| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930 |
- Microsoft (R) COFF/PE Dumper Version 14.29.30148.0
- Copyright (C) Microsoft Corporation. All rights reserved.
- Dump of file findsysmon.o
- File Type: COFF OBJECT
- BeaconPrintToStreamW:
- 0000000000000000: 48 89 4C 24 08 mov qword ptr [rsp+8],rcx
- 0000000000000005: 48 89 54 24 10 mov qword ptr [rsp+10h],rdx
- 000000000000000A: 4C 89 44 24 18 mov qword ptr [rsp+18h],r8
- 000000000000000F: 4C 89 4C 24 20 mov qword ptr [rsp+20h],r9
- 0000000000000014: 48 83 EC 58 sub rsp,58h
- 0000000000000018: C7 44 24 30 01 00 mov dword ptr [rsp+30h],1
- 00 00
- 0000000000000020: C7 44 24 34 00 00 mov dword ptr [rsp+34h],0
- 00 00
- 0000000000000028: 48 83 3D 00 00 00 cmp qword ptr [g_lpStream],1
- 00 01
- 0000000000000030: 77 28 ja 000000000000005A
- 0000000000000032: 4C 8D 05 00 00 00 lea r8,[g_lpStream]
- 00
- 0000000000000039: BA 01 00 00 00 mov edx,1
- 000000000000003E: 33 C9 xor ecx,ecx
- 0000000000000040: FF 15 00 00 00 00 call qword ptr [__imp_OLE32$CreateStreamOnHGlobal]
- 0000000000000046: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 000000000000004A: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
- 000000000000004F: 7D 09 jge 000000000000005A
- 0000000000000051: 8B 44 24 30 mov eax,dword ptr [rsp+30h]
- 0000000000000055: E9 01 01 00 00 jmp 000000000000015B
- 000000000000005A: 48 83 3D 00 00 00 cmp qword ptr [g_lpwPrintBuffer],1
- 00 01
- 0000000000000062: 77 2E ja 0000000000000092
- 0000000000000064: BA 02 00 00 00 mov edx,2
- 0000000000000069: B9 00 20 00 00 mov ecx,2000h
- 000000000000006E: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$calloc]
- 0000000000000074: 48 89 05 00 00 00 mov qword ptr [g_lpwPrintBuffer],rax
- 00
- 000000000000007B: 48 83 3D 00 00 00 cmp qword ptr [g_lpwPrintBuffer],0
- 00 00
- 0000000000000083: 75 0D jne 0000000000000092
- 0000000000000085: C7 44 24 30 05 40 mov dword ptr [rsp+30h],80004005h
- 00 80
- 000000000000008D: E9 9D 00 00 00 jmp 000000000000012F
- 0000000000000092: 48 8D 44 24 68 lea rax,[rsp+68h]
- 0000000000000097: 48 89 44 24 38 mov qword ptr [rsp+38h],rax
- 000000000000009C: 48 8B 44 24 38 mov rax,qword ptr [rsp+38h]
- 00000000000000A1: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
- 00000000000000A6: 4C 8B 4C 24 60 mov r9,qword ptr [rsp+60h]
- 00000000000000AB: 41 B8 FF 1F 00 00 mov r8d,1FFFh
- 00000000000000B1: BA 00 20 00 00 mov edx,2000h
- 00000000000000B6: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpwPrintBuffer]
- 00
- 00000000000000BD: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$_vsnwprintf_s]
- 00000000000000C3: 85 C0 test eax,eax
- 00000000000000C5: 75 0A jne 00000000000000D1
- 00000000000000C7: C7 44 24 30 05 40 mov dword ptr [rsp+30h],80004005h
- 00 80
- 00000000000000CF: EB 5E jmp 000000000000012F
- 00000000000000D1: 48 83 3D 00 00 00 cmp qword ptr [g_lpStream],0
- 00 00
- 00000000000000D9: 74 4C je 0000000000000127
- 00000000000000DB: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpwPrintBuffer]
- 00
- 00000000000000E2: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$wcslen]
- 00000000000000E8: 8B C0 mov eax,eax
- 00000000000000EA: 48 D1 E0 shl rax,1
- 00000000000000ED: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
- 00
- 00000000000000F4: 48 8B 09 mov rcx,qword ptr [rcx]
- 00000000000000F7: 48 89 4C 24 40 mov qword ptr [rsp+40h],rcx
- 00000000000000FC: 4C 8D 4C 24 34 lea r9,[rsp+34h]
- 0000000000000101: 44 8B C0 mov r8d,eax
- 0000000000000104: 48 8B 15 00 00 00 mov rdx,qword ptr [g_lpwPrintBuffer]
- 00
- 000000000000010B: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
- 00
- 0000000000000112: 48 8B 44 24 40 mov rax,qword ptr [rsp+40h]
- 0000000000000117: FF 50 20 call qword ptr [rax+20h]
- 000000000000011A: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 000000000000011E: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
- 0000000000000123: 7D 02 jge 0000000000000127
- 0000000000000125: EB 08 jmp 000000000000012F
- 0000000000000127: C7 44 24 30 00 00 mov dword ptr [rsp+30h],0
- 00 00
- 000000000000012F: 48 83 3D 00 00 00 cmp qword ptr [g_lpwPrintBuffer],0
- 00 00
- 0000000000000137: 74 15 je 000000000000014E
- 0000000000000139: 41 B8 00 40 00 00 mov r8d,4000h
- 000000000000013F: 33 D2 xor edx,edx
- 0000000000000141: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpwPrintBuffer]
- 00
- 0000000000000148: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memset]
- 000000000000014E: 48 C7 44 24 38 00 mov qword ptr [rsp+38h],0
- 00 00 00
- 0000000000000157: 8B 44 24 30 mov eax,dword ptr [rsp+30h]
- 000000000000015B: 48 83 C4 58 add rsp,58h
- 000000000000015F: C3 ret
- 0000000000000160: CC int 3
- 0000000000000161: CC int 3
- 0000000000000162: CC int 3
- 0000000000000163: CC int 3
- 0000000000000164: CC int 3
- 0000000000000165: CC int 3
- 0000000000000166: CC int 3
- 0000000000000167: CC int 3
- 0000000000000168: CC int 3
- 0000000000000169: CC int 3
- 000000000000016A: CC int 3
- 000000000000016B: CC int 3
- 000000000000016C: CC int 3
- 000000000000016D: CC int 3
- 000000000000016E: CC int 3
- 000000000000016F: CC int 3
- BeaconOutputStreamW:
- 0000000000000170: 40 57 push rdi
- 0000000000000172: 48 81 EC A0 00 00 sub rsp,0A0h
- 00
- 0000000000000179: 48 8D 44 24 50 lea rax,[rsp+50h]
- 000000000000017E: 48 8B F8 mov rdi,rax
- 0000000000000181: 33 C0 xor eax,eax
- 0000000000000183: B9 50 00 00 00 mov ecx,50h
- 0000000000000188: F3 AA rep stos byte ptr [rdi]
- 000000000000018A: 48 C7 44 24 30 00 mov qword ptr [rsp+30h],0
