| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438 |
- Microsoft (R) COFF/PE Dumper Version 14.29.30148.0
- Copyright (C) Microsoft Corporation. All rights reserved.
- Dump of file finddotnet.o
- File Type: COFF OBJECT
- BeaconPrintToStreamW:
- 0000000000000000: 48 89 4C 24 08 mov qword ptr [rsp+8],rcx
- 0000000000000005: 48 89 54 24 10 mov qword ptr [rsp+10h],rdx
- 000000000000000A: 4C 89 44 24 18 mov qword ptr [rsp+18h],r8
- 000000000000000F: 4C 89 4C 24 20 mov qword ptr [rsp+20h],r9
- 0000000000000014: 48 83 EC 58 sub rsp,58h
- 0000000000000018: C7 44 24 30 01 00 mov dword ptr [rsp+30h],1
- 00 00
- 0000000000000020: C7 44 24 34 00 00 mov dword ptr [rsp+34h],0
- 00 00
- 0000000000000028: 48 83 3D 00 00 00 cmp qword ptr [g_lpStream],1
- 00 01
- 0000000000000030: 77 28 ja 000000000000005A
- 0000000000000032: 4C 8D 05 00 00 00 lea r8,[g_lpStream]
- 00
- 0000000000000039: BA 01 00 00 00 mov edx,1
- 000000000000003E: 33 C9 xor ecx,ecx
- 0000000000000040: FF 15 00 00 00 00 call qword ptr [__imp_OLE32$CreateStreamOnHGlobal]
- 0000000000000046: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 000000000000004A: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
- 000000000000004F: 7D 09 jge 000000000000005A
- 0000000000000051: 8B 44 24 30 mov eax,dword ptr [rsp+30h]
- 0000000000000055: E9 01 01 00 00 jmp 000000000000015B
- 000000000000005A: 48 83 3D 00 00 00 cmp qword ptr [g_lpwPrintBuffer],1
- 00 01
- 0000000000000062: 77 2E ja 0000000000000092
- 0000000000000064: BA 02 00 00 00 mov edx,2
- 0000000000000069: B9 00 20 00 00 mov ecx,2000h
- 000000000000006E: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$calloc]
- 0000000000000074: 48 89 05 00 00 00 mov qword ptr [g_lpwPrintBuffer],rax
- 00
- 000000000000007B: 48 83 3D 00 00 00 cmp qword ptr [g_lpwPrintBuffer],0
- 00 00
- 0000000000000083: 75 0D jne 0000000000000092
- 0000000000000085: C7 44 24 30 05 40 mov dword ptr [rsp+30h],80004005h
- 00 80
- 000000000000008D: E9 9D 00 00 00 jmp 000000000000012F
- 0000000000000092: 48 8D 44 24 68 lea rax,[rsp+68h]
- 0000000000000097: 48 89 44 24 38 mov qword ptr [rsp+38h],rax
- 000000000000009C: 48 8B 44 24 38 mov rax,qword ptr [rsp+38h]
- 00000000000000A1: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
- 00000000000000A6: 4C 8B 4C 24 60 mov r9,qword ptr [rsp+60h]
- 00000000000000AB: 41 B8 FF 1F 00 00 mov r8d,1FFFh
- 00000000000000B1: BA 00 20 00 00 mov edx,2000h
- 00000000000000B6: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpwPrintBuffer]
- 00
- 00000000000000BD: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$_vsnwprintf_s]
- 00000000000000C3: 85 C0 test eax,eax
- 00000000000000C5: 75 0A jne 00000000000000D1
- 00000000000000C7: C7 44 24 30 05 40 mov dword ptr [rsp+30h],80004005h
- 00 80
- 00000000000000CF: EB 5E jmp 000000000000012F
- 00000000000000D1: 48 83 3D 00 00 00 cmp qword ptr [g_lpStream],0
- 00 00
- 00000000000000D9: 74 4C je 0000000000000127
- 00000000000000DB: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpwPrintBuffer]
- 00
- 00000000000000E2: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$wcslen]
- 00000000000000E8: 8B C0 mov eax,eax
- 00000000000000EA: 48 D1 E0 shl rax,1
- 00000000000000ED: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
