
#MalwareMustDie! Debugging a Ransomware

MalwareMustDie Sep 8th, 2014 (edited) 476 Never
  1. #MalwareMustDie!  Debugging Ransomware
  2. // hash: 8028ee3776ac68bb5789575e5a904465
  3. // Locking timer Forensics.
  4. // Env: WinVista | @unixfreaxjp - 20:53 Mon Sep  8 20:53:33 JST 2014
  5.  
  6. 1. Window created  
  7.  
  8.    Window Name: +vgC>=_~!s_b0$>-TG)wIrh&8T*)Yg+t*5)Qwl%
  9.    7zD{DVL3gRfDq~=(I(fNe}3{lSxJ[zD=mTN*}s^oj1%aOXo-6tKfE~64
  10.    }T>B3lH+xdLOsOjLNUV&Porz[8s>m~[D6L_d<[7I[C#GP-3BZ_S]9TgV
  11.    Siqr$_Z]gUEJ<~#%Lu(9[@Ix*(n_afsP^Q=k_AR5BgTeC *tfl%FT-e<
  12.    ()HaZz^3&MEXw=l5xxNWAgW~*7wgPbZtOo3QJ]XI[ZCiZG<p Class N
  13.    ame: +vgC>=_~!s_b0$>-TG)wIrh&8T*)Yg+t*5)Qwl%7zD{DVL3
  14.    gRfDq~=(I(fNe}3{lSxJ[zD=mTN*}s^oj1%aOXo-6tKfE~64}T>B3lH+
  15.    xdLOsOjLNUV&Porz[8s>m~[D6L_d<[7I[C#GP-3BZ_S]9TgVSiqr$_Z]
  16.    gUEJ<~#%Lu(9[@Ix*(n_afsP^Q=k_AR5BgTeC *tfl%FT-e<()HaZz^3
  17.    &MEXw=l5xxNWAgW~*7wgPbZtOo3QJ]XI[ZCiZG<p
  18.    HWND: 50116
  19.  
  20. 2. Input blocked On or Off: true | Mem Dmp Addr: 0x0403105   NtUserBlockInput
  21.  
  22. 3. Malicious activity Calls (Memory Dump)
  23.  
  24.     KillTimer.USER32 ref: 0x402EC3
  25.     PostQuitMessage.USER32(00000000) ref: 0x402EDB
  26.     DefWindowProcW.USER32 ref: 0x402EED
  27.         Part of subcall function 0x40223C: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,000F013F,00000000,00000000) ref: 0x40226E
  28.         Part of subcall function 0x40223C: RegSetValueExW.ADVAPI32(00000000,00000004,00000004) ref: 0x4022A5
  29.         Part of subcall function 0x40223C: RegSetValueExW.ADVAPI32(00000000,00000004,00000004) ref: 0x4022CA
  30.         Part of subcall function 0x40223C: RegFlushKey.ADVAPI32 ref: 0x4022CF
  31.         Part of subcall function 0x40223C: RegCloseKey.ADVAPI32 ref: 0x4022D8
  32.     SetTimer.USER32(00000002,00000001,00000000) ref: 0x402F0F
  33.         Part of subcall function 0x40532D: IsBadWritePtr.KERNEL32(00000000,00000000) ref: 0x405344
  34.     SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,0x410AA8) ref: 0x402F3A
  35.     lstrcatW.KERNEL32(0x410AA8) ref: 0x402F57
  36.         Part of subcall function 0x405B82: inet_addr.WSOCK32(0x410AA8,0x402FBA) ref: 0x405B87
  37.         Part of subcall function 0x405B82: gethostbyname.WSOCK32 ref: 0x405B98
  38.         Part of subcall function 0x402B25: memset.NTDLL(00000000) ref: 0x402B4C
  39.         Part of subcall function 0x402B25: GetVersionExW.KERNEL32 ref: 0x402B65
  40.         Part of subcall function 0x402B25: GlobalMemoryStatusEx.KERNEL32 ref: 0x402B7D
  41.         Part of subcall function 0x402B25: GetSystemInfo.KERNEL32 ref: 0x402B87
  42.         Part of subcall function 0x402B25: GetCurrentProcess.KERNEL32 ref: 0x402BB8
  43.         Part of subcall function 0x4053FE: PathSkipRootW.SHLWAPI ref: 0x40541D
  44.         Part of subcall function 0x4053FE: GetFileAttributesW.KERNEL32 ref: 0x405445
