Microsoft (R) COFF/PE Dumper Version 14.29.30148.0
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file psremote.o

File Type: COFF OBJECT

; Reading this listing: first column is the .text$mn-relative offset, then the
; encoded bytes (dumpbin wraps bytes past the sixth onto a continuation line),
; then the MASM-syntax instruction. Displacements shown as 00 00 00 00 are
; unresolved relocations in the object file; the bracketed symbol is the
; relocation target. The MODULE$Function import names are the BOF loader's
; dynamic-function-resolution convention. All four functions are an
; unoptimised (/Od-style) build: every argument is spilled to its home slot
; and every local lives on the stack, hence the redundant load/store pairs.
;
; Globals shared by the four functions:
;   g_lpStream       IStream* created by CreateStreamOnHGlobal; accumulates the report
;   g_lpwPrintBuffer wchar_t[0x2000] scratch buffer (calloc(0x2000, 2)) for one
;                    formatted line; zeroed after every use

;-----------------------------------------------------------------------
; BeaconPrintToStreamW   (MS x64 ABI, variadic)
; Apparent C shape: HRESULT BeaconPrintToStreamW(const wchar_t *fmt, ...)
;   (inferred from the _vsnwprintf_s call: rcx's home slot is passed as the
;   format, rdx's home slot is where the va_list starts)
; In:    rcx = fmt; rdx, r8, r9 = first three variadic arguments
; Out:   eax = HRESULT kept in [rsp+30h]
; Locals (after sub rsp,58h): [rsp+30h] hr, [rsp+34h] cbWritten,
;         [rsp+38h] va_list, [rsp+40h] cached IStream vtable pointer,
;         [rsp+60h..78h] the four home slots
; Frame: 0x58 -> entry rsp%16==8 becomes 16-aligned at every call
; Lazily creates g_lpStream / g_lpwPrintBuffer, formats one line into the
; buffer, appends it to the stream, then wipes the buffer.
;-----------------------------------------------------------------------
BeaconPrintToStreamW:
  0000000000000000: 48 89 4C 24 08     mov qword ptr [rsp+8],rcx        ; spill fmt to its home slot
  0000000000000005: 48 89 54 24 10     mov qword ptr [rsp+10h],rdx      ; spill the register-passed variadic args so the
  000000000000000A: 4C 89 44 24 18     mov qword ptr [rsp+18h],r8       ;   va_list can walk them contiguously on the stack
  000000000000000F: 4C 89 4C 24 20     mov qword ptr [rsp+20h],r9
  0000000000000014: 48 83 EC 58        sub rsp,58h
  0000000000000018: C7 44 24 30 01 00  mov dword ptr [rsp+30h],1        ; hr = 1; every path below overwrites it before return
                    00 00
  0000000000000020: C7 44 24 34 00 00  mov dword ptr [rsp+34h],0        ; cbWritten = 0
                    00 00
  0000000000000028: 48 83 3D 00 00 00  cmp qword ptr [g_lpStream],1     ; unsigned test: a value of 0 or 1 means "no stream yet"
                    00 01
  0000000000000030: 77 28              ja 000000000000005A
  0000000000000032: 4C 8D 05 00 00 00  lea r8,[g_lpStream]              ; arg3 = ppstm (out)
                    00
  0000000000000039: BA 01 00 00 00     mov edx,1                        ; arg2 = fDeleteOnRelease = TRUE
  000000000000003E: 33 C9              xor ecx,ecx                      ; arg1 = hGlobal = NULL (let OLE allocate it)
  0000000000000040: FF 15 00 00 00 00  call qword ptr [__imp_OLE32$CreateStreamOnHGlobal]
  0000000000000046: 89 44 24 30        mov dword ptr [rsp+30h],eax      ; hr = result
  000000000000004A: 83 7C 24 30 00     cmp dword ptr [rsp+30h],0
  000000000000004F: 7D 09              jge 000000000000005A             ; SUCCEEDED(hr) -> continue
  0000000000000051: 8B 44 24 30        mov eax,dword ptr [rsp+30h]
  0000000000000055: E9 01 01 00 00     jmp 000000000000015B             ; FAILED: return hr now (buffer not allocated yet, nothing to wipe)
  000000000000005A: 48 83 3D 00 00 00  cmp qword ptr [g_lpwPrintBuffer],1  ; same 0/1 == "unallocated" test for the print buffer
                    00 01
  0000000000000062: 77 2E              ja 0000000000000092