- 00
- 00000000000000F4: 48 8B 09 mov rcx,qword ptr [rcx]
- 00000000000000F7: 48 89 4C 24 40 mov qword ptr [rsp+40h],rcx
- 00000000000000FC: 4C 8D 4C 24 34 lea r9,[rsp+34h]
- 0000000000000101: 44 8B C0 mov r8d,eax
- 0000000000000104: 48 8B 15 00 00 00 mov rdx,qword ptr [g_lpwPrintBuffer]
- 00
- 000000000000010B: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
- 00
- 0000000000000112: 48 8B 44 24 40 mov rax,qword ptr [rsp+40h]
- 0000000000000117: FF 50 20 call qword ptr [rax+20h]
- 000000000000011A: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 000000000000011E: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
- 0000000000000123: 7D 02 jge 0000000000000127
- 0000000000000125: EB 08 jmp 000000000000012F
- 0000000000000127: C7 44 24 30 00 00 mov dword ptr [rsp+30h],0
- 00 00
- 000000000000012F: 48 83 3D 00 00 00 cmp qword ptr [g_lpwPrintBuffer],0
- 00 00
- 0000000000000137: 74 15 je 000000000000014E
- 0000000000000139: 41 B8 00 40 00 00 mov r8d,4000h
- 000000000000013F: 33 D2 xor edx,edx
- 0000000000000141: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpwPrintBuffer]
- 00
- 0000000000000148: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memset]
- 000000000000014E: 48 C7 44 24 38 00 mov qword ptr [rsp+38h],0
- 00 00 00
- 0000000000000157: 8B 44 24 30 mov eax,dword ptr [rsp+30h]
- 000000000000015B: 48 83 C4 58 add rsp,58h
- 000000000000015F: C3 ret
- 0000000000000160: CC int 3
- 0000000000000161: CC int 3
- 0000000000000162: CC int 3
- 0000000000000163: CC int 3
- 0000000000000164: CC int 3
- 0000000000000165: CC int 3
- 0000000000000166: CC int 3
- 0000000000000167: CC int 3
- 0000000000000168: CC int 3
- 0000000000000169: CC int 3
- 000000000000016A: CC int 3
- 000000000000016B: CC int 3
- 000000000000016C: CC int 3
- 000000000000016D: CC int 3
- 000000000000016E: CC int 3
- 000000000000016F: CC int 3
- BeaconOutputStreamW:
- 0000000000000170: 40 57 push rdi
- 0000000000000172: 48 81 EC A0 00 00 sub rsp,0A0h
- 00
- 0000000000000179: 48 8D 44 24 50 lea rax,[rsp+50h]
- 000000000000017E: 48 8B F8 mov rdi,rax
- 0000000000000181: 33 C0 xor eax,eax
- 0000000000000183: B9 50 00 00 00 mov ecx,50h
- 0000000000000188: F3 AA rep stos byte ptr [rdi]
- 000000000000018A: 48 C7 44 24 30 00 mov qword ptr [rsp+30h],0
- 00 00 00
- 0000000000000193: C7 44 24 28 00 00 mov dword ptr [rsp+28h],0
- 00 00
- 000000000000019B: 48 C7 44 24 20 00 mov qword ptr [rsp+20h],0
- 00 00 00
- 00000000000001A4: 48 8B 05 00 00 00 mov rax,qword ptr [g_lpStream]
- 00
- 00000000000001AB: 48 8B 00 mov rax,qword ptr [rax]
- 00000000000001AE: 41 B8 01 00 00 00 mov r8d,1
- 00000000000001B4: 48 8D 54 24 50 lea rdx,[rsp+50h]
- 00000000000001B9: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
- 00
- 00000000000001C0: FF 50 60 call qword ptr [rax+60h]
- 00000000000001C3: 85 C0 test eax,eax
- 00000000000001C5: 7D 05 jge 00000000000001CC
- 00000000000001C7: E9 13 01 00 00 jmp 00000000000002DF
- 00000000000001CC: 8B 44 24 60 mov eax,dword ptr [rsp+60h]
- 00000000000001D0: 48 89 44 24 30 mov qword ptr [rsp+30h],rax
- 00000000000001D5: 48 8B 44 24 30 mov rax,qword ptr [rsp+30h]
- 00000000000001DA: 48 FF C0 inc rax
- 00000000000001DD: 48 89 44 24 38 mov qword ptr [rsp+38h],rax