- 00 00 00
- 0000000000000193: C7 44 24 28 00 00 mov dword ptr [rsp+28h],0
- 00 00
- 000000000000019B: 48 C7 44 24 20 00 mov qword ptr [rsp+20h],0
- 00 00 00
- 00000000000001A4: 48 8B 05 00 00 00 mov rax,qword ptr [g_lpStream]
- 00
- 00000000000001AB: 48 8B 00 mov rax,qword ptr [rax]
- 00000000000001AE: 41 B8 01 00 00 00 mov r8d,1
- 00000000000001B4: 48 8D 54 24 50 lea rdx,[rsp+50h]
- 00000000000001B9: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
- 00
- 00000000000001C0: FF 50 60 call qword ptr [rax+60h]
- 00000000000001C3: 85 C0 test eax,eax
- 00000000000001C5: 7D 05 jge 00000000000001CC
- 00000000000001C7: E9 13 01 00 00 jmp 00000000000002DF
- 00000000000001CC: 8B 44 24 60 mov eax,dword ptr [rsp+60h]
- 00000000000001D0: 48 89 44 24 30 mov qword ptr [rsp+30h],rax
- 00000000000001D5: 48 8B 44 24 30 mov rax,qword ptr [rsp+30h]
- 00000000000001DA: 48 FF C0 inc rax
- 00000000000001DD: 48 89 44 24 38 mov qword ptr [rsp+38h],rax
- 00000000000001E2: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 00000000000001E8: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
- 00000000000001ED: 4C 8B C1 mov r8,rcx
- 00000000000001F0: BA 08 00 00 00 mov edx,8
- 00000000000001F5: 48 8B C8 mov rcx,rax
- 00000000000001F8: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapAlloc]
- 00000000000001FE: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
- 0000000000000203: 48 83 7C 24 20 00 cmp qword ptr [rsp+20h],0
- 0000000000000209: 74 6B je 0000000000000276
- 000000000000020B: 48 C7 44 24 40 00 mov qword ptr [rsp+40h],0
- 00 00 00
- 0000000000000214: 48 8B 05 00 00 00 mov rax,qword ptr [g_lpStream]
- 00
- 000000000000021B: 48 8B 00 mov rax,qword ptr [rax]
- 000000000000021E: 45 33 C9 xor r9d,r9d
- 0000000000000221: 45 33 C0 xor r8d,r8d
- 0000000000000224: 48 8B 54 24 40 mov rdx,qword ptr [rsp+40h]
- 0000000000000229: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
- 00
- 0000000000000230: FF 50 28 call qword ptr [rax+28h]
- 0000000000000233: 85 C0 test eax,eax
- 0000000000000235: 7D 02 jge 0000000000000239
- 0000000000000237: EB 3D jmp 0000000000000276
- 0000000000000239: 48 8B 05 00 00 00 mov rax,qword ptr [g_lpStream]
- 00
- 0000000000000240: 48 8B 00 mov rax,qword ptr [rax]
- 0000000000000243: 4C 8D 4C 24 28 lea r9,[rsp+28h]
- 0000000000000248: 44 8B 44 24 30 mov r8d,dword ptr [rsp+30h]
- 000000000000024D: 48 8B 54 24 20 mov rdx,qword ptr [rsp+20h]
- 0000000000000252: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
- 00
- 0000000000000259: FF 50 18 call qword ptr [rax+18h]
- 000000000000025C: 85 C0 test eax,eax
- 000000000000025E: 7D 02 jge 0000000000000262
- 0000000000000260: EB 14 jmp 0000000000000276
- 0000000000000262: 4C 8B 44 24 20 mov r8,qword ptr [rsp+20h]
- 0000000000000267: 48 8D 15 00 00 00 lea rdx,[$SG105135]
- 00
- 000000000000026E: 33 C9 xor ecx,ecx
- 0000000000000270: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 0000000000000276: 48 83 3D 00 00 00 cmp qword ptr [g_lpStream],0
- 00 00
- 000000000000027E: 74 1F je 000000000000029F
- 0000000000000280: 48 8B 05 00 00 00 mov rax,qword ptr [g_lpStream]
- 00
- 0000000000000287: 48 8B 00 mov rax,qword ptr [rax]
- 000000000000028A: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
- 00
- 0000000000000291: FF 50 10 call qword ptr [rax+10h]
- 0000000000000294: 48 C7 05 00 00 00 mov qword ptr [g_lpStream],0
- 00 00 00 00 00
- 000000000000029F: 48 83 3D 00 00 00 cmp qword ptr [g_lpwPrintBuffer],0
- 00 00
- 00000000000002A7: 74 18 je 00000000000002C1
- 00000000000002A9: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpwPrintBuffer]
- 00
- 00000000000002B0: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$free]
- 00000000000002B6: 48 C7 05 00 00 00 mov qword ptr [g_lpwPrintBuffer],0
- 00 00 00 00 00
- 00000000000002C1: 48 83 7C 24 20 00 cmp qword ptr [rsp+20h],0
- 00000000000002C7: 74 16 je 00000000000002DF
- 00000000000002C9: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 00000000000002CF: 4C 8B 44 24 20 mov r8,qword ptr [rsp+20h]
- 00000000000002D4: 33 D2 xor edx,edx
- 00000000000002D6: 48 8B C8 mov rcx,rax
- 00000000000002D9: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapFree]
- 00000000000002DF: 48 81 C4 A0 00 00 add rsp,0A0h
- 00
- 00000000000002E6: 5F pop rdi
- 00000000000002E7: C3 ret
- 00000000000002E8: CC int 3
- 00000000000002E9: CC int 3
- 00000000000002EA: CC int 3
- 00000000000002EB: CC int 3
- 00000000000002EC: CC int 3
- 00000000000002ED: CC int 3
- 00000000000002EE: CC int 3
- 00000000000002EF: CC int 3
- PrintSysmonPID:
- 00000000000002F0: 48 89 4C 24 08 mov qword ptr [rsp+8],rcx
- 00000000000002F5: 48 81 EC E8 00 00 sub rsp,0E8h
- 00
- 00000000000002FC: C7 44 24 30 00 00 mov dword ptr [rsp+30h],0
- 00 00
- 0000000000000304: 48 C7 44 24 40 00 mov qword ptr [rsp+40h],0
- 00 00 00
- 000000000000030D: C7 44 24 70 13 75 mov dword ptr [rsp+70h],3837513h
- 83 03
- 0000000000000315: B8 8B 09 00 00 mov eax,98Bh
- 000000000000031A: 66 89 44 24 74 mov word ptr [rsp+74h],ax
- 000000000000031F: B8 D8 11 00 00 mov eax,11D8h
- 0000000000000324: 66 89 44 24 76 mov word ptr [rsp+76h],ax
- 0000000000000329: C6 44 24 78 94 mov byte ptr [rsp+78h],94h
- 000000000000032E: C6 44 24 79 14 mov byte ptr [rsp+79h],14h
- 0000000000000333: C6 44 24 7A 50 mov byte ptr [rsp+7Ah],50h
- 0000000000000338: C6 44 24 7B 50 mov byte ptr [rsp+7Bh],50h
- 000000000000033D: C6 44 24 7C 54 mov byte ptr [rsp+7Ch],54h
- 0000000000000342: C6 44 24 7D 50 mov byte ptr [rsp+7Dh],50h
- 0000000000000347: C6 44 24 7E 30 mov byte ptr [rsp+7Eh],30h