  0000000000000064: BA 02 00 00 00     mov edx,2                        ; calloc(0x2000, 2): 8192 wchar_t = 16 KiB, zero-filled
  0000000000000069: B9 00 20 00 00     mov ecx,2000h
  000000000000006E: FF 15 00 00 00 00  call qword ptr [__imp_MSVCRT$calloc]
  0000000000000074: 48 89 05 00 00 00  mov qword ptr [g_lpwPrintBuffer],rax
                    00
  000000000000007B: 48 83 3D 00 00 00  cmp qword ptr [g_lpwPrintBuffer],0
                    00 00
  0000000000000083: 75 0D              jne 0000000000000092
  0000000000000085: C7 44 24 30 05 40  mov dword ptr [rsp+30h],80004005h ; hr = E_FAIL (allocation failed)
                    00 80
  000000000000008D: E9 9D 00 00 00     jmp 000000000000012F             ; -> common exit
  0000000000000092: 48 8D 44 24 68     lea rax,[rsp+68h]                ; va_start: first variadic arg is rdx's home slot
  0000000000000097: 48 89 44 24 38     mov qword ptr [rsp+38h],rax      ; va_list local
  000000000000009C: 48 8B 44 24 38     mov rax,qword ptr [rsp+38h]
  00000000000000A1: 48 89 44 24 20     mov qword ptr [rsp+20h],rax      ; arg5 (stack slot) = va_list
  00000000000000A6: 4C 8B 4C 24 60     mov r9,qword ptr [rsp+60h]       ; arg4 = fmt (rcx's home slot)
  00000000000000AB: 41 B8 FF 1F 00 00  mov r8d,1FFFh                    ; arg3 = count = 0x1FFF chars, one below the buffer size
  00000000000000B1: BA 00 20 00 00     mov edx,2000h                    ; arg2 = sizeOfBuffer = 0x2000 wchar_t
  00000000000000B6: 48 8B 0D 00 00 00  mov rcx,qword ptr [g_lpwPrintBuffer]  ; arg1 = destination
                    00
  00000000000000BD: FF 15 00 00 00 00  call qword ptr [__imp_MSVCRT$_vsnwprintf_s]
  00000000000000C3: 85 C0              test eax,eax
  00000000000000C5: 75 0A              jne 00000000000000D1             ; any non-zero return is taken as success
  00000000000000C7: C7 44 24 30 05 40  mov dword ptr [rsp+30h],80004005h ; hr = E_FAIL only when zero characters were produced
                    00 80
  ; NOTE(review): _vsnwprintf_s reports errors and truncation with -1, which the
  ; test above accepts as success; only an empty result reaches the E_FAIL path.
  ; A `cmp eax,0 / jle` shape would treat both as failure -- confirm the intent.
  00000000000000CF: EB 5E              jmp 000000000000012F
  00000000000000D1: 48 83 3D 00 00 00  cmp qword ptr [g_lpStream],0     ; append only if a stream exists
                    00 00
  00000000000000D9: 74 4C              je 0000000000000127
  00000000000000DB: 48 8B 0D 00 00 00  mov rcx,qword ptr [g_lpwPrintBuffer]
                    00
  00000000000000E2: FF 15 00 00 00 00  call qword ptr [__imp_MSVCRT$wcslen]
  00000000000000E8: 8B C0              mov eax,eax                      ; keep the low 32 bits (zero-extends into rax)
  00000000000000EA: 48 D1 E0           shl rax,1                        ; byte count = wchar count * 2
  00000000000000ED: 48 8B 0D 00 00 00  mov rcx,qword ptr [g_lpStream]
                    00
  00000000000000F4: 48 8B 09           mov rcx,qword ptr [rcx]          ; rcx = g_lpStream->lpVtbl
  00000000000000F7: 48 89 4C 24 40     mov qword ptr [rsp+40h],rcx      ; cache the vtable pointer in a local
  00000000000000FC: 4C 8D 4C 24 34     lea r9,[rsp+34h]                 ; arg4 = pcbWritten = &cbWritten
  0000000000000101: 44 8B C0           mov r8d,eax                      ; arg3 = cb (bytes)
  0000000000000104: 48 8B 15 00 00 00  mov rdx,qword ptr [g_lpwPrintBuffer]  ; arg2 = pv
                    00
  000000000000010B: 48 8B 0D 00 00 00  mov rcx,qword ptr [g_lpStream]   ; arg1 = this
                    00
  0000000000000112: 48 8B 44 24 40     mov rax,qword ptr [rsp+40h]
  0000000000000117: FF 50 20           call qword ptr [rax+20h]         ; IStream::Write (vtable offset 0x20)
  000000000000011A: 89 44 24 30        mov dword ptr [rsp+30h],eax      ; hr = Write result
  000000000000011E: 83 7C 24 30 00     cmp dword ptr [rsp+30h],0