- 00000000000001E2: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 00000000000001E8: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
- 00000000000001ED: 4C 8B C1 mov r8,rcx
- 00000000000001F0: BA 08 00 00 00 mov edx,8
- 00000000000001F5: 48 8B C8 mov rcx,rax
- 00000000000001F8: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapAlloc]
- 00000000000001FE: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
- 0000000000000203: 48 83 7C 24 20 00 cmp qword ptr [rsp+20h],0
- 0000000000000209: 74 6B je 0000000000000276
- 000000000000020B: 48 C7 44 24 40 00 mov qword ptr [rsp+40h],0
- 00 00 00
- 0000000000000214: 48 8B 05 00 00 00 mov rax,qword ptr [g_lpStream]
- 00
- 000000000000021B: 48 8B 00 mov rax,qword ptr [rax]
- 000000000000021E: 45 33 C9 xor r9d,r9d
- 0000000000000221: 45 33 C0 xor r8d,r8d
- 0000000000000224: 48 8B 54 24 40 mov rdx,qword ptr [rsp+40h]
- 0000000000000229: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
- 00
- 0000000000000230: FF 50 28 call qword ptr [rax+28h]
- 0000000000000233: 85 C0 test eax,eax
- 0000000000000235: 7D 02 jge 0000000000000239
- 0000000000000237: EB 3D jmp 0000000000000276
- 0000000000000239: 48 8B 05 00 00 00 mov rax,qword ptr [g_lpStream]
- 00
- 0000000000000240: 48 8B 00 mov rax,qword ptr [rax]
- 0000000000000243: 4C 8D 4C 24 28 lea r9,[rsp+28h]
- 0000000000000248: 44 8B 44 24 30 mov r8d,dword ptr [rsp+30h]
- 000000000000024D: 48 8B 54 24 20 mov rdx,qword ptr [rsp+20h]
- 0000000000000252: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
- 00
- 0000000000000259: FF 50 18 call qword ptr [rax+18h]
- 000000000000025C: 85 C0 test eax,eax
- 000000000000025E: 7D 02 jge 0000000000000262
- 0000000000000260: EB 14 jmp 0000000000000276
- 0000000000000262: 4C 8B 44 24 20 mov r8,qword ptr [rsp+20h]
- 0000000000000267: 48 8D 15 00 00 00 lea rdx,[$SG105371]
- 00
- 000000000000026E: 33 C9 xor ecx,ecx
- 0000000000000270: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 0000000000000276: 48 83 3D 00 00 00 cmp qword ptr [g_lpStream],0
- 00 00
- 000000000000027E: 74 1F je 000000000000029F
- 0000000000000280: 48 8B 05 00 00 00 mov rax,qword ptr [g_lpStream]
- 00
- 0000000000000287: 48 8B 00 mov rax,qword ptr [rax]
- 000000000000028A: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
- 00
- 0000000000000291: FF 50 10 call qword ptr [rax+10h]
- 0000000000000294: 48 C7 05 00 00 00 mov qword ptr [g_lpStream],0
- 00 00 00 00 00
- 000000000000029F: 48 83 3D 00 00 00 cmp qword ptr [g_lpwPrintBuffer],0
- 00 00
- 00000000000002A7: 74 18 je 00000000000002C1
- 00000000000002A9: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpwPrintBuffer]
- 00
- 00000000000002B0: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$free]
- 00000000000002B6: 48 C7 05 00 00 00 mov qword ptr [g_lpwPrintBuffer],0
- 00 00 00 00 00
- 00000000000002C1: 48 83 7C 24 20 00 cmp qword ptr [rsp+20h],0
- 00000000000002C7: 74 16 je 00000000000002DF
- 00000000000002C9: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 00000000000002CF: 4C 8B 44 24 20 mov r8,qword ptr [rsp+20h]
- 00000000000002D4: 33 D2 xor edx,edx
- 00000000000002D6: 48 8B C8 mov rcx,rax
- 00000000000002D9: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapFree]
- 00000000000002DF: 48 81 C4 A0 00 00 add rsp,0A0h
- 00