  45.         Part of subcall function 0x4053FE: CreateDirectoryW.KERNEL32(00000000) ref: 0x405453
  46.         Part of subcall function 0x405EBA: lstrcpynA.KERNEL32(00000032,0x410AA8,00000000) ref: 0x405F14
  47.     GetModuleHandleW.KERNEL32 ref: 0x403022
  48.     GetModuleFileNameW.KERNEL32(00000104) ref: 0x403029
  49.     GetFileAttributesW.KERNEL32(0x410AA8) ref: 0x403030
  50.     SetFileAttributesW.KERNEL32(0x410AA8) ref: 0x40303B
  51.         Part of subcall function 0x404A47: CreateFileW.KERNEL32(80000000,00000001,00000000,00000003,02000000,00000000) ref: 0x404A99
  52.         Part of subcall function 0x404A47: GetFileTime.KERNEL32(0x401E0B) ref: 0x404AAF
  53.         Part of subcall function 0x404A47: CreateFileW.KERNEL32(00000100,00000000,00000000,00000003,02000000,00000000) ref: 0x404ACA
  54.         Part of subcall function 0x404A47: SetFileTime.KERNEL32(0x401E0B) ref: 0x404AE0
  55.     memset.NTDLL(00000000) ref: 0x403069
  56.     CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,01000000,00000000,00000000) ref: 0x4030C6
  57.     BlockInput.USER32(00000001) ref: 0x4030FF
  58.     ShowWindow.USER32(00000005) ref: 0x40310A
  59.     BeginPaint.USER32 ref: 0x40311D
  60.     GetClientRect.USER32 ref: 0x403135
  61.     FillRect.USER32(00000006) ref: 0x403143
  62.     SetBkMode.GDI32(00000001) ref: 0x40314C
  63.     lstrlenW.KERNEL32 ref: 0x403188
  64.     DrawTextW.USER32 ref: 0x403194
  65.         Part of subcall function 0x40A2EF: GetLastError.KERNEL32(0x403C58) ref: 0x40A2FA
  66.         Part of subcall function 0x40A2EF: HeapFree.KERNEL32(00000000,0x403C58) ref: 0x40A32B
  67.         Part of subcall function 0x40A2EF: SetLastError.KERNEL32(0x403C58) ref: 0x40A332
  68.         Part of subcall function 0x40349C: GetHandleInformation.KERNEL32(00000000) ref: 0x4034B2
  69.         Part of subcall function 0x40349C: CloseHandle.KERNEL32 ref: 0x4034C3
  70.     EndPage.GDI32 ref: 0x4031A5
  71.         Part of subcall function 0x403763: GetCurrentProcessId.KERNEL32 ref: 0x40378D
  72.         Part of subcall function 0x403763: GetCurrentProcessId.KERNEL32 ref: 0x4037A8
  73.     lstrlenW.KERNEL32 ref: 0x4031D8
  74.         Part of subcall function 0x4013F2: SetErrorMode.KERNEL32(00008000) ref: 0x401400
  75.         Part of subcall function 0x4013F2: GetSystemWindowsDirectoryW.KERNEL32(00000104) ref: 0x401412
  76.         Part of subcall function 0x4013F2: lstrcatW.KERNEL32 ref: 0x40143F
  77.     SetTimer.USER32(00000001,00000000) ref: 0x403207
  78.  
  79. 4. Malicious Activity Disassembly (Memory Dump) — window procedure at 0x402E8C: the message id in [ebp+0Ch] is reduced by the successive dec/sub steps to select a handler (1 = WM_CREATE -> 0x4031B0, 2 = WM_DESTROY, 0xF = WM_PAINT -> 0x403115, 0x10 = WM_CLOSE, 0x113 = WM_TIMER -> KillTimer, then dispatch on the timer id in [ebp+10h])
  80.  