  0000000000000123: 7D 02              jge 0000000000000127             ; SUCCEEDED -> normalise to S_OK
  0000000000000125: EB 08              jmp 000000000000012F             ; FAILED -> keep hr, go to common exit
  0000000000000127: C7 44 24 30 00 00  mov dword ptr [rsp+30h],0        ; hr = S_OK (also reached when there is no stream)
                    00 00
  000000000000012F: 48 83 3D 00 00 00  cmp qword ptr [g_lpwPrintBuffer],0  ; common exit: wipe the formatted line
                    00 00
  0000000000000137: 74 15              je 000000000000014E
  0000000000000139: 41 B8 00 40 00 00  mov r8d,4000h                    ; memset(buf, 0, 0x4000): 0x2000 wchar_t * 2 = whole buffer
  000000000000013F: 33 D2              xor edx,edx
  0000000000000141: 48 8B 0D 00 00 00  mov rcx,qword ptr [g_lpwPrintBuffer]
                    00
  0000000000000148: FF 15 00 00 00 00  call qword ptr [__imp_MSVCRT$memset]
  000000000000014E: 48 C7 44 24 38 00  mov qword ptr [rsp+38h],0        ; va_end
                    00 00 00
  0000000000000157: 8B 44 24 30        mov eax,dword ptr [rsp+30h]      ; return hr
  000000000000015B: 48 83 C4 58        add rsp,58h
  000000000000015F: C3                 ret
  0000000000000160: CC                 int 3                            ; padding to the next 16-byte boundary (0x170)
  0000000000000161: CC                 int 3
  0000000000000162: CC                 int 3
  0000000000000163: CC                 int 3
  0000000000000164: CC                 int 3
  0000000000000165: CC                 int 3
  0000000000000166: CC                 int 3
  0000000000000167: CC                 int 3
  0000000000000168: CC                 int 3
  0000000000000169: CC                 int 3
  000000000000016A: CC                 int 3
  000000000000016B: CC                 int 3
  000000000000016C: CC                 int 3
  000000000000016D: CC                 int 3
  000000000000016E: CC                 int 3
  000000000000016F: CC                 int 3

;-----------------------------------------------------------------------
; BeaconOutputStreamW   (MS x64 ABI, takes no arguments; return value unused)
; Copies the whole contents of g_lpStream into a zeroed heap buffer, hands
; it to BeaconPrintf, then releases the stream, frees g_lpwPrintBuffer and
; frees the heap copy.
; Locals (after push rdi / sub rsp,0A0h): [rsp+50h..9Fh] STATSTG (0x50 bytes),
;         [rsp+30h] size (low 32 bits of cbSize, zero-extended),
;         [rsp+38h] size+1, [rsp+20h] heap buffer, [rsp+28h] cbRead,
;         [rsp+40h] seek offset (0)
; rdi is callee-saved and is used by rep stos, hence the push/pop.
;-----------------------------------------------------------------------
BeaconOutputStreamW:
  0000000000000170: 40 57              push rdi
  0000000000000172: 48 81 EC A0 00 00  sub rsp,0A0h                     ; 8 (ret) + 8 (rdi) + 0xA0 -> rsp 16-aligned at calls
                    00
  0000000000000179: 48 8D 44 24 50     lea rax,[rsp+50h]
  000000000000017E: 48 8B F8           mov rdi,rax
  0000000000000181: 33 C0              xor eax,eax
  0000000000000183: B9 50 00 00 00     mov ecx,50h
  0000000000000188: F3 AA              rep stos byte ptr [rdi]          ; memset(&statstg, 0, 0x50) -- 0x50 is sizeof(STATSTG) on x64
  000000000000018A: 48 C7 44 24 30 00  mov qword ptr [rsp+30h],0        ; size = 0
                    00 00 00
  0000000000000193: C7 44 24 28 00 00  mov dword ptr [rsp+28h],0        ; cbRead = 0
                    00 00
  000000000000019B: 48 C7 44 24 20 00  mov qword ptr [rsp+20h],0        ; buf = NULL
                    00 00 00
  00000000000001A4: 48 8B 05 00 00 00  mov rax,qword ptr [g_lpStream]   ; g_lpStream is dereferenced here without a NULL check;
                    00                                                  ;   the caller must have written to the stream first
  00000000000001AB: 48 8B 00           mov rax,qword ptr [rax]          ; rax = lpVtbl