- 00000000000002E6: 5F pop rdi
- 00000000000002E7: C3 ret
- 00000000000002E8: CC int 3
- 00000000000002E9: CC int 3
- 00000000000002EA: CC int 3
- 00000000000002EB: CC int 3
- 00000000000002EC: CC int 3
- 00000000000002ED: CC int 3
- 00000000000002EE: CC int 3
- 00000000000002EF: CC int 3
- FindDotNet:
- 00000000000002F0: 40 56 push rsi
- 00000000000002F2: 57 push rdi
- 00000000000002F3: 48 81 EC 68 04 00 sub rsp,468h
- 00
- 00000000000002FA: C7 44 24 70 00 00 mov dword ptr [rsp+70h],0
- 00 00
- 0000000000000302: C7 44 24 30 00 00 mov dword ptr [rsp+30h],0
- 00 00
- 000000000000030A: 48 C7 44 24 38 00 mov qword ptr [rsp+38h],0
- 00 00 00
- 0000000000000313: 48 8D 44 24 40 lea rax,[rsp+40h]
- 0000000000000318: 48 8B F8 mov rdi,rax
- 000000000000031B: 33 C0 xor eax,eax
- 000000000000031D: B9 10 00 00 00 mov ecx,10h
- 0000000000000322: F3 AA rep stos byte ptr [rdi]
- 0000000000000324: C7 44 24 34 00 00 mov dword ptr [rsp+34h],0
- 00 00
- 000000000000032C: 48 8D 0D 00 00 00 lea rcx,[$SG105407]
- 00
- 0000000000000333: FF 15 00 00 00 00 call qword ptr [__imp_GetModuleHandleA]
- 0000000000000339: 48 8D 15 00 00 00 lea rdx,[$SG105406]
- 00
- 0000000000000340: 48 8B C8 mov rcx,rax
- 0000000000000343: FF 15 00 00 00 00 call qword ptr [__imp_GetProcAddress]
- 0000000000000349: 48 89 44 24 58 mov qword ptr [rsp+58h],rax
- 000000000000034E: 48 8D 0D 00 00 00 lea rcx,[$SG105409]
- 00
- 0000000000000355: FF 15 00 00 00 00 call qword ptr [__imp_GetModuleHandleA]
- 000000000000035B: 48 8D 15 00 00 00 lea rdx,[$SG105408]
- 00
- 0000000000000362: 48 8B C8 mov rcx,rax
- 0000000000000365: FF 15 00 00 00 00 call qword ptr [__imp_GetProcAddress]
- 000000000000036B: 48 89 44 24 60 mov qword ptr [rsp+60h],rax
- 0000000000000370: 48 83 7C 24 58 00 cmp qword ptr [rsp+58h],0
- 0000000000000376: 74 08 je 0000000000000380
- 0000000000000378: 48 83 7C 24 60 00 cmp qword ptr [rsp+60h],0
- 000000000000037E: 75 1C jne 000000000000039C
- 0000000000000380: 48 8D 15 00 00 00 lea rdx,[$SG105412]
- 00
- 0000000000000387: B9 0D 00 00 00 mov ecx,0Dh
- 000000000000038C: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 0000000000000392: B8 FF FF FF FF mov eax,0FFFFFFFFh
- 0000000000000397: E9 17 02 00 00 jmp 00000000000005B3
- 000000000000039C: 48 8D 84 24 B0 00 lea rax,[rsp+0B0h]
- 00 00
- 00000000000003A4: 48 8D 0D 00 00 00 lea rcx,[$SG105413]
- 00
- 00000000000003AB: 48 8B F8 mov rdi,rax
- 00000000000003AE: 48 8B F1 mov rsi,rcx
- 00000000000003B1: B9 56 00 00 00 mov ecx,56h
- 00000000000003B6: F3 A4 rep movs byte ptr [rdi],byte ptr [rsi]
- 00000000000003B8: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 00000000000003BE: 41 B8 F4 01 00 00 mov r8d,1F4h
- 00000000000003C4: BA 08 00 00 00 mov edx,8
- 00000000000003C9: 48 8B C8 mov rcx,rax
- 00000000000003CC: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapAlloc]
- 00000000000003D2: 48 89 44 24 48 mov qword ptr [rsp+48h],rax
- 00000000000003D7: 48 8D 0D 00 00 00 lea rcx,[$SG105414]
- 00
- 00000000000003DE: E8 00 00 00 00 call BeaconPrintToStreamW
- 00000000000003E3: 48 8D 0D 00 00 00 lea rcx,[$SG105415]
- 00
- 00000000000003EA: E8 00 00 00 00 call BeaconPrintToStreamW
- 00000000000003EF: 48 8D 44 24 38 lea rax,[rsp+38h]
- 00000000000003F4: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