  81. 0x402E8C   push ebp  
  82. 0x402E8D   mov ebp, esp  
  83. 0x402E8F   and esp, FFFFFFF8h  
  84. 0x402E92   mov eax, dword ptr [ebp+0Ch]  
  85. 0x402E95   sub esp, 00000274h  
  86. 0x402E9B   push ebx  
  87. 0x402E9C   push esi  
  88. 0x402E9D   xor ebx, ebx  
  89. 0x402E9F   dec eax  
  90. 0x402EA0   push edi  
  91. 0x402EA1   je 0x4031B0h   target: 0x4031B0
  92. 0x402EA7   dec eax  
  93. 0x402EA8   je 0x402EF5h   target: 0x402EF5
  94. 0x402EAA   sub eax, 0Dh  
  95. 0x402EAD   je 0x403115h   target: 0x403115
  96. 0x402EB3   dec eax  
  97. 0x402EB4   je 0x402EF5h   target: 0x402EF5
  98. 0x402EB6   sub eax, 00000103h  
  99. 0x402EBB   jne 0x402EE1h   target: 0x402EE1
  100. 0x402EBD   push dword ptr [ebp+10h]  
  101. 0x402EC0   push dword ptr [ebp+08h]  
  102. 0x402EC3   call dword ptr [0x40D200h]   KillTimer@USER32.DLL (Import, 2 Params)
  103. 0x402EC9   mov eax, dword ptr [ebp+10h]  
  104. 0x402ECC   sub eax, ebx   xref: 0x40308B
  105. 0x402ECE   je 0x4030FDh   target: 0x4030FD
  106. 0x402ED4   dec eax  
  107. 0x402ED5   je 0x402F00h   target: 0x402F00
  108. 0x402ED7   dec eax  
  109. 0x402ED8   jne 0x402EE1h   target: 0x402EE1
  110. 0x402EDA   push ebx  
  111. 0x402EDB   call dword ptr [0x40D22Ch]   PostQuitMessage@USER32.DLL (Import, 1 Params)
  112. 0x402EE1   push dword ptr [ebp+14h]   xref: 0x403127 0x4031AB 0x402EBB 0x403110 0x402F1C 0x402FF6 0x4030F8 0x402F80 0x402ED8
  113. 0x402EE4   push dword ptr [ebp+10h]  
  114. 0x402EE7   push dword ptr [ebp+0Ch]  
  115. 0x402EEA   push dword ptr [ebp+08h]  
  116. 0x402EED   call dword ptr [0x40D230h]   DefWindowProcW@USER32.DLL (Import, 4 Params)
  117. 0x402EF3   mov ebx, eax   ; <==== executed
  118. 0x402EF5   pop edi   xref: 0x402EA8 0x402EB4
  119. 0x402EF6   pop esi  
  120. 0x402EF7   mov eax, ebx  
  121. 0x402EF9   pop ebx  
  122. 0x402EFA   mov esp, ebp  
  123. 0x402EFC   pop ebp  
  124. 0x402EFD   retn 0010h   function end
  125. 0x402F00   call 0x40223Ch   xref: 0x402ED5 target: 0x40223C
  126. 0x402F05   push ebx  
  127. 0x402F06   xor edi, edi  
  128. 0x402F08   inc edi  
  129. 0x402F09   push edi  
  130. 0x402F0A   push 00000002h  
  131. 0x402F0C   push dword ptr [ebp+08h]  
  132. 0x402F0F   call dword ptr [0x40D1F0h]   SetTimer@USER32.DLL (Import, 4 Params)
  133. 0x402F15   call 0x402E34h   target: 0x402E34
  134. 0x402F1A   test al, al  
  135. 0x402F1C   je 0x402EE1h   target: 0x402EE1
  136. 0x402F1E   push 00000208h  
  137. 0x402F23   mov esi, 0x410AA8h  
  138. 0x402F28   push esi  
  139. 0x402F29   call 0x40532Dh   target: 0x40532D
  140. 0x402F2E   pop ecx  
  141. 0x402F2F   pop ecx  
  142. 0x402F30   test al, al  
  143. 0x402F32   je 0x402F40h   target: 0x402F40
  144. 0x402F34   push esi  
  145. 0x402F35   push ebx  
  146. 0x402F36   push ebx  
  147. 0x402F37   push 0000001Ah  
  148. 0x402F39   push ebx  
  149. 0x402F3A   call dword ptr [0x40D1B8h]   SHGetFolderPathW@SHELL32.DLL (Import, 5 Params)
  150. 0x402F40   push edi   xref: 0x402F32
  151. 0x402F41   push D2B37023h  
  152. 0x402F46   push 0000001Bh  
  153. 0x402F48   push 0x40DD2Ch  