  00000000000001AE: 41 B8 01 00 00 00  mov r8d,1                        ; arg3 = grfStatFlag = STATFLAG_NONAME
  00000000000001B4: 48 8D 54 24 50     lea rdx,[rsp+50h]                ; arg2 = &statstg
  00000000000001B9: 48 8B 0D 00 00 00  mov rcx,qword ptr [g_lpStream]   ; arg1 = this
                    00
  00000000000001C0: FF 50 60           call qword ptr [rax+60h]         ; IStream::Stat (vtable offset 0x60)
  00000000000001C3: 85 C0              test eax,eax
  00000000000001C5: 7D 05              jge 00000000000001CC
  00000000000001C7: E9 13 01 00 00     jmp 00000000000002DF             ; Stat failed: jumps straight to the epilogue and BYPASSES the
                                                                        ;   cleanup at 276 -> g_lpStream and g_lpwPrintBuffer are not released
  00000000000001CC: 8B 44 24 60        mov eax,dword ptr [rsp+60h]      ; statstg.cbSize.LowPart (cbSize is at STATSTG offset 0x10)
  00000000000001D0: 48 89 44 24 30     mov qword ptr [rsp+30h],rax      ; size (HighPart is ignored)
  00000000000001D5: 48 8B 44 24 30     mov rax,qword ptr [rsp+30h]
  00000000000001DA: 48 FF C0           inc rax
  00000000000001DD: 48 89 44 24 38     mov qword ptr [rsp+38h],rax      ; allocation size = size + 1
  00000000000001E2: FF 15 00 00 00 00  call qword ptr [__imp_KERNEL32$GetProcessHeap]
  00000000000001E8: 48 8B 4C 24 38     mov rcx,qword ptr [rsp+38h]
  00000000000001ED: 4C 8B C1           mov r8,rcx                       ; arg3 = dwBytes = size + 1
  00000000000001F0: BA 08 00 00 00     mov edx,8                        ; arg2 = HEAP_ZERO_MEMORY
  00000000000001F5: 48 8B C8           mov rcx,rax                      ; arg1 = hHeap
  00000000000001F8: FF 15 00 00 00 00  call qword ptr [__imp_KERNEL32$HeapAlloc]
  00000000000001FE: 48 89 44 24 20     mov qword ptr [rsp+20h],rax      ; buf
  0000000000000203: 48 83 7C 24 20 00  cmp qword ptr [rsp+20h],0
  0000000000000209: 74 6B              je 0000000000000276              ; allocation failed -> cleanup
  ; NOTE(review): the stream was filled with UTF-16 text by BeaconPrintToStreamW, yet
  ; only one spare zero byte is reserved. If $SG99870 prints buf as a wide string the
  ; terminator is one byte short -- confirm the format string before relying on it.
  000000000000020B: 48 C7 44 24 40 00  mov qword ptr [rsp+40h],0        ; dlibMove = 0
                    00 00 00
  0000000000000214: 48 8B 05 00 00 00  mov rax,qword ptr [g_lpStream]
                    00
  000000000000021B: 48 8B 00           mov rax,qword ptr [rax]
  000000000000021E: 45 33 C9           xor r9d,r9d                      ; arg4 = plibNewPosition = NULL
  0000000000000221: 45 33 C0           xor r8d,r8d                      ; arg3 = dwOrigin = STREAM_SEEK_SET
  0000000000000224: 48 8B 54 24 40     mov rdx,qword ptr [rsp+40h]      ; arg2 = dlibMove (LARGE_INTEGER by value)
  0000000000000229: 48 8B 0D 00 00 00  mov rcx,qword ptr [g_lpStream]
                    00
  0000000000000230: FF 50 28           call qword ptr [rax+28h]         ; IStream::Seek (vtable offset 0x28): rewind to the start
  0000000000000233: 85 C0              test eax,eax
  0000000000000235: 7D 02              jge 0000000000000239
  0000000000000237: EB 3D              jmp 0000000000000276             ; Seek failed -> cleanup
  0000000000000239: 48 8B 05 00 00 00  mov rax,qword ptr [g_lpStream]
                    00
  0000000000000240: 48 8B 00           mov rax,qword ptr [rax]
  0000000000000243: 4C 8D 4C 24 28     lea r9,[rsp+28h]                 ; arg4 = pcbRead = &cbRead
  0000000000000248: 44 8B 44 24 30     mov r8d,dword ptr [rsp+30h]      ; arg3 = cb = size
  000000000000024D: 48 8B 54 24 20     mov rdx,qword ptr [rsp+20h]      ; arg2 = pv = buf
  0000000000000252: 48 8B 0D 00 00 00  mov rcx,qword ptr [g_lpStream]
                    00
  0000000000000259: FF 50 18           call qword ptr [rax+18h]         ; IStream::Read (vtable offset 0x18)