- 00000000000003F9: 45 33 C9 xor r9d,r9d
- 00000000000003FC: 45 33 C0 xor r8d,r8d
- 00000000000003FF: BA 00 00 00 02 mov edx,2000000h
- 0000000000000404: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
- 0000000000000409: FF 54 24 58 call qword ptr [rsp+58h]
- 000000000000040D: 85 C0 test eax,eax
- 000000000000040F: 0F 85 9A 01 00 00 jne 00000000000005AF
- 0000000000000415: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
- 000000000000041A: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessId]
- 0000000000000420: 89 44 24 30 mov dword ptr [rsp+30h],eax
- 0000000000000424: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
- 0000000000000429: 75 02 jne 000000000000042D
- 000000000000042B: EB C2 jmp 00000000000003EF
- 000000000000042D: 44 8B 44 24 30 mov r8d,dword ptr [rsp+30h]
- 0000000000000432: 48 8D 15 00 00 00 lea rdx,[$SG105417]
- 00
- 0000000000000439: 48 8D 8C 24 10 01 lea rcx,[rsp+110h]
- 00 00
- 0000000000000441: FF 15 00 00 00 00 call qword ptr [__imp_USER32$wsprintfW]
- 0000000000000447: 41 B8 F4 01 00 00 mov r8d,1F4h
- 000000000000044D: 33 D2 xor edx,edx
- 000000000000044F: 48 8B 4C 24 48 mov rcx,qword ptr [rsp+48h]
- 0000000000000454: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memset]
- 000000000000045A: 48 8D 8C 24 B0 00 lea rcx,[rsp+0B0h]
- 00 00
- 0000000000000462: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$wcslen]
- 0000000000000468: 48 D1 E0 shl rax,1
- 000000000000046B: 4C 8B C0 mov r8,rax
- 000000000000046E: 48 8D 94 24 B0 00 lea rdx,[rsp+0B0h]
- 00 00
- 0000000000000476: 48 8B 4C 24 48 mov rcx,qword ptr [rsp+48h]
- 000000000000047B: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memcpy]
- 0000000000000481: 48 8D 94 24 10 01 lea rdx,[rsp+110h]
- 00 00
- 0000000000000489: 48 8B 4C 24 48 mov rcx,qword ptr [rsp+48h]
- 000000000000048E: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$lstrcatW]
- 0000000000000494: 48 8B 4C 24 48 mov rcx,qword ptr [rsp+48h]
- 0000000000000499: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$wcslen]
- 000000000000049F: 48 D1 E0 shl rax,1
- 00000000000004A2: 66 89 44 24 40 mov word ptr [rsp+40h],ax
- 00000000000004A7: 0F B7 44 24 40 movzx eax,word ptr [rsp+40h]
- 00000000000004AC: FF C0 inc eax
- 00000000000004AE: 66 89 44 24 42 mov word ptr [rsp+42h],ax
- 00000000000004B3: C7 84 24 80 00 00 mov dword ptr [rsp+80h],30h
- 00 30 00 00 00
- 00000000000004BE: 48 C7 84 24 88 00 mov qword ptr [rsp+88h],0
- 00 00 00 00 00 00
- 00000000000004CA: C7 84 24 98 00 00 mov dword ptr [rsp+98h],40h
- 00 40 00 00 00
- 00000000000004D5: 48 8D 44 24 40 lea rax,[rsp+40h]
- 00000000000004DA: 48 89 84 24 90 00 mov qword ptr [rsp+90h],rax
- 00 00
- 00000000000004E2: 48 C7 84 24 A0 00 mov qword ptr [rsp+0A0h],0
- 00 00 00 00 00 00
- 00000000000004EE: 48 C7 84 24 A8 00 mov qword ptr [rsp+0A8h],0
- 00 00 00 00 00 00
- 00000000000004FA: 48 C7 44 24 68 00 mov qword ptr [rsp+68h],0
- 00 00 00
- 0000000000000503: 4C 8D 84 24 80 00 lea r8,[rsp+80h]
- 00 00
- 000000000000050B: BA 01 00 00 00 mov edx,1
- 0000000000000510: 48 8D 4C 24 68 lea rcx,[rsp+68h]
- 0000000000000515: FF 54 24 60 call qword ptr [rsp+60h]
- 0000000000000519: 89 44 24 50 mov dword ptr [rsp+50h],eax