- 000000000000034C: C6 44 24 7F 30 mov byte ptr [rsp+7Fh],30h
- 0000000000000351: C7 44 24 60 12 75 mov dword ptr [rsp+60h],3837512h
- 83 03
- 0000000000000359: B8 8B 09 00 00 mov eax,98Bh
- 000000000000035E: 66 89 44 24 64 mov word ptr [rsp+64h],ax
- 0000000000000363: B8 D8 11 00 00 mov eax,11D8h
- 0000000000000368: 66 89 44 24 66 mov word ptr [rsp+66h],ax
- 000000000000036D: C6 44 24 68 94 mov byte ptr [rsp+68h],94h
- 0000000000000372: C6 44 24 69 14 mov byte ptr [rsp+69h],14h
- 0000000000000377: C6 44 24 6A 50 mov byte ptr [rsp+6Ah],50h
- 000000000000037C: C6 44 24 6B 50 mov byte ptr [rsp+6Bh],50h
- 0000000000000381: C6 44 24 6C 54 mov byte ptr [rsp+6Ch],54h
- 0000000000000386: C6 44 24 6D 50 mov byte ptr [rsp+6Dh],50h
- 000000000000038B: C6 44 24 6E 30 mov byte ptr [rsp+6Eh],30h
- 0000000000000390: C6 44 24 6F 30 mov byte ptr [rsp+6Fh],30h
- 0000000000000395: C7 84 24 80 00 00 mov dword ptr [rsp+80h],20404h
- 00 04 04 02 00
- 00000000000003A0: 33 C0 xor eax,eax
- 00000000000003A2: 66 89 84 24 84 00 mov word ptr [rsp+84h],ax
- 00 00
- 00000000000003AA: 33 C0 xor eax,eax
- 00000000000003AC: 66 89 84 24 86 00 mov word ptr [rsp+86h],ax
- 00 00
- 00000000000003B4: C6 84 24 88 00 00 mov byte ptr [rsp+88h],0C0h
- 00 C0
- 00000000000003BC: C6 84 24 89 00 00 mov byte ptr [rsp+89h],0
- 00 00
- 00000000000003C4: C6 84 24 8A 00 00 mov byte ptr [rsp+8Ah],0
- 00 00
- 00000000000003CC: C6 84 24 8B 00 00 mov byte ptr [rsp+8Bh],0
- 00 00
- 00000000000003D4: C6 84 24 8C 00 00 mov byte ptr [rsp+8Ch],0
- 00 00
- 00000000000003DC: C6 84 24 8D 00 00 mov byte ptr [rsp+8Dh],0
- 00 00
- 00000000000003E4: C6 84 24 8E 00 00 mov byte ptr [rsp+8Eh],0
- 00 00
- 00000000000003EC: C6 84 24 8F 00 00 mov byte ptr [rsp+8Fh],46h
- 00 46
- 00000000000003F4: C7 84 24 90 00 00 mov dword ptr [rsp+90h],3837533h
- 00 33 75 83 03
- 00000000000003FF: B8 8B 09 00 00 mov eax,98Bh
- 0000000000000404: 66 89 84 24 94 00 mov word ptr [rsp+94h],ax
- 00 00
- 000000000000040C: B8 D8 11 00 00 mov eax,11D8h
- 0000000000000411: 66 89 84 24 96 00 mov word ptr [rsp+96h],ax
- 00 00
- 0000000000000419: C6 84 24 98 00 00 mov byte ptr [rsp+98h],94h
- 00 94
- 0000000000000421: C6 84 24 99 00 00 mov byte ptr [rsp+99h],14h
- 00 14
- 0000000000000429: C6 84 24 9A 00 00 mov byte ptr [rsp+9Ah],50h
- 00 50
- 0000000000000431: C6 84 24 9B 00 00 mov byte ptr [rsp+9Bh],50h
- 00 50
- 0000000000000439: C6 84 24 9C 00 00 mov byte ptr [rsp+9Ch],54h
- 00 54
- 0000000000000441: C6 84 24 9D 00 00 mov byte ptr [rsp+9Dh],50h
- 00 50
- 0000000000000449: C6 84 24 9E 00 00 mov byte ptr [rsp+9Eh],30h
- 00 30
- 0000000000000451: C6 84 24 9F 00 00 mov byte ptr [rsp+9Fh],30h
- 00 30
- 0000000000000459: C7 44 24 4C 00 00 mov dword ptr [rsp+4Ch],0
- 00 00
- 0000000000000461: 33 D2 xor edx,edx
- 0000000000000463: 33 C9 xor ecx,ecx
- 0000000000000465: FF 15 00 00 00 00 call qword ptr [__imp_OLE32$CoInitializeEx]
- 000000000000046B: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 000000000000046F: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
- 0000000000000474: 7D 07 jge 000000000000047D
- 0000000000000476: 33 C0 xor eax,eax
- 0000000000000478: E9 55 02 00 00 jmp 00000000000006D2
- 000000000000047D: 48 8D 44 24 40 lea rax,[rsp+40h]
- 0000000000000482: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
- 0000000000000487: 4C 8D 4C 24 60 lea r9,[rsp+60h]
- 000000000000048C: 41 B8 01 00 00 00 mov r8d,1
- 0000000000000492: 33 D2 xor edx,edx
- 0000000000000494: 48 8D 4C 24 70 lea rcx,[rsp+70h]
- 0000000000000499: FF 15 00 00 00 00 call qword ptr [__imp_OLE32$CoCreateInstance]
- 000000000000049F: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 00000000000004A3: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
- 00000000000004A8: 7D 17 jge 00000000000004C1
- 00000000000004AA: 44 8B 44 24 30 mov r8d,dword ptr [rsp+30h]
- 00000000000004AF: 48 8D 15 00 00 00 lea rdx,[$SG105178]
- 00
- 00000000000004B6: B9 0D 00 00 00 mov ecx,0Dh
- 00000000000004BB: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 00000000000004C1: 48 8B 44 24 40 mov rax,qword ptr [rsp+40h]
- 00000000000004C6: 48 8B 00 mov rax,qword ptr [rax]
- 00000000000004C9: 45 33 C0 xor r8d,r8d
- 00000000000004CC: 48 8B 94 24 F0 00 mov rdx,qword ptr [rsp+0F0h]
- 00 00
- 00000000000004D4: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 00000000000004D9: FF 90 A8 00 00 00 call qword ptr [rax+0A8h]
- 00000000000004DF: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 00000000000004E3: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
- 00000000000004E8: 7D 17 jge 0000000000000501
- 00000000000004EA: 44 8B 44 24 30 mov r8d,dword ptr [rsp+30h]
- 00000000000004EF: 48 8D 15 00 00 00 lea rdx,[$SG105180]
- 00
- 00000000000004F6: B9 0D 00 00 00 mov ecx,0Dh
- 00000000000004FB: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 0000000000000501: 48 C7 44 24 38 00 mov qword ptr [rsp+38h],0
- 00 00 00
- 000000000000050A: 48 8B 44 24 40 mov rax,qword ptr [rsp+40h]
- 000000000000050F: 48 8B 00 mov rax,qword ptr [rax]
- 0000000000000512: 48 8D 54 24 38 lea rdx,[rsp+38h]
- 0000000000000517: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 000000000000051C: FF 90 C8 00 00 00 call qword ptr [rax+0C8h]
- 0000000000000522: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 0000000000000526: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
- 000000000000052B: 0F 85 77 01 00 00 jne 00000000000006A8
- 0000000000000531: C7 44 24 48 00 00 mov dword ptr [rsp+48h],0
- 00 00
- 0000000000000539: 48 8B 44 24 38 mov rax,qword ptr [rsp+38h]