  000000000000025C: 85 C0              test eax,eax
  000000000000025E: 7D 02              jge 0000000000000262
  0000000000000260: EB 14              jmp 0000000000000276             ; Read failed -> cleanup (cbRead is never compared against size)
  0000000000000262: 4C 8B 44 24 20     mov r8,qword ptr [rsp+20h]       ; arg3 = buf (variadic argument)
  0000000000000267: 48 8D 15 00 00 00  lea rdx,[$SG99870]               ; arg2 = format string (compiler-generated literal)
                    00
  000000000000026E: 33 C9              xor ecx,ecx                      ; arg1 = CALLBACK_OUTPUT (0)
  0000000000000270: FF 15 00 00 00 00  call qword ptr [__imp_BeaconPrintf]
  0000000000000276: 48 83 3D 00 00 00  cmp qword ptr [g_lpStream],0     ; cleanup 1/3: release the stream (also frees its HGLOBAL,
                    00 00                                               ;   fDeleteOnRelease was TRUE)
  000000000000027E: 74 1F              je 000000000000029F
  0000000000000280: 48 8B 05 00 00 00  mov rax,qword ptr [g_lpStream]
                    00
  0000000000000287: 48 8B 00           mov rax,qword ptr [rax]
  000000000000028A: 48 8B 0D 00 00 00  mov rcx,qword ptr [g_lpStream]
                    00
  0000000000000291: FF 50 10           call qword ptr [rax+10h]         ; IUnknown::Release (vtable offset 0x10)
  0000000000000294: 48 C7 05 00 00 00  mov qword ptr [g_lpStream],0     ; g_lpStream = NULL
                    00 00 00 00 00
  000000000000029F: 48 83 3D 00 00 00  cmp qword ptr [g_lpwPrintBuffer],0  ; cleanup 2/3: free the line buffer
                    00 00
  00000000000002A7: 74 18              je 00000000000002C1
  00000000000002A9: 48 8B 0D 00 00 00  mov rcx,qword ptr [g_lpwPrintBuffer]
                    00
  00000000000002B0: FF 15 00 00 00 00  call qword ptr [__imp_MSVCRT$free]
  00000000000002B6: 48 C7 05 00 00 00  mov qword ptr [g_lpwPrintBuffer],0
                    00 00 00 00 00
  00000000000002C1: 48 83 7C 24 20 00  cmp qword ptr [rsp+20h],0        ; cleanup 3/3: free the heap copy (unlike the line buffer it is
  00000000000002C7: 74 16              je 00000000000002DF              ;   not zeroed first)
  00000000000002C9: FF 15 00 00 00 00  call qword ptr [__imp_KERNEL32$GetProcessHeap]
  00000000000002CF: 4C 8B 44 24 20     mov r8,qword ptr [rsp+20h]       ; arg3 = lpMem
  00000000000002D4: 33 D2              xor edx,edx                      ; arg2 = dwFlags = 0
  00000000000002D6: 48 8B C8           mov rcx,rax                      ; arg1 = hHeap
  00000000000002D9: FF 15 00 00 00 00  call qword ptr [__imp_KERNEL32$HeapFree]
  00000000000002DF: 48 81 C4 A0 00 00  add rsp,0A0h
                    00
  00000000000002E6: 5F                 pop rdi
  00000000000002E7: C3                 ret
  00000000000002E8: CC                 int 3                            ; padding to 0x2F0
  00000000000002E9: CC                 int 3
  00000000000002EA: CC                 int 3
  00000000000002EB: CC                 int 3
  00000000000002EC: CC                 int 3
  00000000000002ED: CC                 int 3
  00000000000002EE: CC                 int 3
  00000000000002EF: CC                 int 3

;-----------------------------------------------------------------------
; ListProcesses   (MS x64 ABI)
; Apparent C shape: BOOL ListProcesses(HANDLE hServer)
; In:    rcx = hServer (home slot [rsp+260h] after the frame is set up)
; Out:   eax = [rsp+34h]: 1 once at least one process row was written, else 0
; Locals (after sub rsp,258h): [rsp+38h] dwCount, [rsp+40h] PWTS_PROCESS_INFOA pInfo,
;         [rsp+30h] i, [rsp+48h] current pProcessName,
;         [rsp+50h..24Fh] wchar_t wname[256] (never zero-initialised),
;         [rsp+20h]/[rsp+28h] 5th/6th stack arguments for the calls below
; Enumerates processes on hServer, writes a header and one row per process to
; the stream via BeaconPrintToStreamW, then closes hServer.