- 000000000000051D: 83 7C 24 50 00 cmp dword ptr [rsp+50h],0
- 0000000000000522: 0F 8C 82 00 00 00 jl 00000000000005AA
- 0000000000000528: 48 8B 4C 24 68 mov rcx,qword ptr [rsp+68h]
- 000000000000052D: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$CloseHandle]
- 0000000000000533: 41 B8 04 01 00 00 mov r8d,104h
- 0000000000000539: 48 8D 94 24 50 01 lea rdx,[rsp+150h]
- 00 00
- 0000000000000541: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
- 0000000000000546: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$K32GetProcessImageFileNameA]
- 000000000000054C: 48 8D 8C 24 50 01 lea rcx,[rsp+150h]
- 00 00
- 0000000000000554: FF 15 00 00 00 00 call qword ptr [__imp_SHLWAPI$PathFindFileNameA]
- 000000000000055A: 48 89 44 24 78 mov qword ptr [rsp+78h],rax
- 000000000000055F: C7 44 24 28 00 01 mov dword ptr [rsp+28h],100h
- 00 00
- 0000000000000567: 48 8D 84 24 60 02 lea rax,[rsp+260h]
- 00 00
- 000000000000056F: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
- 0000000000000574: 41 B9 FF FF FF FF mov r9d,0FFFFFFFFh
- 000000000000057A: 4C 8B 44 24 78 mov r8,qword ptr [rsp+78h]
- 000000000000057F: 33 D2 xor edx,edx
- 0000000000000581: 33 C9 xor ecx,ecx
- 0000000000000583: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$MultiByteToWideChar]
- 0000000000000589: 44 8B 44 24 30 mov r8d,dword ptr [rsp+30h]
- 000000000000058E: 48 8D 94 24 60 02 lea rdx,[rsp+260h]
- 00 00
- 0000000000000596: 48 8D 0D 00 00 00 lea rcx,[$SG105419]
- 00
- 000000000000059D: E8 00 00 00 00 call BeaconPrintToStreamW
- 00000000000005A2: C7 44 24 34 01 00 mov dword ptr [rsp+34h],1
- 00 00
- 00000000000005AA: E9 40 FE FF FF jmp 00000000000003EF
- 00000000000005AF: 8B 44 24 34 mov eax,dword ptr [rsp+34h]
- 00000000000005B3: 48 81 C4 68 04 00 add rsp,468h
- 00
- 00000000000005BA: 5F pop rdi
- 00000000000005BB: 5E pop rsi
- 00000000000005BC: C3 ret
- 00000000000005BD: CC int 3
- 00000000000005BE: CC int 3
- 00000000000005BF: CC int 3
- 00000000000005C0: CC int 3
- 00000000000005C1: CC int 3
- 00000000000005C2: CC int 3
- 00000000000005C3: CC int 3
- 00000000000005C4: CC int 3
- 00000000000005C5: CC int 3
- 00000000000005C6: CC int 3
- 00000000000005C7: CC int 3
- 00000000000005C8: CC int 3
- 00000000000005C9: CC int 3
- 00000000000005CA: CC int 3
- 00000000000005CB: CC int 3
- 00000000000005CC: CC int 3
- 00000000000005CD: CC int 3
- 00000000000005CE: CC int 3
- 00000000000005CF: CC int 3
- go:
- 00000000000005D0: 48 83 EC 38 sub rsp,38h
- 00000000000005D4: C7 44 24 20 00 00 mov dword ptr [rsp+20h],0
- 00 00
- 00000000000005DC: E8 00 00 00 00 call FindDotNet
- 00000000000005E1: 89 44 24 20 mov dword ptr [rsp+20h],eax
- 00000000000005E5: 83 7C 24 20 00 cmp dword ptr [rsp+20h],0
- 00000000000005EA: 75 14 jne 0000000000000600
- 00000000000005EC: 48 8D 15 00 00 00 lea rdx,[$SG105427]
- 00
- 00000000000005F3: B9 0D 00 00 00 mov ecx,0Dh
- 00000000000005F8: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 00000000000005FE: EB 05 jmp 0000000000000605
- 0000000000000600: E8 00 00 00 00 call BeaconOutputStreamW
- 0000000000000605: 33 C0 xor eax,eax
- 0000000000000607: 48 83 C4 38 add rsp,38h
- 000000000000060B: C3 ret
- Summary
- 38 .chks64
- 1DE .data
- 94 .debug$S
- A8 .drectve
- 30 .pdata
- 60C .text$mn
- 28 .xdata
|