  154. 0x402F4D   call 0x403763h   target: 0x403763
  155. 0x402F52   add esp, 10h  
  156. 0x402F55   push eax  
  157. 0x402F56   push esi  
  158. 0x402F57   call dword ptr [0x40D110h]   lstrcatW@KERNEL32.DLL (Import, 2 Params)
  159. 0x402F5D   call 0x401F83h   target: 0x401F83
  160. 0x402F62   test al, al  
  161. 0x402F64   je 0x402F85h   target: 0x402F85
  162. 0x402F66   lea edi, dword ptr [esp+10h]  
  163. 0x402F6A   mov dword ptr [esp+10h], ebx  
  164. 0x402F6E   mov byte ptr [esp+14h], 00000001h  
  165. 0x402F73   mov dword ptr [esp+18h], 0x402CD1h  
  166. 0x402F7B   call 0x405EBAh   target: 0x405EBA
  167. 0x402F80   jmp 0x402EE1h   target: 0x402EE1
  168. 0x402F85   push ebx   xref: 0x402F64
  169. 0x402F86   push 51A963ABh  
  170. 0x402F8B   push 00000002h  
  171. 0x402F8D   push 0x40DD48h  
  172. 0x402F92   call 0x403763h   target: 0x403763
  173. 0x402F97   push ebx  
  174. 0x402F98   push 349518EAh  
  175. 0x402F9D   push 0000000Fh  
  176. 0x402F9F   push 0x40DD4Ch  
  177. 0x402FA4   mov dword ptr [esp+4Ch], eax  
  178. 0x402FA8   call 0x403763h   target: 0x403763
  179. 0x402FAD   add esp, 20h  
  180. 0x402FB0   push dword ptr [esp+2Ch]  
  181. 0x402FB4   push eax  
  182. 0x402FB5   call 0x405B82h   target: 0x405B82
  183. 0x402FBA   pop ecx  
  184. 0x402FBB   push eax  
  185. 0x402FBC   call 0x402B25h   target: 0x402B25
  186. 0x402FC1   push esi  
  187. 0x402FC2   call 0x4053FEh   target: 0x4053FE
  188. 0x402FC7   add esp, 0Ch  
  189. 0x402FCA   push esi  
  190. 0x402FCB   call 0x4023C5h   target: 0x4023C5
  191. 0x402FD0   pop ecx  
  192. 0x402FD1   call 0x40295Ah   target: 0x40295A
  193. 0x402FD6   mov dword ptr [esp+10h], edi  
  194. 0x402FDA   lea edi, dword ptr [esp+10h]  
  195. 0x402FDE   mov byte ptr [esp+14h], 00000001h  
  196. 0x402FE3   mov dword ptr [esp+18h], 0x402CD1h  
  197. 0x402FEB   call 0x405EBAh   target: 0x405EBA
  198. 0x402FF0   cmp dword ptr [0x410CB4h], ebx   0x00000000
  199. 0x402FF6   je 0x402EE1h   target: 0x402EE1
  200. 0x402FFC   call 0x401E15h   target: 0x401E15
  201. 0x403001   push 00000001h  
  202. 0x403003   push 2B7588E7h  
  203. 0x403008   push 0000000Ch  
  204. 0x40300A   push 0x40DD5Ch  
  205. 0x40300F   call 0x403763h   target: 0x403763
  206. 0x403014   add esp, 10h  
  207. 0x403017   push 00000104h  
  208. 0x40301C   lea ecx, dword ptr [esp+7Ch]  
  209. 0x403020   push ecx  
  210. 0x403021   push eax  
  211. 0x403022   call dword ptr [0x40D080h]   GetModuleHandleW@KERNEL32.DLL (Import, 1 Params)
  212. 0x403028   push eax  
  213. 0x403029   call dword ptr [0x40D108h]   GetModuleFileNameW@KERNEL32.DLL (Import, Unknown Params)
  214. 0x40302F   push esi  
  215. 0x403030   call dword ptr [0x40D07Ch]   GetFileAttributesW@KERNEL32.DLL (Import, 1 Params)
  216. 0x403036   or eax, 06h  
  217. 0x403039   push eax  
  218. 0x40303A   push esi  
  219. 0x40303B   call dword ptr [0x40D08Ch]   SetFileAttributesW@KERNEL32.DLL (Import, 2 Params)
  220. 0x403041   lea eax, dword ptr [esp+78h]  
  221. 0x403045   push esi  
  222. 0x403046   push eax  