- 000000000000053E: 48 8B 00 mov rax,qword ptr [rax]
- 0000000000000541: 48 8D 54 24 48 lea rdx,[rsp+48h]
- 0000000000000546: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
- 000000000000054B: FF 50 38 call qword ptr [rax+38h]
- 000000000000054E: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 0000000000000552: 83 7C 24 48 00 cmp dword ptr [rsp+48h],0
- 0000000000000557: 0F 8E 4B 01 00 00 jle 00000000000006A8
- 000000000000055D: 48 C7 44 24 50 00 mov qword ptr [rsp+50h],0
- 00 00 00
- 0000000000000566: 48 8B 44 24 38 mov rax,qword ptr [rsp+38h]
- 000000000000056B: 48 8B 00 mov rax,qword ptr [rax]
- 000000000000056E: 48 8D 54 24 50 lea rdx,[rsp+50h]
- 0000000000000573: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
- 0000000000000578: FF 50 48 call qword ptr [rax+48h]
- 000000000000057B: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 000000000000057F: 48 C7 84 24 A0 00 mov qword ptr [rsp+0A0h],0
- 00 00 00 00 00 00
- 000000000000058B: 48 8B 44 24 50 mov rax,qword ptr [rsp+50h]
- 0000000000000590: 48 8B 00 mov rax,qword ptr [rax]
- 0000000000000593: 4C 8D 84 24 A0 00 lea r8,[rsp+0A0h]
- 00 00
- 000000000000059B: 48 8D 94 24 80 00 lea rdx,[rsp+80h]
- 00 00
- 00000000000005A3: 48 8B 4C 24 50 mov rcx,qword ptr [rsp+50h]
- 00000000000005A8: FF 10 call qword ptr [rax]
- 00000000000005AA: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 00000000000005AE: 48 8B 44 24 50 mov rax,qword ptr [rsp+50h]
- 00000000000005B3: 48 8B 00 mov rax,qword ptr [rax]
- 00000000000005B6: 48 8B 4C 24 50 mov rcx,qword ptr [rsp+50h]
- 00000000000005BB: FF 50 10 call qword ptr [rax+10h]
- 00000000000005BE: 48 8D 8C 24 C0 00 lea rcx,[rsp+0C0h]
- 00 00
- 00000000000005C6: FF 15 00 00 00 00 call qword ptr [__imp_OLEAUT32$VariantInit]
- 00000000000005CC: 48 8D 8C 24 A8 00 lea rcx,[rsp+0A8h]
- 00 00
- 00000000000005D4: FF 15 00 00 00 00 call qword ptr [__imp_OLEAUT32$VariantInit]
- 00000000000005DA: 48 C7 44 24 58 00 mov qword ptr [rsp+58h],0
- 00 00 00
- 00000000000005E3: 48 8B 84 24 A0 00 mov rax,qword ptr [rsp+0A0h]
- 00 00
- 00000000000005EB: 48 8B 00 mov rax,qword ptr [rax]
- 00000000000005EE: 45 33 C9 xor r9d,r9d
- 00000000000005F1: 4C 8D 84 24 C0 00 lea r8,[rsp+0C0h]
- 00 00
- 00000000000005F9: BA 01 00 00 00 mov edx,1
- 00000000000005FE: 48 8B 8C 24 A0 00 mov rcx,qword ptr [rsp+0A0h]
- 00 00
- 0000000000000606: FF 50 18 call qword ptr [rax+18h]
- 0000000000000609: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 000000000000060D: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
- 0000000000000612: 0F 85 90 00 00 00 jne 00000000000006A8
- 0000000000000618: 48 8B 84 24 C8 00 mov rax,qword ptr [rsp+0C8h]
- 00 00
- 0000000000000620: 48 8B 00 mov rax,qword ptr [rax]
- 0000000000000623: 4C 8D 44 24 58 lea r8,[rsp+58h]
- 0000000000000628: 48 8D 94 24 90 00 lea rdx,[rsp+90h]
- 00 00
- 0000000000000630: 48 8B 8C 24 C8 00 mov rcx,qword ptr [rsp+0C8h]
- 00 00
- 0000000000000638: FF 10 call qword ptr [rax]
- 000000000000063A: 48 8B 44 24 58 mov rax,qword ptr [rsp+58h]
- 000000000000063F: 48 8B 00 mov rax,qword ptr [rax]
- 0000000000000642: 48 8D 94 24 A8 00 lea rdx,[rsp+0A8h]
- 00 00
- 000000000000064A: 48 8B 4C 24 58 mov rcx,qword ptr [rsp+58h]
- 000000000000064F: FF 50 68 call qword ptr [rax+68h]
- 0000000000000652: 83 BC 24 B0 00 00 cmp dword ptr [rsp+0B0h],0
- 00 00
- 000000000000065A: 74 1B je 0000000000000677
- 000000000000065C: 8B 94 24 B0 00 00 mov edx,dword ptr [rsp+0B0h]
- 00
- 0000000000000663: 48 8D 0D 00 00 00 lea rcx,[$SG105184]
- 00
- 000000000000066A: E8 00 00 00 00 call BeaconPrintToStreamW
- 000000000000066F: C7 44 24 4C 01 00 mov dword ptr [rsp+4Ch],1
- 00 00
- 0000000000000677: 48 8D 8C 24 A8 00 lea rcx,[rsp+0A8h]
- 00 00
- 000000000000067F: FF 15 00 00 00 00 call qword ptr [__imp_OLEAUT32$VariantClear]
- 0000000000000685: 48 8B 44 24 58 mov rax,qword ptr [rsp+58h]
- 000000000000068A: 48 8B 00 mov rax,qword ptr [rax]
- 000000000000068D: 48 8B 4C 24 58 mov rcx,qword ptr [rsp+58h]
- 0000000000000692: FF 50 10 call qword ptr [rax+10h]
- 0000000000000695: 48 8D 8C 24 C0 00 lea rcx,[rsp+0C0h]
- 00 00
- 000000000000069D: FF 15 00 00 00 00 call qword ptr [__imp_OLEAUT32$VariantClear]
- 00000000000006A3: E9 3B FF FF FF jmp 00000000000005E3
- 00000000000006A8: 48 8B 44 24 38 mov rax,qword ptr [rsp+38h]
- 00000000000006AD: 48 8B 00 mov rax,qword ptr [rax]
- 00000000000006B0: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
- 00000000000006B5: FF 50 10 call qword ptr [rax+10h]
- 00000000000006B8: 48 8B 44 24 40 mov rax,qword ptr [rsp+40h]
- 00000000000006BD: 48 8B 00 mov rax,qword ptr [rax]
- 00000000000006C0: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 00000000000006C5: FF 50 10 call qword ptr [rax+10h]
- 00000000000006C8: FF 15 00 00 00 00 call qword ptr [__imp_OLE32$CoUninitialize]
- 00000000000006CE: 8B 44 24 4C mov eax,dword ptr [rsp+4Ch]
- 00000000000006D2: 48 81 C4 E8 00 00 add rsp,0E8h
- 00
- 00000000000006D9: C3 ret
- 00000000000006DA: CC int 3
- 00000000000006DB: CC int 3
- 00000000000006DC: CC int 3
- 00000000000006DD: CC int 3
- 00000000000006DE: CC int 3
- 00000000000006DF: CC int 3
- FindSysmon:
- 00000000000006E0: 48 81 EC E8 02 00 sub rsp,2E8h
- 00
- 00000000000006E7: C7 44 24 4C 00 00 mov dword ptr [rsp+4Ch],0
- 00 00
- 00000000000006EF: 48 C7 44 24 40 00 mov qword ptr [rsp+40h],0
- 00 00 00
- 00000000000006F8: 48 C7 44 24 70 00 mov qword ptr [rsp+70h],0
- 00 00 00
- 0000000000000701: C7 44 24 50 00 00 mov dword ptr [rsp+50h],0
- 00 00
