Hi folks, let me say two more words about the previous code.
I strongly believe that the discussed code at the beginning of his life, followed the fastcall convention (1). As you can see, the first parameters are put directly into CPU registers, and after that saved into the stack (2),this is the classic fastcall behavior.
Due to polymorphism, the code is able to change itself. One of the first basic techniques is to change registers and saved locations like shown in (2). Basically we are in front of a polymorphic and evolved (by meaning: “not the original”) malware .