  223. 0x403047   call 0x404A47h   target: 0x404A47
  224. 0x40304C   push dword ptr [0x410CB4h]  
  225. 0x403052   call 0x4023E6h   target: 0x4023E6
  226. 0x403057   add esp, 0Ch  
  227. 0x40305A   push esi  
  228. 0x40305B   call 0x4023A4h   target: 0x4023A4
  229. 0x403060   pop ecx  
  230. 0x403061   push 00000040h  
  231. 0x403063   lea eax, dword ptr [esp+38h]  
  232. 0x403067   push ebx  
  233. 0x403068   push eax  
  234. 0x403069   call 0x40A4E2h   memset@NTDLL.DLL (Import, 2 Params) target: 0x40A4E2
  235. 0x40306E   add esp, 0Ch  
  236. 0x403071   mov dword ptr [esp+1Ch], ebx  
  237. 0x403075   xor eax, eax  
  238. 0x403077   lea edi, dword ptr [esp+20h]  
  239. 0x40307B   stosd    
  240. 0x40307C   push 00000001h  
  241. 0x40307E   push 9F12C8E3h  
  242. 0x403083   stosd    
  243. 0x403084   push 00000004h  
  244. 0x403086   push 0x40DD6Ch  
  245. 0x40308B   mov dword ptr [esp+40h], 00000044h   ASCII "D" (Chunk)
  246. 0x403093   stosd    
  247. 0x403094   call 0x403763h   target: 0x403763
  248. 0x403099   push dword ptr [0x410CB4h]  
  249. 0x40309F   push eax  
  250. 0x4030A0   lea eax, dword ptr [esp+24h]  
  251. 0x4030A4   push eax  
  252. 0x4030A5   call 0x40469Ch   target: 0x40469C
  253. 0x4030AA   add esp, 1Ch  
  254. 0x4030AD   lea eax, dword ptr [esp+1Ch]  
  255. 0x4030B1   push eax  
  256. 0x4030B2   lea eax, dword ptr [esp+34h]  
  257. 0x4030B6   push eax  
  258. 0x4030B7   push ebx  
  259. 0x4030B8   push ebx  
  260. 0x4030B9   push 01000000h  
  261. 0x4030BE   push ebx  
  262. 0x4030BF   push ebx  
  263. 0x4030C0   push ebx  
  264. 0x4030C1   push dword ptr [esp+2Ch]  
  265. 0x4030C5   push ebx  
  266. 0x4030C6   call dword ptr [0x40D05Ch]   CreateProcessW@KERNEL32.DLL (Import, 10 Params)
  267. 0x4030CC   test eax, eax  
  268. 0x4030CE   je 0x4030E2h   target: 0x4030E2
  269. 0x4030D0   mov esi, dword ptr [esp+20h]  
  270. 0x4030D4   call 0x40349Ch   target: 0x40349C
  271. 0x4030D9   mov esi, dword ptr [esp+1Ch]  
  272. 0x4030DD   call 0x40349Ch   target: 0x40349C
  273. 0x4030E2   push dword ptr [esp+0Ch]   xref: 0x4030CE
  274. 0x4030E6   call 0x40A2EFh   target: 0x40A2EF
  275. 0x4030EB   pop ecx  
  276. 0x4030EC   push dword ptr [0x410CB4h]  
  277. 0x4030F2   call 0x40A2EFh   target: 0x40A2EF
  278. 0x4030F7   pop ecx  
  279. 0x4030F8   jmp 0x402EE1h   target: 0x402EE1
  280. 0x4030FD   push 00000001h   xref: 0x402ECE
  281. 0x4030FF   call dword ptr [0x40D210h]   BlockInput@USER32.DLL (Import, 1 Params)
  282. 0x403105   push 00000005h   ; <==== executed
  283. 0x403107   push dword ptr [ebp+08h]  
  284. 0x40310A   call dword ptr [0x40D214h]   ShowWindow@USER32.DLL (Import, 2 Params)
  285. 0x403110   jmp 0x402EE1h   target: 0x402EE1 ; <==== executed
  286. 0x403115   lea eax, dword ptr [esp+30h]   xref: 0x402EAD
  287. 0x403119   push eax  
  288. 0x40311A   push dword ptr [ebp+08h]  
  289. 0x40311D   call dword ptr [0x40D208h]   BeginPaint@USER32.DLL (Import, 2 Params)
  290. 0x403123   mov esi, eax  
  291. 0x403125   cmp esi, ebx  
  292. 0x403127   je 0x402EE1h   target: 0x402EE1