;-----------------------------------------------------------------------
ListProcesses:
  00000000000002F0: 48 89 4C 24 08     mov qword ptr [rsp+8],rcx        ; spill hServer
  00000000000002F5: 48 81 EC 58 02 00  sub rsp,258h
                    00
  00000000000002FC: C7 44 24 38 00 00  mov dword ptr [rsp+38h],0        ; dwCount = 0
                    00 00
  0000000000000304: C7 44 24 34 00 00  mov dword ptr [rsp+34h],0        ; result = FALSE
                    00 00
  000000000000030C: 48 8D 44 24 38     lea rax,[rsp+38h]
  0000000000000311: 48 89 44 24 20     mov qword ptr [rsp+20h],rax      ; arg5 (stack) = pCount = &dwCount
  0000000000000316: 4C 8D 4C 24 40     lea r9,[rsp+40h]                 ; arg4 = ppProcessInfo = &pInfo
  000000000000031B: 41 B8 01 00 00 00  mov r8d,1                        ; arg3 = Version = 1
  0000000000000321: 33 D2              xor edx,edx                      ; arg2 = Reserved = 0
  0000000000000323: 48 8B 8C 24 60 02  mov rcx,qword ptr [rsp+260h]     ; arg1 = hServer
                    00 00
  000000000000032B: FF 15 00 00 00 00  call qword ptr [__imp_WTSAPI32$WTSEnumerateProcessesA]
  0000000000000331: 85 C0              test eax,eax
  0000000000000333: 75 1B              jne 0000000000000350
  0000000000000335: 48 8D 15 00 00 00  lea rdx,[$SG99888]               ; enumeration failed: report and return FALSE
                    00
  000000000000033C: B9 0D 00 00 00     mov ecx,0Dh                      ; CALLBACK_ERROR (0x0d)
  0000000000000341: FF 15 00 00 00 00  call qword ptr [__imp_BeaconPrintf]
  0000000000000347: 8B 44 24 34        mov eax,dword ptr [rsp+34h]
  000000000000034B: E9 CE 00 00 00     jmp 000000000000041E             ; skips WTSCloseServer -> hServer is left open on this path
  0000000000000350: 48 8D 0D 00 00 00  lea rcx,[$SG99889]               ; two header lines into the stream (HRESULTs ignored)
                    00
  0000000000000357: E8 00 00 00 00     call BeaconPrintToStreamW
  000000000000035C: 48 8D 0D 00 00 00  lea rcx,[$SG99890]
                    00
  0000000000000363: E8 00 00 00 00     call BeaconPrintToStreamW
  0000000000000368: C7 44 24 30 00 00  mov dword ptr [rsp+30h],0        ; i = 0
                    00 00
  0000000000000370: EB 0A              jmp 000000000000037C             ; for (i = 0; i < dwCount; i++)
  0000000000000372: 8B 44 24 30        mov eax,dword ptr [rsp+30h]      ; loop increment
  0000000000000376: FF C0              inc eax
  0000000000000378: 89 44 24 30        mov dword ptr [rsp+30h],eax
  000000000000037C: 8B 44 24 38        mov eax,dword ptr [rsp+38h]      ; loop condition
  0000000000000380: 39 44 24 30        cmp dword ptr [rsp+30h],eax
  0000000000000384: 0F 83 82 00 00 00  jae 000000000000040C             ; unsigned: i >= dwCount -> done
  000000000000038A: 48 63 44 24 30     movsxd rax,dword ptr [rsp+30h]
  000000000000038F: 48 6B C0 18        imul rax,rax,18h                 ; i * sizeof(WTS_PROCESS_INFOA) (0x18 on x64)
  0000000000000393: 48 8B 4C 24 40     mov rcx,qword ptr [rsp+40h]
  0000000000000398: 48 8B 44 01 08     mov rax,qword ptr [rcx+rax+8]    ; pInfo[i].pProcessName (field offset 8)
  000000000000039D: 48 89 44 24 48     mov qword ptr [rsp+48h],rax
  00000000000003A2: C7 44 24 28 00 01  mov dword ptr [rsp+28h],100h     ; arg6 (stack) = cchWideChar = 256
                    00 00
  00000000000003AA: 48 8D 44 24 50     lea rax,[rsp+50h]
  00000000000003AF: 48 89 44 24 20     mov qword ptr [rsp+20h],rax      ; arg5 (stack) = lpWideCharStr = wname
  00000000000003B4: 41 B9 FF FF FF FF  mov r9d,0FFFFFFFFh               ; arg4 = cbMultiByte = -1 (NUL-terminated input)
  00000000000003BA: 4C 8B 44 24 48     mov r8,qword ptr [rsp+48h]       ; arg3 = lpMultiByteStr = pProcessName
  00000000000003BF: 33 D2              xor edx,edx                      ; arg2 = dwFlags = 0
  00000000000003C1: 33 C9              xor ecx,ecx                      ; arg1 = CodePage = CP_ACP
  00000000000003C3: FF 15 00 00 00 00  call qword ptr [__imp_KERNEL32$MultiByteToWideChar]
  ; NOTE(review): the return value is not checked and wname is never zeroed. If the
  ; conversion fails (e.g. a name that does not fit in 256 wchar_t) the row below
  ; formats an unterminated stack buffer. A `test eax,eax / jz` skip, or zeroing
  ; wname before the call, would close that.