- 0000000000000709: C7 44 24 64 00 00 mov dword ptr [rsp+64h],0
- 00 00
- 0000000000000711: C7 44 24 60 E8 FD mov dword ptr [rsp+60h],0FDE8h
- 00 00
- 0000000000000719: 48 C7 44 24 58 00 mov qword ptr [rsp+58h],0
- 00 00 00
- 0000000000000722: C7 44 24 68 00 00 mov dword ptr [rsp+68h],0
- 00 00
- 000000000000072A: 48 8D 44 24 78 lea rax,[rsp+78h]
- 000000000000072F: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
- 0000000000000734: 41 B9 19 00 02 00 mov r9d,20019h
- 000000000000073A: 45 33 C0 xor r8d,r8d
- 000000000000073D: 48 8D 15 00 00 00 lea rdx,[$SG105226]
- 00
- 0000000000000744: 48 C7 C1 02 00 00 mov rcx,0FFFFFFFF80000002h
- 80
- 000000000000074B: FF 15 00 00 00 00 call qword ptr [__imp_ADVAPI32$RegOpenKeyExA]
- 0000000000000751: 85 C0 test eax,eax
- 0000000000000753: 0F 85 CD 00 00 00 jne 0000000000000826
- 0000000000000759: 8B 44 24 60 mov eax,dword ptr [rsp+60h]
- 000000000000075D: 48 89 84 24 88 00 mov qword ptr [rsp+88h],rax
- 00 00
- 0000000000000765: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 000000000000076B: 48 8B 8C 24 88 00 mov rcx,qword ptr [rsp+88h]
- 00 00
- 0000000000000773: 4C 8B C1 mov r8,rcx
- 0000000000000776: BA 08 00 00 00 mov edx,8
- 000000000000077B: 48 8B C8 mov rcx,rax
- 000000000000077E: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapAlloc]
- 0000000000000784: 48 89 44 24 58 mov qword ptr [rsp+58h],rax
- 0000000000000789: 48 83 7C 24 58 00 cmp qword ptr [rsp+58h],0
- 000000000000078F: 75 07 jne 0000000000000798
- 0000000000000791: 33 C0 xor eax,eax
- 0000000000000793: E9 7A 02 00 00 jmp 0000000000000A12
- 0000000000000798: 48 8D 44 24 60 lea rax,[rsp+60h]
- 000000000000079D: 48 89 44 24 30 mov qword ptr [rsp+30h],rax
- 00000000000007A2: 48 8B 44 24 58 mov rax,qword ptr [rsp+58h]
- 00000000000007A7: 48 89 44 24 28 mov qword ptr [rsp+28h],rax
- 00000000000007AC: 48 8D 84 24 80 00 lea rax,[rsp+80h]
- 00 00
- 00000000000007B4: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
- 00000000000007B9: 41 B9 FF FF 00 00 mov r9d,0FFFFh
- 00000000000007BF: 4C 8D 05 00 00 00 lea r8,[$SG105229]
- 00
- 00000000000007C6: 33 D2 xor edx,edx
- 00000000000007C8: 48 8B 4C 24 78 mov rcx,qword ptr [rsp+78h]
- 00000000000007CD: FF 15 00 00 00 00 call qword ptr [__imp_ADVAPI32$RegGetValueA]
- 00000000000007D3: 85 C0 test eax,eax
- 00000000000007D5: 74 07 je 00000000000007DE
- 00000000000007D7: 33 C0 xor eax,eax
- 00000000000007D9: E9 34 02 00 00 jmp 0000000000000A12
- 00000000000007DE: 48 8B 4C 24 58 mov rcx,qword ptr [rsp+58h]
- 00000000000007E3: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$strlen]
- 00000000000007E9: 48 85 C0 test rax,rax
- 00000000000007EC: 74 2F je 000000000000081D
- 00000000000007EE: C7 44 24 28 00 01 mov dword ptr [rsp+28h],100h
- 00 00
- 00000000000007F6: 48 8D 84 24 E0 00 lea rax,[rsp+0E0h]
- 00 00
- 00000000000007FE: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
- 0000000000000803: 41 B9 FF FF FF FF mov r9d,0FFFFFFFFh
- 0000000000000809: 4C 8B 44 24 58 mov r8,qword ptr [rsp+58h]
- 000000000000080E: 33 D2 xor edx,edx
- 0000000000000810: B9 E9 FD 00 00 mov ecx,0FDE9h
- 0000000000000815: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$MultiByteToWideChar]
- 000000000000081B: EB 07 jmp 0000000000000824
- 000000000000081D: 33 C0 xor eax,eax
- 000000000000081F: E9 EE 01 00 00 jmp 0000000000000A12
- 0000000000000824: EB 07 jmp 000000000000082D
- 0000000000000826: 33 C0 xor eax,eax
- 0000000000000828: E9 E5 01 00 00 jmp 0000000000000A12
- 000000000000082D: 48 83 7C 24 58 00 cmp qword ptr [rsp+58h],0
- 0000000000000833: 74 16 je 000000000000084B
- 0000000000000835: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 000000000000083B: 4C 8B 44 24 58 mov r8,qword ptr [rsp+58h]
- 0000000000000840: 33 D2 xor edx,edx
- 0000000000000842: 48 8B C8 mov rcx,rax
- 0000000000000845: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapFree]
- 000000000000084B: 48 8B 4C 24 78 mov rcx,qword ptr [rsp+78h]
- 0000000000000850: FF 15 00 00 00 00 call qword ptr [__imp_ADVAPI32$RegCloseKey]
- 0000000000000856: 48 8D 54 24 50 lea rdx,[rsp+50h]
- 000000000000085B: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 0000000000000860: FF 15 00 00 00 00 call qword ptr [__imp_TDH$TdhEnumerateProviders]
- 0000000000000866: 89 44 24 4C mov dword ptr [rsp+4Ch],eax
- 000000000000086A: 83 7C 24 4C 7A cmp dword ptr [rsp+4Ch],7Ah
- 000000000000086F: 75 4E jne 00000000000008BF
- 0000000000000871: 8B 44 24 50 mov eax,dword ptr [rsp+50h]
- 0000000000000875: 8B D0 mov edx,eax
- 0000000000000877: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 000000000000087C: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$realloc]
- 0000000000000882: 48 89 44 24 70 mov qword ptr [rsp+70h],rax
- 0000000000000887: 48 83 7C 24 70 00 cmp qword ptr [rsp+70h],0
- 000000000000088D: 75 07 jne 0000000000000896
- 000000000000088F: 33 C0 xor eax,eax
- 0000000000000891: E9 7C 01 00 00 jmp 0000000000000A12
- 0000000000000896: 48 8B 44 24 70 mov rax,qword ptr [rsp+70h]
- 000000000000089B: 48 89 44 24 40 mov qword ptr [rsp+40h],rax
- 00000000000008A0: 48 C7 44 24 70 00 mov qword ptr [rsp+70h],0
- 00 00 00
- 00000000000008A9: 48 8D 54 24 50 lea rdx,[rsp+50h]
- 00000000000008AE: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 00000000000008B3: FF 15 00 00 00 00 call qword ptr [__imp_TDH$TdhEnumerateProviders]
- 00000000000008B9: 89 44 24 4C mov dword ptr [rsp+4Ch],eax
- 00000000000008BD: EB AB jmp 000000000000086A
- 00000000000008BF: 83 7C 24 4C 00 cmp dword ptr [rsp+4Ch],0
