second address: 5871AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5830764 second address: 583077C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF158548894h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 583077C second address: 58307BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB38FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FF158DB3909h 0x00000011 xchg eax, ebp 0x00000012 jmp 00007FF158DB38FEh 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58307BE second address: 58307C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58307C2 second address: 58307C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58106B2 second address: 58106B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58106B8 second address: 58106DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FF158DB3904h 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58106DB second address: 58106DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58106DF second address: 581070D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF158DB38FDh 0x00000008 or ax, 3FD6h 0x0000000d jmp 00007FF158DB3901h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 mov di, ax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 581070D second address: 5810728 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF158548890h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5810728 second address: 581075F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 8BD4h 0x00000007 pushfd 0x00000008 jmp 00007FF158DB38FDh 0x0000000d xor ax, B296h 0x00000012 jmp 00007FF158DB3901h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 581075F second address: 5810763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5810763 second address: 5810776 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB38FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 5810776 second address: 58107A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 call 00007FF158548890h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF158548893h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58107A8 second address: 58107AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe RDTSC instruction interceptor: First address: 58901C9 second address: 58901D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Special instruction interceptor: First address: E5FCA3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Special instruction interceptor: First address: 102AC0D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Special instruction interceptor: First address: 1015D50 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Special instruction interceptor: First address: 1090E94 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: B5FCA3 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: D2AC0D instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: D15D50 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: D90E94 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 3FFCA3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 5CAC0D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 5B5D50 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 630E94 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Code function: 0_2_058809E9 rdtsc 0_2_058809E9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Window / User API: threadDelayed 1063
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Window / User API: threadDelayed 1087
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Window / User API: threadDelayed 1456
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1177
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1173
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 781
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1238
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1122
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 729
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1242
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1579
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 2054
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 3808 Thread sleep count: 43 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 3808 Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 3636 Thread sleep count: 43 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 3636 Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 7148 Thread sleep count: 80 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 7148 Thread sleep count: 243 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 7340 Thread sleep count: 234 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 5344 Thread sleep count: 1063 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 5344 Thread sleep time: -2127063s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 2676 Thread sleep count: 1087 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 2676 Thread sleep time: -2175087s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 3992 Thread sleep count: 1456 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 3992 Thread sleep time: -2913456s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7412 Thread sleep count: 96 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7412 Thread sleep time: -192096s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7384 Thread sleep count: 105 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7384 Thread sleep time: -210105s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7352 Thread sleep count: 1177 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7352 Thread sleep time: -118877s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7620 Thread sleep count: 1173 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7620 Thread sleep count: 781 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7620 Thread sleep time: -78100s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7388 Thread sleep count: 102 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7388 Thread sleep time: -204102s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7396 Thread sleep count: 87 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7396 Thread sleep time: -174087s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7484 Thread sleep count: 78 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7484 Thread sleep time: -156078s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7480 Thread sleep count: 123 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7480 Thread sleep time: -246123s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7360 Thread sleep count: 1238 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7360 Thread sleep time: -125038s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7616 Thread sleep count: 1122 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7616 Thread sleep count: 729 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7616 Thread sleep time: -72900s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7492 Thread sleep count: 101 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7492 Thread sleep time: -202101s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7508 Thread sleep count: 108 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7508 Thread sleep time: -216108s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7504 Thread sleep count: 122 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7504 Thread sleep time: -244122s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7496 Thread sleep count: 137 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7496 Thread sleep time: -274137s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7488 Thread sleep count: 124 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7488 Thread sleep time: -248124s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7692 Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7680 Thread sleep count: 1242 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7680 Thread sleep time: -2485242s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7648 Thread sleep count: 44 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7648 Thread sleep count: 253 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7844 Thread sleep count: 253 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7688 Thread sleep count: 1100 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7688 Thread sleep time: -2201100s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8072 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8072 Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8044 Thread sleep count: 1579 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8044 Thread sleep time: -3159579s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012 Thread sleep count: 269 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8156 Thread sleep count: 232 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8052 Thread sleep count: 2054 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8052 Thread sleep time: -4110054s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8048 Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8048 Thread sleep time: -112056s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: RageMP131.exe, RageMP131.exe, 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000005.00000002.4147850074.00000000011E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000006.00000002.4147764213.000000000169B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}GT:/
Source: RageMP131.exe, 0000000B.00000002.4148456840.00000000009FD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}H
Source: RageMP131.exe, 00000007.00000002.4148390163.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_8C381D4C
Source: RageMP131.exe, 0000000B.00000003.1948086057.0000000000F93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.4147764213.000000000169B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: RageMP131.exe, 0000000B.00000002.4148938152.0000000000F93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
Source: MPGPH131.exe, 00000006.00000002.4147764213.000000000169B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000& T:H
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4147804202.0000000001869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}~
Source: MPGPH131.exe, 00000006.00000002.4147764213.000000000169B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:R
Source: RageMP131.exe, 00000007.00000002.4148390163.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}y
Source: MPGPH131.exe, 00000006.00000002.4147764213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_8C381D4C
Source: RageMP131.exe, 0000000B.00000002.4148938152.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&c
Source: RageMP131.exe, 0000000B.00000003.1948086057.0000000000F91000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000B.00000002.4148938152.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}t
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 00000007.00000002.4148390163.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}x
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4147804202.0000000001854000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4147850074.00000000011E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4148390163.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4148938152.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RageMP131.exe, 00000007.00000002.4148390163.0000000000F50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000gz
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Code function: 0_2_058900F1 Start: 05890149 End: 0589014D 0_2_058900F1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_05060337 Start: 050604A3 End: 05060346 5_2_05060337
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_05060277 Start: 050604A3 End: 05060340 5_2_05060277
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0506027E Start: 050604A3 End: 05060340 5_2_0506027E
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_050602AA Start: 050604A3 End: 05060340 5_2_050602AA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_050602BD Start: 050604A3 End: 05060340 5_2_050602BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_050602C3 Start: 050604A3 End: 05060340 5_2_050602C3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_05060AC3 Start: 05060B17 End: 05060AE6 5_2_05060AC3
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_050E0A5D Start: 050E0BAB End: 050E0B5E 7_2_050E0A5D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_050E0ED2 Start: 050E0F55 End: 050E0E9D 7_2_050E0ED2
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Code function: 0_2_058809E9 rdtsc 0_2_058809E9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Code function: 0_2_00D83A40 mov eax, dword ptr fs:[00000030h] 0_2_00D83A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Code function: 0_2_00D34100 mov eax, dword ptr fs:[00000030h] 0_2_00D34100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00A83A40 mov eax, dword ptr fs:[00000030h] 5_2_00A83A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00A34100 mov eax, dword ptr fs:[00000030h] 5_2_00A34100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00A83A40 mov eax, dword ptr fs:[00000030h] 6_2_00A83A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00A34100 mov eax, dword ptr fs:[00000030h] 6_2_00A34100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00323A40 mov eax, dword ptr fs:[00000030h] 7_2_00323A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_002D4100 mov eax, dword ptr fs:[00000030h] 7_2_002D4100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 11_2_00323A40 mov eax, dword ptr fs:[00000030h] 11_2_00323A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 11_2_002D4100 mov eax, dword ptr fs:[00000030h] 11_2_002D4100
Source: LisectAVT_2403002A_140.exe, LisectAVT_2403002A_140.exe, 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, RageMP131.exe, 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 8Program Manager
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Code function: 0_2_00DFF26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00DFF26A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_140.exe PID: 5440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8008, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_140.exe PID: 5440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8008, type: MEMORYSTR