  293. 0x40312D   lea eax, dword ptr [esp+1Ch]  
  294. 0x403131   push eax  
  295. 0x403132   push dword ptr [ebp+08h]  
  296. 0x403135   call dword ptr [0x40D204h]   GetClientRect@USER32.DLL (Import, 2 Params)
  297. 0x40313B   push 00000006h  
  298. 0x40313D   lea eax, dword ptr [esp+20h]  
  299. 0x403141   push eax  
  300. 0x403142   push esi  
  301. 0x403143   call dword ptr [0x40D1F8h]   FillRect@USER32.DLL (Import, 3 Params)
  302. 0x403149   push 00000001h  
  303. 0x40314B   push esi  
  304. 0x40314C   call dword ptr [0x40D048h]   SetBkMode@GDI32.DLL (Import, 2 Params)
  305. 0x403152   push 00000001h  
  306. 0x403154   push 8182F0FBh  
  307. 0x403159   push 00000056h  
  308. 0x40315B   push 0x40DD78h  
  309. 0x403160   call 0x403763h   target: 0x403763
  310. 0x403165   push dword ptr [0x410CB0h]  
  311. 0x40316B   push eax  
  312. 0x40316C   lea eax, dword ptr [esp+24h]  
  313. 0x403170   push eax  
  314. 0x403171   call 0x40469Ch   target: 0x40469C
  315. 0x403176   add esp, 1Ch  
  316. 0x403179   test eax, eax  
  317. 0x40317B   je 0x4031A4h   target: 0x4031A4
  318. 0x40317D   push 00000025h  
  319. 0x40317F   lea eax, dword ptr [esp+20h]  
  320. 0x403183   push eax  
  321. 0x403184   push dword ptr [esp+14h]  
  322. 0x403188   call dword ptr [0x40D0B8h]   lstrlenW@KERNEL32.DLL (Import, 1 Params)
  323. 0x40318E   push eax  
  324. 0x40318F   push dword ptr [esp+18h]  
  325. 0x403193   push esi  
  326. 0x403194   call dword ptr [0x40D1FCh]   DrawTextW@USER32.DLL (Import, 5 Params)
  327. 0x40319A   push dword ptr [esp+0Ch]  
  328. 0x40319E   call 0x40A2EFh   target: 0x40A2EF
  329. 0x4031A3   pop ecx  
  330. 0x4031A4   push esi   xref: 0x40317B
  331. 0x4031A5   call dword ptr [0x40D044h]   EndPage@GDI32.DLL (Import, 1 Params)
  332. 0x4031AB   jmp 0x402EE1h   target: 0x402EE1
  333. 0x4031B0   lea eax, dword ptr [esp+78h]   xref: 0x402EA1
  334. 0x4031B4   push eax  
  335. 0x4031B5   push 00000001h  
  336. 0x4031B7   push E17754ACh  
  337. 0x4031BC   push 0000000Fh  
  338. 0x4031BE   push 0x40DD1Ch  
  339. 0x4031C3   call 0x403763h   target: 0x403763
  340. 0x4031C8   add esp, 10h  
  341. 0x4031CB   push eax  
  342. 0x4031CC   call 0x4036EAh   target: 0x4036EA
  343. 0x4031D1   pop ecx   executed
  344. 0x4031D2   pop ecx  
  345. 0x4031D3   lea eax, dword ptr [esp+78h]  
  346. 0x4031D7   push eax  
  347. 0x4031D8   call dword ptr [0x40D0B8h]   lstrlenW@KERNEL32.DLL (Import, 1 Params)
  348. 0x4031DE   mov edi, eax  
  349. 0x4031E0   add edi, edi  
  350. 0x4031E2   lea eax, dword ptr [esp+78h]  
  351. 0x4031E6   call 0x405BC4h   target: 0x405BC4
  352. 0x4031EB   mov dword ptr [0x410CB0h], eax  
  353. 0x4031F0   call 0x4013F2h   target: 0x4013F2
  354. 0x4031F5   sub dword ptr [0x4109DCh], eax   executed
  355. 0x4031FB   push ebx  
  356. 0x4031FC   push 00000001h  
  357. 0x4031FE   push dword ptr [0x4109DCh]  
  358. 0x403204   push dword ptr [ebp+08h]  
  359. 0x403207   call dword ptr [0x40D1F0h]   SetTimer@USER32.DLL (Import, 4 Params)
  360. 0x40320D   jmp 0x402EF5h   swap point
  361.  
  362. ---
  363. #MalwareMustDie!!