- 00000000000008C4: 74 17 je 00000000000008DD
- 00000000000008C6: 48 8D 15 00 00 00 lea rdx,[$SG105236]
- 00
- 00000000000008CD: B9 0D 00 00 00 mov ecx,0Dh
- 00000000000008D2: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 00000000000008D8: E9 17 01 00 00 jmp 00000000000009F4
- 00000000000008DD: C7 44 24 48 00 00 mov dword ptr [rsp+48h],0
- 00 00
- 00000000000008E5: EB 0A jmp 00000000000008F1
- 00000000000008E7: 8B 44 24 48 mov eax,dword ptr [rsp+48h]
- 00000000000008EB: FF C0 inc eax
- 00000000000008ED: 89 44 24 48 mov dword ptr [rsp+48h],eax
- 00000000000008F1: 48 8B 44 24 40 mov rax,qword ptr [rsp+40h]
- 00000000000008F6: 8B 00 mov eax,dword ptr [rax]
- 00000000000008F8: 39 44 24 48 cmp dword ptr [rsp+48h],eax
- 00000000000008FC: 0F 83 F2 00 00 00 jae 00000000000009F4
- 0000000000000902: 8B 44 24 48 mov eax,dword ptr [rsp+48h]
- 0000000000000906: 48 6B C0 18 imul rax,rax,18h
- 000000000000090A: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 000000000000090F: 48 8D 44 01 08 lea rax,[rcx+rax+8]
- 0000000000000914: 41 B8 27 00 00 00 mov r8d,27h
- 000000000000091A: 48 8D 94 24 90 00 lea rdx,[rsp+90h]
- 00 00
- 0000000000000922: 48 8B C8 mov rcx,rax
- 0000000000000925: FF 15 00 00 00 00 call qword ptr [__imp_OLE32$StringFromGUID2]
- 000000000000092B: 89 44 24 64 mov dword ptr [rsp+64h],eax
- 000000000000092F: 83 7C 24 64 00 cmp dword ptr [rsp+64h],0
- 0000000000000934: 7D 07 jge 000000000000093D
- 0000000000000936: 33 C0 xor eax,eax
- 0000000000000938: E9 D5 00 00 00 jmp 0000000000000A12
- 000000000000093D: 48 8D 94 24 E0 00 lea rdx,[rsp+0E0h]
- 00 00
- 0000000000000945: 48 8D 8C 24 90 00 lea rcx,[rsp+90h]
- 00 00
- 000000000000094D: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$_wcsicmp]
- 0000000000000953: 85 C0 test eax,eax
- 0000000000000955: 0F 85 94 00 00 00 jne 00000000000009EF
- 000000000000095B: 48 8D 0D 00 00 00 lea rcx,[$SG105239]
- 00
- 0000000000000962: E8 00 00 00 00 call BeaconPrintToStreamW
- 0000000000000967: 48 8D 8C 24 E0 00 lea rcx,[rsp+0E0h]
- 00 00
- 000000000000096F: E8 00 00 00 00 call PrintSysmonPID
- 0000000000000974: 89 44 24 68 mov dword ptr [rsp+68h],eax
- 0000000000000978: 83 7C 24 68 00 cmp dword ptr [rsp+68h],0
- 000000000000097D: 75 0E jne 000000000000098D
- 000000000000097F: 48 8D 0D 00 00 00 lea rcx,[$SG105242]
- 00
- 0000000000000986: E8 00 00 00 00 call BeaconPrintToStreamW
- 000000000000098B: EB 0C jmp 0000000000000999
- 000000000000098D: 48 8D 0D 00 00 00 lea rcx,[$SG105243]
- 00
- 0000000000000994: E8 00 00 00 00 call BeaconPrintToStreamW
- 0000000000000999: 8B 44 24 48 mov eax,dword ptr [rsp+48h]
- 000000000000099D: 48 6B C0 18 imul rax,rax,18h
- 00000000000009A1: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 00000000000009A6: 8B 44 01 1C mov eax,dword ptr [rcx+rax+1Ch]
- 00000000000009AA: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 00000000000009AF: 48 03 C8 add rcx,rax
- 00000000000009B2: 48 8B C1 mov rax,rcx
- 00000000000009B5: 4C 8D 84 24 90 00 lea r8,[rsp+90h]
- 00 00
- 00000000000009BD: 48 8B D0 mov rdx,rax
- 00000000000009C0: 48 8D 0D 00 00 00 lea rcx,[$SG105244]
- 00
- 00000000000009C7: E8 00 00 00 00 call BeaconPrintToStreamW
- 00000000000009CC: 48 83 7C 24 40 00 cmp qword ptr [rsp+40h],0
- 00000000000009D2: 74 14 je 00000000000009E8
- 00000000000009D4: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 00000000000009D9: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$free]
- 00000000000009DF: 48 C7 44 24 40 00 mov qword ptr [rsp+40h],0
- 00 00 00
- 00000000000009E8: B8 01 00 00 00 mov eax,1
- 00000000000009ED: EB 23 jmp 0000000000000A12
- 00000000000009EF: E9 F3 FE FF FF jmp 00000000000008E7
- 00000000000009F4: 48 83 7C 24 40 00 cmp qword ptr [rsp+40h],0
- 00000000000009FA: 74 14 je 0000000000000A10
- 00000000000009FC: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 0000000000000A01: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$free]
- 0000000000000A07: 48 C7 44 24 40 00 mov qword ptr [rsp+40h],0
- 00 00 00
- 0000000000000A10: 33 C0 xor eax,eax
- 0000000000000A12: 48 81 C4 E8 02 00 add rsp,2E8h
- 00
- 0000000000000A19: C3 ret
- 0000000000000A1A: CC int 3
- 0000000000000A1B: CC int 3
- 0000000000000A1C: CC int 3
- 0000000000000A1D: CC int 3
- 0000000000000A1E: CC int 3
- 0000000000000A1F: CC int 3
- PrintMiniFilterData:
- 0000000000000A20: 48 89 4C 24 08 mov qword ptr [rsp+8],rcx
- 0000000000000A25: 48 83 EC 58 sub rsp,58h
- 0000000000000A29: 48 C7 44 24 28 00 mov qword ptr [rsp+28h],0
- 00 00 00
- 0000000000000A32: 48 8B 44 24 60 mov rax,qword ptr [rsp+60h]
- 0000000000000A37: 48 89 44 24 28 mov qword ptr [rsp+28h],rax
- 0000000000000A3C: 48 8B 44 24 28 mov rax,qword ptr [rsp+28h]
- 0000000000000A41: 0F B7 40 14 movzx eax,word ptr [rax+14h]
- 0000000000000A45: 89 44 24 20 mov dword ptr [rsp+20h],eax
- 0000000000000A49: 48 8B 44 24 28 mov rax,qword ptr [rsp+28h]
- 0000000000000A4E: 0F B7 40 16 movzx eax,word ptr [rax+16h]
- 0000000000000A52: 48 8B 4C 24 60 mov rcx,qword ptr [rsp+60h]
- 0000000000000A57: 48 03 C8 add rcx,rax
- 0000000000000A5A: 48 8B C1 mov rax,rcx
- 0000000000000A5D: 48 89 44 24 40 mov qword ptr [rsp+40h],rax
- 0000000000000A62: 8B 44 24 20 mov eax,dword ptr [rsp+20h]
- 0000000000000A66: 83 C0 02 add eax,2
- 0000000000000A69: 48 98 cdqe
- 0000000000000A6B: 48 8B C8 mov rcx,rax
- 0000000000000A6E: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$malloc]
- 0000000000000A74: 48 89 44 24 30 mov qword ptr [rsp+30h],rax
- 0000000000000A79: 8B 44 24 20 mov eax,dword ptr [rsp+20h]
- 0000000000000A7D: 83 C0 02 add eax,2