  00000000000003C9: 48 63 44 24 30     movsxd rax,dword ptr [rsp+30h]
  00000000000003CE: 48 6B C0 18        imul rax,rax,18h
  00000000000003D2: 48 63 4C 24 30     movsxd rcx,dword ptr [rsp+30h]
  00000000000003D7: 48 6B C9 18        imul rcx,rcx,18h                 ; same element offset computed twice (unoptimised build)
  00000000000003DB: 48 8B 54 24 40     mov rdx,qword ptr [rsp+40h]
  00000000000003E0: 44 8B 0C 02        mov r9d,dword ptr [rdx+rax]      ; arg4 = pInfo[i].SessionId (field offset 0)
  00000000000003E4: 48 8B 44 24 40     mov rax,qword ptr [rsp+40h]
  00000000000003E9: 44 8B 44 08 04     mov r8d,dword ptr [rax+rcx+4]    ; arg3 = pInfo[i].ProcessId (field offset 4)
  00000000000003EE: 48 8D 54 24 50     lea rdx,[rsp+50h]                ; arg2 = wname
  00000000000003F3: 48 8D 0D 00 00 00  lea rcx,[$SG99891]               ; arg1 = row format string
                    00
  00000000000003FA: E8 00 00 00 00     call BeaconPrintToStreamW
  00000000000003FF: C7 44 24 34 01 00  mov dword ptr [rsp+34h],1        ; result = TRUE (only set inside the loop, so an empty
                    00 00                                               ;   enumeration returns FALSE after the headers were written)
  0000000000000407: E9 66 FF FF FF     jmp 0000000000000372
  000000000000040C: 48 8B 8C 24 60 02  mov rcx,qword ptr [rsp+260h]
                    00 00
  0000000000000414: FF 15 00 00 00 00  call qword ptr [__imp_WTSAPI32$WTSCloseServer]  ; closes the handle the caller opened
  ; NOTE(review): pInfo is never handed to WTSFreeMemory -- no such call appears
  ; anywhere in this object -- so the enumeration buffer leaks on every call.
  000000000000041A: 8B 44 24 34        mov eax,dword ptr [rsp+34h]
  000000000000041E: 48 81 C4 58 02 00  add rsp,258h
                    00
  0000000000000425: C3                 ret
  0000000000000426: CC                 int 3                            ; padding to 0x430
  0000000000000427: CC                 int 3
  0000000000000428: CC                 int 3
  0000000000000429: CC                 int 3
  000000000000042A: CC                 int 3
  000000000000042B: CC                 int 3
  000000000000042C: CC                 int 3
  000000000000042D: CC                 int 3
  000000000000042E: CC                 int 3
  000000000000042F: CC                 int 3

;-----------------------------------------------------------------------
; go   (BOF entry point, MS x64 ABI)
; Apparent C shape: void go(char *args, int len)
; In:    rcx = args (home [rsp+60h]), edx = len (home [rsp+68h])
; Out:   eax = 0 on every path
; Locals (after sub rsp,58h): [rsp+38h..] datap parser, [rsp+24h] extracted
;         string size, [rsp+30h] server name, [rsp+28h] hServer,
;         [rsp+20h] ListProcesses result
; Parses one string argument (server name), opens it with WTSOpenServerA,
; runs ListProcesses and, on success, flushes the report with BeaconOutputStreamW.
