Analysis Date: 2014-11-27 20:14:27
MD5: aeaf03ec13bb911aca1829a30a52d33f
SHA1: e720028a0cef5fc2a8ac26e33869fe9858888870

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 848109517e0663a3eb228bb02a52cd90  sha1: 2eacc73317cd31377335c66ce788b72750028e3a  size: 21504
Section .bss    md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
Section .rdata  md5: e6a16128996d4143d477b0dd9398c835  sha1: dd4715f9a65790a47a6a2418121a3f6fe2e040e9  size: 9728
Section .data   md5: 48b50b97ed4968cee16e1b2126476a32  sha1: b4e256f35afffe32f66c7157cf046bef3d6e927a  size: 162304
Section .rsrc   md5: bf619eac0cdf3f68d496ea9344137e8b  sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5  size: 512
Section .reloc  md5: a9d506c9dbc2e338d3cc6a8e4d312df0  sha1: d081129d137beab15907696150f4ab73d0b3c657  size: 3072
Timestamp: 2014-05-26 15:09:44
Packer: Microsoft Visual C++ ?.?
PEhash: 289a0dd3938523f24ff4c10b7b0eb447143f2131
IMPhash: 85c40d1ec866f848ca6e9921cf521257

Note: .data (162304 bytes) is several times larger than .text (21504 bytes) while .rsrc holds only 512 bytes, which is consistent with the dropped wallpaper.dll being carried in the executable's data rather than in its resources. The Strings section below also contains an Authenticode certificate chain (subject BLSoft Co.,Ltd; Thawte Code Signing CA - G2; TC TrustCenter Authenticode Timestamp II) whose UTCTime values 140526135747Z and 140526150956Z fall on the same day as the PE timestamp. The sandbox does not record whether that signature validates or whether the certificate has since been revoked, so the signature should not be treated as a trust signal.
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Agent.212992.241
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.origin - infected, incurable
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Agent.PEX
AV Fortinet: W32/Agent.PEX!tr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): Win32/DH{gRKBE3lYCA83ATYSgQ4eO1BPFVGBFRMUGAo}
AV Ikarus: Trojan.Win32.Agent
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.L
AV MicroWorld (escan): no_virus
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\Application Data\WallPaper\wallpaper.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dfjdcs324aaaoijs.bat
Creates Process: rundll32.exe "C:\Documents and Settings\All Users\Application Data\WallPaper\wallpaper.dll" Resource 1
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dfjdcs324aaaoijs.bat

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\dfjdcs324aaaoijs.bat

Creates Process: attrib -a -r -s -h "C:\malware.exe"

Process
↳ rundll32.exe "C:\Documents and Settings\All Users\Application Data\WallPaper\wallpaper.dll" Resource 1

Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: Global\ufiggmvpeeiwv
Creates Mutex: Global\elthiffdi

Process
↳ attrib -a -r -s -h "C:\malware.exe"

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: C:\Documents and Settings\All Users\DRM\ksetup\nprqyjadoqkp
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\qzkdc
Creates Mutex: Global\eklrhgdvaqrfzgugv
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\ufiggmvpeeiwv
Creates Mutex: Global\mxufovgpujrelcqpp
Creates Mutex: Global\ssmuagced
Creates Mutex: Global\ylknm
Creates Mutex: Global\mschu
Creates Mutex: Global\eklebbotbcnlyjehk
Creates Mutex: Global\gxitk
Creates Mutex: kor
Creates Mutex: Global\mwmwahssfgzhbdlaa
Creates Mutex: Global\uimnyxkbx
Creates Mutex: Global\ypsoayzmexnwqzmrx
Creates Mutex: Global\ykbchaeqgqtdt
Creates Mutex: Global\iqlpefsfveadljlia
Creates Mutex: Global\khutgmgyc
Creates Mutex: Global\uinglqjbkrilvyqrh
Creates Mutex: Global\aelyqgtun
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\aelgflwcvvytstumy
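The process tree above shows three behaviours that can be alerted on without depending on this sample's file or mutex names: rundll32.exe loading a DLL from a user-writable directory (All Users\Application Data) through a named export (Resource 1); that rundll32.exe instance spawning svchost.exe, which on a healthy host is started only by services.exe; and a batch file in Temp clearing the system and hidden attributes on the original dropper, the usual preparation for the del/goto self-delete loop whose fragments (:selfdelete, if exist, del %0) appear in the Strings section. The script below is an added detection example and not part of the sandbox report. It runs three such rules over process-creation events reconstructed from the tree above; the image paths for rundll32, cmd and attrib, the cmd /c wrapper for the .bat, and the explorer.exe parent of malware.exe are assumptions, and the two benign events at the end are constructed controls.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str    # image path of the new process
    parent: str   # image path of the parent process
    cmdline: str  # full command line of the new process


# Directories a standard user can write to (XP-era names plus Vista+ names).
WRITABLE_DIRS = (
    r"\all users\application data",
    r"\programdata",
    r"\local settings\temp",
    r"\appdata\local\temp",
    r"\users\public",
)

_RUNDLL32_ARG = re.compile(r'\s*"?[^"\s]*rundll32\.exe"?\s+(?:"([^"]+)"|([^\s,]+))', re.I)


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_target(cmdline: str) -> Optional[str]:
    """Return the DLL path a rundll32 command line loads (quoted or dll,Export form)."""
    m = _RUNDLL32_ARG.match(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def rule_rundll32_writable_dll(ev: ProcEvent) -> bool:
    """rundll32.exe given a DLL that lives in a user-writable directory."""
    if _base(ev.image) != "rundll32.exe":
        return False
    dll = rundll32_target(ev.cmdline)
    return dll is not None and any(d in dll.lower() for d in WRITABLE_DIRS)


def rule_svchost_bad_parent(ev: ProcEvent) -> bool:
    """svchost.exe whose parent is not the Service Control Manager (services.exe)."""
    return _base(ev.image) == "svchost.exe" and _base(ev.parent) not in {"services.exe"}


def rule_attrib_unhide_exe(ev: ProcEvent) -> bool:
    """attrib.exe launched from a script host clearing S/H bits on an executable."""
    if _base(ev.image) != "attrib.exe" or _base(ev.parent) != "cmd.exe":
        return False
    flags = {f.lower() for f in re.findall(r"(?<!\S)-([arsh])", ev.cmdline, re.I)}
    return bool(flags & {"s", "h"}) and ".exe" in ev.cmdline.lower()


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "rundll32_writable_dll": rule_rundll32_writable_dll,
    "attrib_unhide_exe": rule_attrib_unhide_exe,
    "svchost_bad_parent": rule_svchost_bad_parent,
}


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every rule that fires, in event order."""
    return [(name, ev.cmdline) for ev in events for name, fn in RULES.items() if fn(ev)]


# Events reconstructed from the process tree in this report (paths for the
# system binaries, the cmd /c wrapper and the explorer.exe parent are assumed).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\malware.exe", r"C:\WINDOWS\explorer.exe", r"C:\malware.exe"),
    ProcEvent(r"C:\WINDOWS\system32\rundll32.exe", r"C:\malware.exe",
              r'rundll32.exe "C:\Documents and Settings\All Users\Application Data\WallPaper\wallpaper.dll" Resource 1'),
    ProcEvent(r"C:\WINDOWS\system32\cmd.exe", r"C:\malware.exe",
              r'cmd /c "C:\Documents and Settings\Administrator\Local Settings\Temp\dfjdcs324aaaoijs.bat"'),
    ProcEvent(r"C:\WINDOWS\system32\attrib.exe", r"C:\WINDOWS\system32\cmd.exe",
              r'attrib -a -r -s -h "C:\malware.exe"'),
    ProcEvent(r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\rundll32.exe",
              r"C:\WINDOWS\system32\svchost.exe"),
    # Constructed benign controls: SCM-started svchost and a stock rundll32 use.
    ProcEvent(r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\services.exe",
              r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ProcEvent(r"C:\WINDOWS\system32\rundll32.exe", r"C:\WINDOWS\explorer.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for name, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{name:24} {cmd}")
```

The svchost rule is the strongest of the three: the imports listed in the Strings section (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, ResumeThread) are the standard set for writing code into a freshly started process, and a svchost.exe with rundll32.exe as its parent has no legitimate explanation. The rundll32 rule will need a per-environment allowlist for installers that legitimately stage DLLs in ProgramData; the attrib rule is narrow on purpose and will not see the self-delete if the dropper uses a different script host.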

Network Details:

DNS: www.map800.com
  Type: A
  Answer: 223.25.247.214
Flows UDP: 192.168.1.1:1031 ➝ 8.8.8.8:53
Flows UDP: 192.168.1.1:1031 ➝ 8.8.8.8:53
Flows TCP: 192.168.1.1:1032 ➝ 223.25.247.214:443

Raw Pcap
0x00000000 (00000)   f01f6f14 ca6b8908 4bbcd325 ecd7cd01   ..o..k..K..%....
0x00000010 (00016)   ed18e708 1afc93c1 36756a25 7c747d05   ........6uj%|t}.
0x00000020 (00032)   95988022 02d0e79a c496                ..."......
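The only TCP flow goes to 223.25.247.214:443, the address returned for www.map800.com, but the bytes in the dump do not look like TLS: a TLS handshake begins with content type 0x16 followed by a 0x03 0x0X version, whereas this stream starts f0 1f 6f 14. The script below is an added check, not part of the sandbox report: it parses the hex dump above back into bytes and classifies the payload by its leading bytes, so the port number alone is not mistaken for evidence of HTTPS. The dump text is copied verbatim from the page; the report does not state which direction these 42 bytes travelled, so the classification is meaningful only if they are the client's first bytes.

```python
import re

# Hex dump copied from the Raw Pcap section of this report (three lines, 42 bytes).
RAW_PCAP_DUMP = """\
0x00000000 (00000)   f01f6f14 ca6b8908 4bbcd325 ecd7cd01   ..o..k..K..%....
0x00000010 (00016)   ed18e708 1afc93c1 36756a25 7c747d05   ........6uj%|t}.
0x00000020 (00032)   95988022 02d0e79a c496                ..."......
"""

_LINE = re.compile(r"0x[0-9a-fA-F]+\s+\(\d+\)\s+(.*)$")


def parse_hexdump(dump: str) -> bytes:
    """Turn the sandbox's 'offset (decimal) hexwords ascii' lines back into bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        # Hex words are single-spaced; a run of two or more spaces starts the ASCII gutter.
        hexwords = re.split(r"\s{2,}", m.group(1), maxsplit=1)[0]
        out += bytes.fromhex(hexwords.replace(" ", ""))
    return bytes(out)


def classify_payload(data: bytes) -> str:
    """Label the first bytes a client sends on a connection to port 443."""
    if len(data) < 5:
        return "too-short"
    ctype, vmaj, vmin = data[0], data[1], data[2]
    rec_len = int.from_bytes(data[3:5], "big")
    # TLS record header: handshake (0x16), version 3.0 to 3.4, plausible length,
    # and a ClientHello (0x01) as the first handshake message.
    if ctype == 0x16 and vmaj == 0x03 and vmin <= 0x04 and 0 < rec_len <= 16384:
        return "tls-client-hello" if len(data) > 5 and data[5] == 0x01 else "tls-handshake"
    # SSLv2-compatible hello: 2-byte length with the high bit set, then type 0x01.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    if data[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ", b"HTTP"):
        return "plaintext-http"
    return "unknown-binary"


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


if __name__ == "__main__":
    payload = parse_hexdump(RAW_PCAP_DUMP)
    print(len(payload), "bytes:", classify_payload(payload),
          f"(printable ratio {printable_ratio(payload):.2f})")
```

For the bytes on this page the result is unknown-binary with a printable ratio of about 0.29, i.e. neither a TLS record nor a text protocol. An egress policy that permits 443/tcp without protocol inspection passes this traffic unchanged; a proxy or IDS that validates the TLS record layer on 443 would flag it. Only the first 42 bytes are shown, so nothing can be said about the framing or keying of the rest of the session.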


Strings
CC
\
.
 
CC
.
\
 
...
e.M..P&
041904b0
1927
- abort() has been called
April
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
Copyright (C) 2005
- CRT not initialized
dddd, MMMM dd, yyyy
December
DOMAIN error
February
FileVersion
- floating point support not loaded
Friday
                                 H
         (((((                  H
         h((((                  H
HH:mm:ss
January
July
June
@KERNEL32.DLL
KERNEL32.DLL
LegalCopyright
March
@Microsoft Visual C++ Runtime Library
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
mscoree.dll
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
nruntime error 
<<<Obsolete>>
October
Program: 
<program name unknown>
- pure virtual function call
R6002
R6008
R6009
R6010
R6016
R6017
R6018
R6019
R6024
R6025
R6026
R6027
R6028
R6030
R6031
R6032
R6033
runtime error 
Runtime Error!
Saturday
September
SING error
STRING
StringFileInfo
Sunday
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
Thursday
TLOSS error
Translation
Tuesday
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
VarFileInfo
VS_VERSION_INFO
Wednesday
WUSER32.DLL
                          
?/&'/]
{|}|`|
#:$+0/,
0&0+030=0H0
0-0;0A0d0k0
0'03080=0C0G0M0R0X0]0l0
/;{<01
^011:2/
0%1+161<1K1Y1f1
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
01|-3b
0.2?2y2
061117000000Z
090617152221Z
).0br]~!
;);0;:;L;c;q;w;
0P0V0h0
=-:}}-1
100208000000Z
<,>&11:
(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
$1(1,101
11121I
111,b3
11^223t
112/3o">!
;&112e
112]ri
1+131>1
%11/3r
::*1152
:[)115]32
1+161A1L1W1b1m1x1
'11b12
11b:53b2
'11g2Vy22
11;X111 
121009000000Z
121:3x221
!1215l
$121b:
1!22-3
1!22-3-
.12,[j
13":Hf3
140526135747Z0#
140526150956Z0#
141014235959Z0g1
14181$>,>4><>D>L>T>\>d>l>t>|>
142C2{2
15!23,
1_6,E.
18qLUUy
1B1H1Z1
.1B3| _
>1E1K1E2Q2\3
-1o">1o*2z
1r15,}
1R2/"-:
1R[r1_
1W2]2c2i2o2u2|2
}-1X"2
|@} 2~
-2-=-%!
:\"-2 :
}<}2|~
200207235959Z0J1
201230235959Z0
|2(|1|
210101235959Z0
2:-@11;
2!))11
2;111o&k
2.11b1
2):'(11}E
212<3a
21`"2X/
21b"3h
,]:2,1e
,;#.22
,":+%22
:|!"22;
."2.2~
"2"2:,
*:?`22
2/,2,:=
2 2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
2;/2111_
,2212ds
:|2;22}
"2"22:
,"22:@2/}1
2221326
 :2222
.22`2_2
2"2221
2222}1
222,22
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
2222c^:
222:2]d22
2"222eJ
.2225>_
222ab22<(h"k!A
222bV:
2&2,2e2r2x2
222f-V
2-2;2I2W2e2
222}(ki
22@~2oc
2;}22r^73l
222,t2
}|222w8+
222Wz[z
2'232O2U2^2e2
=223o2*#_&
2,~2b:
22bB2b
22dr-32
2,":2EZ11b1
22:.G.11.
22;K.-
.22]:N,;,
:22,O3
22o::i#
22;,PR
$22r22
2/:@2r22
22R22eB
22R3"e
"2"2:S
"22v3222
/2,	2z
2:<3":
2:{322
2"3262
23"J1X.
2,,3r V
{23vc23j
251231195959Z0
25;ltr
26:1'11
:>2611a
}28}?}3~
283H3X3h3x3
>'>2>8>H>M>^>f>l>v>|>
2:~A11
2a/225
!2b1}:
2B.:\1n22
2"B22]
2]b222
2b:Er,
2b,":;f222
2bo22V3r.2
2~b.-r
|2B|s}
2C,o,m
2dJd=d
2|Drp;
}2E}0}
2e)e	f
2eqfof`f
2f111:
2:fI01]:
2fKf5f1f
2Fq+q2
2gDg@g0g
2g pFp#q
2gzgggcg
.2.H2.
2h2Ri:
2}H}&}y~o.~
}2I}@}+}
2:i&01
],"2-J[--
;!<2<J<f<
|2J|N|;|@|2*|2}
:2#K01
~2K~vioi
2: .}l
.:_,2l2
:	2M22
]2m]:,3~
2m.3b22
2@MM(v
2n3"b:
:2:N:f:
2np"Ye
2o&.eX
~2|~p~
2P3"T5<
2q2!2:
2q.q.1q.q.q.q.q.q.q.~.
2q qpqbq
2q.q.q.q.q.q.q.qq.q.q.q.q.
2qTq]q
2qxquqVq
~2r22:
^2r22:Z
2R3"b1ZH
2rB11r
2rfVfcf
2-:S,22
,2SjF2
.2srN2*
2uY.ub
2;v322]
2VN3":
2W2f*n:
2W32 2:"?11
2X3{432{
}2"}Y}b}
2:Yf11
2y,l!3l
2yR2 !
2#-Z.C2
+&3"/"
3}~_"/.
31"}:5.
31R{2n
,3225"h]:
,"323"
%3":25
32}"(k
3,2r/2
32r2.2
3.2VB,
3#3)3:3?3G3U3c3q3
3%333A3O3]3k3y3
3"3(3.3D3K3
3!3*393\3a3f3}3
3"3'393C3H3d3n3
3!3l3w3
3(3L3X3\3`3d3h3
//33v:
382*S2x,L2
3B4\4m4
3b:xR/
3>:_C11
3Cro&"1
3]:.F6
3f;^9&,
?3FC3<ea} c3
3!,fe2
{3i2:N
3lsg`fR.,
3m2"3Xv
3m2-`o,Y2
3MSc]3Js
3<[]mW
.,-^3-n--"
&3.N -.
3n,"o,*S
;3o6rme
#3o*b:
?3o>R#er
|3&Pb-
3Q2V3.2
":{3r!
3R`;~.
3roWB:'
3r\:Svo
].3{V".3.2
3 W{X@
|4|,="
4=4D4H4L4P4T4X4\4`4
4&4L4S4m4t4
4"5-5H5O5T5X5\5}5
<4=8=X=d=
?$?,?4?<?D?L?T?\?d?l?t?
4I5\5n5
4M5S5o5
\4p(p%2p
.}(5^]
,52\2R8Ej
52585C5I5Z5_5g5u5
536?6R6d6
5(5J5_5
5	6/656_6
:5bK22
5D5J5t5
5F6L6P6T6X6
5T(Rwc
6222w2b
6^2322
6&6Q6i6
677A7o7u7
6	7C7P7Z7h7q7{7
6B6O6d6
7~<~)2~1~
:723eP
.:72V2
768A8K8d8n8
7%7+757;7E7N7Y7^7g7q7|7
7.7@7R7x7
7,7:7X7g7
7>7D7Y7y7
7<7T7r7
7.7W7h7
7'808<8U8
7;8F8P8a8l8,:=:E:K:P:V:
:!:7:B:\:g:o:
7P:T:X:\:`:d:h:l:p:t:
7.vN._
8"8)858=8M8U8`8v8
8$8)888N8T8\8a8i8n8v8{8
8)8/8C8H8i8n8
8,8>8P8
8-8S8q8}8
=8=D=`=l=
8,-H1W
960801000000Z
9I9a9i9r9
9q6q=q*
":a11.1
a2,":<
a/223#
*\A6:;
:!aB3B:E
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
#a:BKY,
AdjustTokenPrivileges
Advapi32.dll
<%<+<A<H<R<Y<e<k<w<}<
:ak1b1
Application Data\
+,a<,S3;
attrib -a -r -s -h 
August
 B-1bbB
]b.1Hr
,^B]^^|2
:-b221
"B22:%3
"B2"2:4
b"2!"32!
b2:6i22
b:2F711
>b 2ko*
B 2kW&
b2:<Y32}
b3_/!3_
,b33l3Z0
b\3-E_3.
b$3"-R
,/B3/+w
B5,}2(
B5,r}(
B:%5r01b
B5tl{:X
b:A7r/
".baB:
ba],,rma``om
baW	6sv
-bb1b."
B,bbr,^c,:
B Be"=
_B\cc2
/:BD11
<b<<=D=\=w=
#bfN}7
B,g3B,
>Bi7I2
bk	1IJ
]b:K32`g,322
BLSoft Co.,Ltd 0
BLSoft Co.,Ltd 1
b,"l|Z
B_M2>S2
."B"	m.|^3
}bm}Z5
bn:_R2
b-Q1_F
bqB:Pr
<,*B,R
b-/]-rv
B:t!s."n.
*}(bu*1
Bu)2)P
b:v2111
Bv2}(k
bv:Hs3
B:X@l-Rb3
bZ)5=t2
bZM}2!~
b:zssw
/C'11/
/(c) 2006 thawte, Inc. - For authorized use only1
#;c,22
c2c]}E
c2re_"
\c2uJb
c,)3E<3lC3
~.c3R`
	Cape Town1
\c--b!
:cB012
`"c}E2b
Certification Services Division1!0
Certification Services Division1806
ChangeServiceConfig2A
ChangeServiceConfigA
C,h=,,+,@xG
"cJLrjtm
CloseHandle
CloseServiceHandle
closesocket
connect
ControlService
CorExitProcess
C,q2!2),2?,d
~.c]R,
CreateDirectoryA
CreateFileA
CreatePipe
CreateProcessA
CreateRemoteThread
CreateServiceA
CreateThread
CreateToolhelp32Snapshot
_>,d=,
d2DdQd?d0d2
d$2d.e
d2sdXd
,d^3d'
,-.d5,co/".
Daejeon1
:':D:a:p:v:{:
@.data
d#<B.M0
dD8'r+
dddd, MMMM dd, yyyy
December
DecodePointer
del %0
DeleteCriticalSection
DeleteFileA
dfjdcs324aaaoijs.bat
dGd8d<d
>(>D>H>h>
DhjlqWsgdwhThvrxufhC
>=>D>H>L>P>T>X>\>`>
:Dj112q}:,x
d|m|b|p
:\Documents and Settings\All Users\
>_>d>q>
d:,[r,uo&g
}D}S2}:}A}(}'2}.~
dVd eOre
dVe_e2
=,>D>X>
|E2|:|
:,}E2}(
~E~2=~a
e#2c2r.es.
e2GeLe
e2keqene
e.322}
~E3yE3
}E]:42
.eb:1s2
e	Bv21e
@echo off
eDe28e5e
e:eCe$be2f/
e{edeV2e
e~egeTe2
.:Ej2,2B
eJePe2;e&e
EkdqjhUhuylfhErqilj5C
EkdqjhUhuylfhErqiljC
eKeOe4e2
<e=k=u=
EncodePointer
EnterCriticalSection
EorvhJdqgoh
EorvhUhuylfhJdqgoh
eosao&
eQ2co&3
!e)r11
:e?r J
ErqwuroUhuylfh
eue|2e
EuhdwhFluhfwrubC
EuhdwhHlohC
EuhdwhRurfhvvC
EuhdwhUhuylfhC
ewe2kepe[e\e2
ewf>WS
eX2e`e
ExitProcess
eze].e
F0L0P0T0X0
F2/,";
F2:(@01k
f2;f<f0f-g
f2Ff:f
f2ifnf
February
fEf9f26f
f/gZhg
Fh=p#C
FindResourceA
F:,Ir/
Fj;j="j&j
~Fl4$ks'
fL\eQ2
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
fOf@2f$f1f
fq2f`f_f
FreeEnvironmentStringsW
Friday
Fz222r
g2dgXgUg]g2
g2?ggpXp\p2
|g2|l|
/-@".g5
GalwRurfhvv
"g\,B"
GetACP
GetActiveWindow
GetAdaptersInfo
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetFileAttributesA
GetFileTime
GetFileType
GetForegroundWindow
gethostbyname
gethostname
GetLastActivePopup
GetLastError
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDirectoryA
GetSystemTimeAsFileTime
GetTempPathA
GetTickCount
GetUserObjectInformationW
GetVersionExA
GetWindowsDirectoryA
GetWindowTextA
gFgSg2zqfqoqUq2bq_q
g+gj.p_
Gj2OjCj'jwk2hklkYkck2
gJgG2g:gCg'g,2p
GlobalAlloc
GlobalFree
gO-2b2!
 goto selfdelete
GqgWsgdwhThvrxufhC
gqgZ2g^g
	Guam-dong1
G)w8\H
~g~X2~]~
GX^Z-\
:>h22s
h=2h&h
h2[h\h
h2{h~hqhWh2]h
h2Sh8h$h-i2!i
h4hBh?h2
=& h9<u
hAh&.h.
Hamburg1
"H~E~2;~X
h;e32Z2
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
hehs2hThah
>$>(>H>h>
@h(hji2si`i
HH:mm:ss
Hhttp://www.trustcenter.de/certservices/cacerts/tc_class2-II_L1_CA_IV.crt0
'h!i~i
hJh2Gh8hAh%h22i
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer SUCC!
hlh2Uh
:H;M;V;e;
>"?-?H?O?T?X?\?}?
h:rh)h
#http://crl.thawte.com/ThawtePCA.crl0
/http://crl.thawte.com/ThawtePremiumServerCA.crl0
*http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
http://ocsp.thawte.com0
https://www.thawte.com/cps0
$http://www.trustcenter.de/guidelines0
hVk_2k
)hwi|ii2iqi
hwjhj2ljYj
i2~22Xo
i29iAi
i2xjvj
i2ziUi^i
&I9S2M1
IC2Fi9PJ
}I}d~2^~
|I|F.|.
~I~F~>~2'~
if exist 
ifisi]i2
Ifzp|p
i+G8F2
Ihttp://crl.IV.tcclass2-II.trustcenter.de/crl/v2/tc_class2-II_L1_CA_IV.crl0
IhwHlohCwwulexwhvC
IhwUbvwhpFluhfwrubC
IhwVhpsRdwkC
i|"idiPr
i@"i+i
i;i=i&i3
inet_addr
inet_ntoa
iNi62i+i-jfjXo
InitializeCriticalSectionAndSpinCount
iniW2i\i
InterlockedDecrement
InterlockedIncrement
Iphlpapi.dll
IqFq8qA
;.;I;Q;Y;p;
iS-BR-
IsDebuggerPresent
iSi4i(i2%i
IsProcessorFeaturePresent
IsValidCodePage
J"}1:@R.!
j2Hj@j
:j3222
J5H3bj
J):7,M22
January
?,jC,%)),
j}j2djsjYjbj2
j@j ^V
jKjMj6j2*j'j/k k2
j"kxk2pk\k
jlj2_j
:J;m;v;
J*:n2,R3-
jN3"f:f
~J~O~2
jSk4k(2k%k
j:TE11
juj~jrj2ojbj
jwj~joj2
k2Tkbk
k2zk~kkkZk2_k
K3,:{r
kAk*k2.d
kal"S2"ka
kaMfwm
k[d2\d
Kernel32.dll
KERNEL32.dll
kIkMk2:k0k
|K|M|2>|$|
_k_m7?
k]mRr.
kNk<k2d
:,ko:!2
kR20R2
.KR3[=#.
ks :,'"
K	tF>Q)
:L2222
l22"33
L,2.25
l-[22B\.
l2,glO"
l2/:ZR25
L3b:"R3
l3Jl3Fl3R_l3Nl3:l36l3B_l3>l3*l3&l32\-r
_l3"l3
l3~r3: S
l3^]:t
l3vs3]r3
l3zl3v
l.:4Xr11]:
LCMapStringW
LeaveCriticalSection
l,gg5,
l[HhIY7
Libraries\
LoadLibraryA
LoadLibraryW
LoadResource
LockResource
LookupPrivilegeValueA
:lp3"WR:h
"l<p*p2'p,q
lstrcatA
lstrcpyA
lstrlenA
:>>/m,"
M112,v
-;M-22
m8Y&Rs
mdZd2bd
memcpy
memset
MessageBoxW
MM/dd/yy
m-nl-YY-
Monday
MoveFileA
MoveFileExA
m,r3BR2.
ms3-Z}
m,TpX,5
mUH2ox
MultiByteToWideChar
m wRrr
mZ2B22e
/|/},n
}n}2V}
:N2z11
N3":]3
n3,3-dW&cb
n83".:
Nb!z@/2
N*c]}E
?N?^?d?p?v?
""Ng,;
nj"R-b!
n/Js/by
.nM2R.2v]Z
November
nsl,R-x1
ntdll.dll
n ,wr 5
"o%112v,}
o>1o&ko2&
o*21o*
:O2511
o26b1~
o2*}Eb
o:=2o.C2m
-o}(2Y
o"2[y225
O3]:.<2
O323^33
O3":S 
o"5!ko""
o62}Eb
o6:R'_
o6R 2r
o&:7S,2
o*a/ro
o&b}En
October
oF2b:]
"oF2/r
oJ1o2:
oJ1o6R	
oNb:.j
o>-o2B}
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenServiceA
o>R23,._
o:rb*:.
oRb:v1"
oR:"L(11r
oS qR }
o,.s,w
OutputDebugStringA
?o,VX,
o,zC.6
.ozs2,"b1
p'&0(z
:_P221o
p2eprp
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
pbo222
PeekNamedPipe
pE<W*.p
pFpCp.2q
pHp2Qp5pBpkq2lqZqWq
phpfsb
phpvhw
P~i'$<V).Q
~P~M~A~2%~2
p~pkp2qp
premium-server@thawte.com0
Process32First
Process32Next
pSp8pCp2$p
pt2phpep`p
py2pip[p
pZ~cr~
> ><>_>q>~>
q22232.32222
:q#"3:
qHq2Qq5qBq%q
{Qizjej,n
q$j1jX" 
qKqGqS"qOq$
#|q|o|U#
>"q*q&C
q.q.q.
qsf|,b
QshqUEOdqdjhuC
QshqUhuylfhC
qtq2}qqqnq
qtqhqe2q
QueryPerformanceCounter
:qW222
; ;';R;
R.]:+,
$r015Z
r)11b:
r11b1I
~"[ .:`R21
 R21o"5
&R22 !
"r22r:i
_R24R2
r[2_A=
>R2"b:v
,R2WW*
R2XR2j
"-R3^:
R3,2>2X
--R3;9r2
r3N:f 22
*<r3R!
"r3xm3
r.5,}.1
ra/22R5
r+*b:.
r"]bc1
R.b:lO3
:_R";c
r`"cb:
.rdata
rdN-13R-5
>.>@>R>d>v>
/r,"}E:
 READY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer
RegCloseKey
RegCreateKeyA
RegisterServiceCtrlHandlerA
RegOpenKeyExA
RegSetValueExA
@.reloc
Resource
 Resource  1
ResumeThread
rf>f0f
-^rj"3
-rn12r<}-r3t"
ro&-):
_R{oR-J2u
Rq82qBq(q2
rq[q_rq
]"}rR1.3
r-sxr3
Rt15"":&
RtlUnwind
- rundll32.exe
rundll32.exe 
rVy2dwd|didp2dmd
:rW232:~l
/:]rw5
:*RwH 
r.w.r2"2!
rX$:.32
rX":u 2
rXV}1Ybr
ryR2\sy7R2[s
R:.zT2
_s.]_*-
s.].#.]
S1122c5/
S121b1
S,]/22
s{2@22Vn
;.S22VX3re-
s/2;b2
s2|o|[|W|c2|_|
].S3^.
!S3;[3
"S3;[3-
,-S3;Dr/\
#s-3e3f
"S3;fB,
,.s3R32
^S3/rgB
S3^.z:J
Sab"c1
Saturday
-#s!~c
select
:selfdelete
September
ServerDll.dll
SetFileTime
SetHandleCount
SetLastError
SetServiceStatus
SetUnhandledExceptionFilter
SHELL32.dll
SHLWAPI.dll
SizeofResource
=-}s=-Jb:RsC-
SL(p/$
so6}r3
socket
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\Policies\explorer
sprintf
./sr2c
^SSSSS
StartServiceA
STRING
StrStrIA
Sunday
sV2t2	
S|:W3s
s+,w<,S3;
`,";,T
t22^}(
T".225rI
T2x&)n
t32r2Z!
t:=36C3p$3
|tBdn"|
TC TrustCenter1
(TC TrustCenter Authenticode Timestamp II0
TC TrustCenter Class 2-II L1 CA1+0)
"TC TrustCenter Class 2-II L1 CA IV
"TC TrustCenter Class 2-II L1 CA IV0
TC TrustCenter GmbH1(0&
TerminateProcess
TerminateThread
Thawte Code Signing CA - G2
Thawte Code Signing CA - G20
Thawte Consulting cc1(0&
thawte, Inc.1(0&
Thawte, Inc.1$0"
Thawte Premium Server CA1(0&
thawte Primary Root CA0
t hh}@
!This program cannot be run in DOS mode.
ThjEorvhMhb
ThjEuhdwhMhbC
ThjFhohwhMhbC
ThjlvwhuUhuylfhEwuoJdqgohuC
ThjQshqMhbGaC
ThjUhwXdoxhGaC
Thursday
	Timestamp110/
< tK<	tG
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
t"SS9] u
}t,Sz8
t$<"u	3
Tuesday
;t$,v-
.:T	X,
:T;Z;`;f;l;r;y;
U;$0r^b.
u23"n:
-:U822
(:uBp2
:ubWR9)
U]gc"/
UhwUhuylfhUwdwxv
UnhandledExceptionFilter
!Uo\`oV
UQPXY]Y[
URPQQh
URPQQh@I
USER32.dll
:\Users\Public\
uTVWhe8@
UwduwUhuylfhC
--v]--#
:v-225
V232]b
V?3":`2
:vb..;
Vbs3`l3b/l3\Z3^b
VeriSignMPKI-2-100
v!,":,H2
VirtualAlloc
VirtualAllocEx
VirtualFreeEx
Vm-^r-.
Vn-rxrp
Vor W2
"vr"22
VR32"b
vsulqwi
W22~5Q
W>2-":c1
w<2^m+"W
W>2-*rc1
W,":2u522
W&3-M--;
\W3/nb
W6:wD211
WallPaper
WallPaper\
wallpaper.dll
WB:^J1T1
Wb`S22
W:c:a"3
Wednesday
Western Cape1
"W&g:2
WideCharToMultiByte
WinExec
"WJc],
WN:2W121
-|.wn5
WN{_NR
Wr.2RV
WriteFile
WriteProcessMemory
ws2_32.dll
WSACleanup
WSAStartup
[^Wsb2
WsgdwhThvrxufhC
W::us2r
w:wF11
X..:/>
:X)121
X./2,:
x2-B23
x2:$d32
X2|,!<i
X2#>j:u
X.2SX3"
X#3rs2
X"b2k:
;X;d;s;x;
XK9)2&m
x#mYgCdZ!
x[n)V*
XrO2\W
%x.tmp
XV22.22
}x}w2}i}f}X}
xw33b.
xy225R2
XZ/2g2
:*y113r}
y+11e"
Y1k2o&
Y.2-222
y2225Y
-/y22"]:P7S
|y|2a|
ya_2	22
y/Ar2r
YCG;Qs
Y;=h#C
y"-J22
YlqGahf
>:YR2k
YRichB
-;YR.o
YRzb]:
Y_.S3^.
YSkm s
{z22-yl
z.22Z:
z2-]:B
z2Uo\2`oV}|
z:&E01
.ZNB21H1
.zy1_c