- 0000000000000A80: 48 98 cdqe
- 0000000000000A82: 4C 8B C0 mov r8,rax
- 0000000000000A85: 33 D2 xor edx,edx
- 0000000000000A87: 48 8B 4C 24 30 mov rcx,qword ptr [rsp+30h]
- 0000000000000A8C: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memset]
- 0000000000000A92: 48 63 44 24 20 movsxd rax,dword ptr [rsp+20h]
- 0000000000000A97: 4C 8B C0 mov r8,rax
- 0000000000000A9A: 48 8B 54 24 40 mov rdx,qword ptr [rsp+40h]
- 0000000000000A9F: 48 8B 4C 24 30 mov rcx,qword ptr [rsp+30h]
- 0000000000000AA4: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memcpy]
- 0000000000000AAA: 48 8B 44 24 28 mov rax,qword ptr [rsp+28h]
- 0000000000000AAF: 0F B7 40 18 movzx eax,word ptr [rax+18h]
- 0000000000000AB3: 89 44 24 24 mov dword ptr [rsp+24h],eax
- 0000000000000AB7: 48 8B 44 24 28 mov rax,qword ptr [rsp+28h]
- 0000000000000ABC: 0F B7 40 1A movzx eax,word ptr [rax+1Ah]
- 0000000000000AC0: 48 8B 4C 24 60 mov rcx,qword ptr [rsp+60h]
- 0000000000000AC5: 48 03 C8 add rcx,rax
- 0000000000000AC8: 48 8B C1 mov rax,rcx
- 0000000000000ACB: 48 89 44 24 40 mov qword ptr [rsp+40h],rax
- 0000000000000AD0: 8B 44 24 24 mov eax,dword ptr [rsp+24h]
- 0000000000000AD4: 83 C0 02 add eax,2
- 0000000000000AD7: 48 98 cdqe
- 0000000000000AD9: 48 8B C8 mov rcx,rax
- 0000000000000ADC: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$malloc]
- 0000000000000AE2: 48 89 44 24 38 mov qword ptr [rsp+38h],rax
- 0000000000000AE7: 8B 44 24 24 mov eax,dword ptr [rsp+24h]
- 0000000000000AEB: 83 C0 02 add eax,2
- 0000000000000AEE: 48 98 cdqe
- 0000000000000AF0: 4C 8B C0 mov r8,rax
- 0000000000000AF3: 33 D2 xor edx,edx
- 0000000000000AF5: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
- 0000000000000AFA: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memset]
- 0000000000000B00: 48 63 44 24 24 movsxd rax,dword ptr [rsp+24h]
- 0000000000000B05: 4C 8B C0 mov r8,rax
- 0000000000000B08: 48 8B 54 24 40 mov rdx,qword ptr [rsp+40h]
- 0000000000000B0D: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
- 0000000000000B12: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memcpy]
- 0000000000000B18: 48 8B 44 24 28 mov rax,qword ptr [rsp+28h]
- 0000000000000B1D: 83 78 04 01 cmp dword ptr [rax+4],1
- 0000000000000B21: 75 1F jne 0000000000000B42
- 0000000000000B23: 48 8B 44 24 28 mov rax,qword ptr [rsp+28h]
- 0000000000000B28: 44 8B 48 10 mov r9d,dword ptr [rax+10h]
- 0000000000000B2C: 4C 8B 44 24 38 mov r8,qword ptr [rsp+38h]
- 0000000000000B31: 48 8B 54 24 30 mov rdx,qword ptr [rsp+30h]
- 0000000000000B36: 48 8D 0D 00 00 00 lea rcx,[$SG105266]
- 00
- 0000000000000B3D: E8 00 00 00 00 call BeaconPrintToStreamW
- 0000000000000B42: 48 8B 4C 24 30 mov rcx,qword ptr [rsp+30h]
- 0000000000000B47: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$free]
- 0000000000000B4D: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
- 0000000000000B52: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$free]
- 0000000000000B58: 33 C0 xor eax,eax
- 0000000000000B5A: 48 83 C4 58 add rsp,58h
- 0000000000000B5E: C3 ret
- 0000000000000B5F: CC int 3
- 0000000000000B60: CC int 3
- 0000000000000B61: CC int 3
- 0000000000000B62: CC int 3
- 0000000000000B63: CC int 3
- 0000000000000B64: CC int 3
- 0000000000000B65: CC int 3
- 0000000000000B66: CC int 3
- 0000000000000B67: CC int 3
- 0000000000000B68: CC int 3
- 0000000000000B69: CC int 3
- 0000000000000B6A: CC int 3
- 0000000000000B6B: CC int 3
- 0000000000000B6C: CC int 3
- 0000000000000B6D: CC int 3
- 0000000000000B6E: CC int 3
- 0000000000000B6F: CC int 3
- FindMiniFilters:
- 0000000000000B70: 48 83 EC 68 sub rsp,68h
- 0000000000000B74: C7 44 24 38 00 04 mov dword ptr [rsp+38h],400h
- 00 00
- 0000000000000B7C: 8B 44 24 38 mov eax,dword ptr [rsp+38h]
- 0000000000000B80: 48 89 44 24 48 mov qword ptr [rsp+48h],rax
- 0000000000000B85: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 0000000000000B8B: 48 8B 4C 24 48 mov rcx,qword ptr [rsp+48h]
- 0000000000000B90: 4C 8B C1 mov r8,rcx
- 0000000000000B93: 33 D2 xor edx,edx
- 0000000000000B95: 48 8B C8 mov rcx,rax
- 0000000000000B98: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapAlloc]
- 0000000000000B9E: 48 89 44 24 40 mov qword ptr [rsp+40h],rax
- 0000000000000BA3: C7 44 24 34 00 00 mov dword ptr [rsp+34h],0
- 00 00
- 0000000000000BAB: 8B 44 24 38 mov eax,dword ptr [rsp+38h]
- 0000000000000BAF: 48 8D 4C 24 50 lea rcx,[rsp+50h]
- 0000000000000BB4: 48 89 4C 24 20 mov qword ptr [rsp+20h],rcx
- 0000000000000BB9: 4C 8D 4C 24 3C lea r9,[rsp+3Ch]
- 0000000000000BBE: 44 8B C0 mov r8d,eax
- 0000000000000BC1: 48 8B 54 24 40 mov rdx,qword ptr [rsp+40h]
- 0000000000000BC6: B9 02 00 00 00 mov ecx,2
- 0000000000000BCB: FF 15 00 00 00 00 call qword ptr [__imp_Fltlib$FilterFindFirst]
- 0000000000000BD1: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 0000000000000BD5: 81 7C 24 30 03 01 cmp dword ptr [rsp+30h],80070103h
- 07 80
- 0000000000000BDD: 75 09 jne 0000000000000BE8
- 0000000000000BDF: 8B 44 24 34 mov eax,dword ptr [rsp+34h]
- 0000000000000BE3: E9 A8 00 00 00 jmp 0000000000000C90
- 0000000000000BE8: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
- 0000000000000BED: 74 09 je 0000000000000BF8
- 0000000000000BEF: 8B 44 24 34 mov eax,dword ptr [rsp+34h]
- 0000000000000BF3: E9 98 00 00 00 jmp 0000000000000C90
- 0000000000000BF8: 48 8D 0D 00 00 00 lea rcx,[$SG105287]
- 00
- 0000000000000BFF: E8 00 00 00 00 call BeaconPrintToStreamW
- 0000000000000C04: 48 8D 0D 00 00 00 lea rcx,[$SG105288]
- 00
- 0000000000000C0B: E8 00 00 00 00 call BeaconPrintToStreamW