;-----------------------------------------------------------------------
go:
  0000000000000430: 89 54 24 10        mov dword ptr [rsp+10h],edx      ; spill len
  0000000000000434: 48 89 4C 24 08     mov qword ptr [rsp+8],rcx        ; spill args
  0000000000000439: 48 83 EC 58        sub rsp,58h
  000000000000043D: C7 44 24 24 00 00  mov dword ptr [rsp+24h],0        ; size = 0
                    00 00
  0000000000000445: 48 C7 44 24 28 00  mov qword ptr [rsp+28h],0        ; hServer = NULL
                    00 00 00
  000000000000044E: C7 44 24 20 00 00  mov dword ptr [rsp+20h],0        ; result = 0
                    00 00
  0000000000000456: 44 8B 44 24 68     mov r8d,dword ptr [rsp+68h]      ; arg3 = len
  000000000000045B: 48 8B 54 24 60     mov rdx,qword ptr [rsp+60h]      ; arg2 = args
  0000000000000460: 48 8D 4C 24 38     lea rcx,[rsp+38h]                ; arg1 = &parser
  0000000000000465: FF 15 00 00 00 00  call qword ptr [__imp_BeaconDataParse]
  000000000000046B: 48 8D 54 24 24     lea rdx,[rsp+24h]                ; arg2 = &size
  0000000000000470: 48 8D 4C 24 38     lea rcx,[rsp+38h]                ; arg1 = &parser
  0000000000000475: FF 15 00 00 00 00  call qword ptr [__imp_BeaconDataExtract]
  000000000000047B: 48 89 44 24 30     mov qword ptr [rsp+30h],rax      ; server name from the operator-supplied argument packet
  0000000000000480: 48 8B 4C 24 30     mov rcx,qword ptr [rsp+30h]      ; passed straight on; NOTE(review): no NULL/empty check on
  0000000000000485: FF 15 00 00 00 00  call qword ptr [__imp_WTSAPI32$WTSOpenServerA]  ;   the extracted string
  000000000000048B: 48 89 44 24 28     mov qword ptr [rsp+28h],rax      ; hServer, not validated here; presumably a bad handle only
  0000000000000490: 48 8B 4C 24 28     mov rcx,qword ptr [rsp+28h]      ;   surfaces as the WTSEnumerateProcessesA failure in ListProcesses
  0000000000000495: E8 00 00 00 00     call ListProcesses               ; ListProcesses also closes hServer on its success path
  000000000000049A: 89 44 24 20        mov dword ptr [rsp+20h],eax
  000000000000049E: 83 7C 24 20 00     cmp dword ptr [rsp+20h],0
  00000000000004A3: 75 18              jne 00000000000004BD
  00000000000004A5: 48 8D 15 00 00 00  lea rdx,[$SG99908]               ; failure message
                    00
  00000000000004AC: B9 0D 00 00 00     mov ecx,0Dh                      ; CALLBACK_ERROR
  00000000000004B1: FF 15 00 00 00 00  call qword ptr [__imp_BeaconPrintf]
  ; NOTE(review): BeaconOutputStreamW is skipped on this path. When the enumeration
  ; succeeded but returned zero processes, ListProcesses has already created
  ; g_lpStream / g_lpwPrintBuffer for the header lines, and they are never released.
  00000000000004B7: 33 C0              xor eax,eax
  00000000000004B9: EB 18              jmp 00000000000004D3             ; return 0
  00000000000004BB: EB 14              jmp 00000000000004D1             ; unreachable (dead branch left by the unoptimised build)
  00000000000004BD: E8 00 00 00 00     call BeaconOutputStreamW         ; send the report and free the globals
  00000000000004C2: 48 8D 15 00 00 00  lea rdx,[$SG99909]               ; completion message
                    00
  00000000000004C9: 33 C9              xor ecx,ecx                      ; CALLBACK_OUTPUT
  00000000000004CB: FF 15 00 00 00 00  call qword ptr [__imp_BeaconPrintf]
  00000000000004D1: 33 C0              xor eax,eax
  00000000000004D3: 48 83 C4 58        add rsp,58h
  00000000000004D7: C3                 ret

  Summary
; .text$mn is 0x4D8 bytes, matching the last instruction at 0x4D7; .pdata/.xdata
; carry the x64 unwind records for the four functions, .drectve the linker
; directives, and .data the string literals referenced as $SG symbols above.

          38 .chks64
         1E1 .data
          80 .debug$S
          5D .drectve
          30 .pdata
         4D8 .text$mn
          24 .xdata