- 0000000000000C10: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 0000000000000C15: E8 00 00 00 00 call PrintMiniFilterData
- 0000000000000C1A: C7 44 24 34 01 00 mov dword ptr [rsp+34h],1
- 00 00
- 0000000000000C22: 33 C0 xor eax,eax
- 0000000000000C24: 83 F8 01 cmp eax,1
- 0000000000000C27: 74 4D je 0000000000000C76
- 0000000000000C29: 48 8D 44 24 3C lea rax,[rsp+3Ch]
- 0000000000000C2E: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
- 0000000000000C33: 44 8B 4C 24 38 mov r9d,dword ptr [rsp+38h]
- 0000000000000C38: 4C 8B 44 24 40 mov r8,qword ptr [rsp+40h]
- 0000000000000C3D: BA 02 00 00 00 mov edx,2
- 0000000000000C42: 48 8B 4C 24 50 mov rcx,qword ptr [rsp+50h]
- 0000000000000C47: FF 15 00 00 00 00 call qword ptr [__imp_Fltlib$FilterFindNext]
- 0000000000000C4D: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 0000000000000C51: 81 7C 24 30 03 01 cmp dword ptr [rsp+30h],80070103h
- 07 80
- 0000000000000C59: 75 02 jne 0000000000000C5D
- 0000000000000C5B: EB 19 jmp 0000000000000C76
- 0000000000000C5D: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
- 0000000000000C62: 74 06 je 0000000000000C6A
- 0000000000000C64: 8B 44 24 34 mov eax,dword ptr [rsp+34h]
- 0000000000000C68: EB 26 jmp 0000000000000C90
- 0000000000000C6A: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]
- 0000000000000C6F: E8 00 00 00 00 call PrintMiniFilterData
- 0000000000000C74: EB AC jmp 0000000000000C22
- 0000000000000C76: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 0000000000000C7C: 4C 8B 44 24 40 mov r8,qword ptr [rsp+40h]
- 0000000000000C81: 33 D2 xor edx,edx
- 0000000000000C83: 48 8B C8 mov rcx,rax
- 0000000000000C86: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapFree]
- 0000000000000C8C: 8B 44 24 34 mov eax,dword ptr [rsp+34h]
- 0000000000000C90: 48 83 C4 68 add rsp,68h
- 0000000000000C94: C3 ret
- 0000000000000C95: CC int 3
- 0000000000000C96: CC int 3
- 0000000000000C97: CC int 3
- 0000000000000C98: CC int 3
- 0000000000000C99: CC int 3
- 0000000000000C9A: CC int 3
- 0000000000000C9B: CC int 3
- 0000000000000C9C: CC int 3
- 0000000000000C9D: CC int 3
- 0000000000000C9E: CC int 3
- 0000000000000C9F: CC int 3
- go:
- 0000000000000CA0: 89 54 24 10 mov dword ptr [rsp+10h],edx
- 0000000000000CA4: 48 89 4C 24 08 mov qword ptr [rsp+8],rcx
- 0000000000000CA9: 48 83 EC 58 sub rsp,58h
- 0000000000000CAD: C7 44 24 20 00 00 mov dword ptr [rsp+20h],0
- 00 00
- 0000000000000CB5: 44 8B 44 24 68 mov r8d,dword ptr [rsp+68h]
- 0000000000000CBA: 48 8B 54 24 60 mov rdx,qword ptr [rsp+60h]
- 0000000000000CBF: 48 8D 4C 24 30 lea rcx,[rsp+30h]
- 0000000000000CC4: FF 15 00 00 00 00 call qword ptr [__imp_BeaconDataParse]
- 0000000000000CCA: 33 D2 xor edx,edx
- 0000000000000CCC: 48 8D 4C 24 30 lea rcx,[rsp+30h]
- 0000000000000CD1: FF 15 00 00 00 00 call qword ptr [__imp_BeaconDataExtract]
- 0000000000000CD7: 48 89 44 24 28 mov qword ptr [rsp+28h],rax
- 0000000000000CDC: 48 8D 15 00 00 00 lea rdx,[$SG105304]
- 00
- 0000000000000CE3: 48 8B 4C 24 28 mov rcx,qword ptr [rsp+28h]
- 0000000000000CE8: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$strcmp]
- 0000000000000CEE: 85 C0 test eax,eax
- 0000000000000CF0: 75 3E jne 0000000000000D30
- 0000000000000CF2: E8 00 00 00 00 call FindSysmon
- 0000000000000CF7: 89 44 24 20 mov dword ptr [rsp+20h],eax
- 0000000000000CFB: 83 7C 24 20 00 cmp dword ptr [rsp+20h],0
- 0000000000000D00: 75 18 jne 0000000000000D1A
- 0000000000000D02: 48 8D 15 00 00 00 lea rdx,[$SG105307]
- 00
- 0000000000000D09: 33 C9 xor ecx,ecx
- 0000000000000D0B: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 0000000000000D11: 33 C0 xor eax,eax
- 0000000000000D13: E9 80 00 00 00 jmp 0000000000000D98
- 0000000000000D18: EB 14 jmp 0000000000000D2E
- 0000000000000D1A: E8 00 00 00 00 call BeaconOutputStreamW
- 0000000000000D1F: 48 8D 15 00 00 00 lea rdx,[$SG105308]
- 00
- 0000000000000D26: 33 C9 xor ecx,ecx
- 0000000000000D28: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 0000000000000D2E: EB 66 jmp 0000000000000D96
- 0000000000000D30: 48 8D 15 00 00 00 lea rdx,[$SG105311]
- 00
- 0000000000000D37: 48 8B 4C 24 28 mov rcx,qword ptr [rsp+28h]
- 0000000000000D3C: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$strcmp]
- 0000000000000D42: 85 C0 test eax,eax
- 0000000000000D44: 75 3E jne 0000000000000D84
- 0000000000000D46: E8 00 00 00 00 call FindMiniFilters
- 0000000000000D4B: 89 44 24 20 mov dword ptr [rsp+20h],eax
- 0000000000000D4F: 83 7C 24 20 00 cmp dword ptr [rsp+20h],0
- 0000000000000D54: 75 18 jne 0000000000000D6E
- 0000000000000D56: 48 8D 15 00 00 00 lea rdx,[$SG105314]
- 00
- 0000000000000D5D: B9 0D 00 00 00 mov ecx,0Dh
- 0000000000000D62: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 0000000000000D68: 33 C0 xor eax,eax
- 0000000000000D6A: EB 2C jmp 0000000000000D98
- 0000000000000D6C: EB 14 jmp 0000000000000D82
- 0000000000000D6E: E8 00 00 00 00 call BeaconOutputStreamW
- 0000000000000D73: 48 8D 15 00 00 00 lea rdx,[$SG105315]
- 00
- 0000000000000D7A: 33 C9 xor ecx,ecx
- 0000000000000D7C: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 0000000000000D82: EB 12 jmp 0000000000000D96
- 0000000000000D84: 48 8D 15 00 00 00 lea rdx,[$SG105316]
- 00
- 0000000000000D8B: B9 0D 00 00 00 mov ecx,0Dh
- 0000000000000D90: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 0000000000000D96: 33 C0 xor eax,eax
- 0000000000000D98: 48 83 C4 58 add rsp,58h
- 0000000000000D9C: C3 ret
- Summary
- 38 .chks64
- 5DA .data
- 84 .debug$S
- DA .drectve
- 54 .pdata
- D9D .text$mn
- 3C .xdata
|
