Analysis Date: 2014-04-07 12:26:03
MD5: 40d979cca918abe0d83527d3925656b4
SHA1: 1797059839002239d2f279b907a58967e7666c79

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE   md5: d6921e72e99045ca76aeb41c5a8f6e16 sha1: 3e4bf0e60d1b183a9ce94c53eb8deaafc04e4d06 size: 16384
Section .rdata md5: 5f9380f14b977bd530f8df47b3ad0e86 sha1: d6dbfac37eb661c3b8e6263ef1c15458f3718f87 size: 4096
Section .data  md5: 0b47010786c13c4ab16142efd0a245cc sha1: 652b7a608930c619b78bdb9df2c1eb1a8c6957ee size: 167936
Section .rsrc  md5: 77c548e9486c5a0d35091102091a5e7c sha1: 706e2ac107e1f43b6cb7f690bb338f0a1af30b9b size: 4096
Timestamp: 2010-05-14 05:47:08
Version: LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: MSBuild.exe
FileVersion: 2.0.50727.42 built by: RTM
CompanyName: Microsoft Corporation
PrivateBuild: DDBLD587
Comments: Flavor=Retail
ProductName: Microsoft® .NET Framework
ProductVersion: 2.0.50727.42
FileDescription: MSBuild.exe
OriginalFilename: MSBuild.exe
PEhash: f5ffcc4d3ae7d88029f23a3059476d90aa367786
IMPhash: dd5abac045c33773902efb2ea4417adc
AV avira: BDS/Backdoor.Gen3
AV avg: BackDoor.Generic15.XLL.dropper
AV mcafee: BackDoor-EQO.gen

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\seRviCes\hidserv\module ➝ C:\malware.exe\\x00
Registry HKEY_LOCAL_MACHINE\soFTwARE\smmyboquju\DependOnService ➝ NULL
Registry HKEY_LOCAL_MACHINE\soFTwARE\smmyboquj\servicemaiN ➝ GetEffectiveClientRect\\x00
Creates File C:\WINDOWS\system32\f5859b27.rdb
Creates File c:\Documents and Settings\Administrator\Local Settings\temp\cujndjulmy.log
Creates File smmyboquj
Deletes File smmyboquj
Starts Service HidServ

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File \Device\Afd\Endpoint

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File PhysicalDrive0
Creates File knqxsfeevr
Creates File C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File \Device\Afd\Endpoint
Deletes File knqxsfeevr
Deletes File C:\malware.exe
Creates Mutex eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18
Creates Mutex Global\b85042109_8088j

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File WMIDataDevice

Process
↳ Pid 1844

Process
↳ Pid 1136

Network Details:

DNS ywxx.gnway.net  Type: A  189.163.17.5
DNS qup.qh-lb.com  Type: A  101.226.11.126
DNS qup.qh-lb.com  Type: A  101.226.11.129
DNS qup.qh-lb.com  Type: A  101.226.11.129
DNS qup.qh-lb.com  Type: A  101.226.11.126
DNS d1z9e7acialubj.cloudfront.net  Type: A  54.230.196.71
DNS d1z9e7acialubj.cloudfront.net  Type: A  54.239.164.252
DNS d1z9e7acialubj.cloudfront.net  Type: A  54.230.198.103
DNS d1z9e7acialubj.cloudfront.net  Type: A  54.230.198.227
DNS d1z9e7acialubj.cloudfront.net  Type: A  54.239.164.237
DNS d1z9e7acialubj.cloudfront.net  Type: A  54.230.196.133
DNS d1z9e7acialubj.cloudfront.net  Type: A  54.239.164.70
DNS d1z9e7acialubj.cloudfront.net  Type: A  54.230.197.195
DNS sdup.qh-lb.com  Type: A  119.188.70.20
DNS sdup.qh-lb.com  Type: A  119.188.70.21
DNS d1q7jy3ylnh6sp.cloudfront.net  Type: A  54.230.199.173
DNS d1q7jy3ylnh6sp.cloudfront.net  Type: A  54.230.198.247
DNS d1q7jy3ylnh6sp.cloudfront.net  Type: A  54.239.164.217
DNS d1q7jy3ylnh6sp.cloudfront.net  Type: A  54.230.199.62
DNS d1q7jy3ylnh6sp.cloudfront.net  Type: A  54.239.164.81
DNS d1q7jy3ylnh6sp.cloudfront.net  Type: A  54.230.198.97
DNS d1q7jy3ylnh6sp.cloudfront.net  Type: A  54.230.197.36
DNS d1q7jy3ylnh6sp.cloudfront.net  Type: A  54.230.199.215
DNS qd-b.code.qihoo.com  Type: A  218.30.118.9
DNS qd-b.code.qihoo.com  Type: A  218.30.118.9
DNS g3-b.stat.360safe.com  Type: A  106.120.168.104
DNS g3-b.stat.360safe.com  Type: A  106.120.168.105
DNS g3-b.stat.360safe.com  Type: A  106.120.168.106
DNS g3-b.stat.360safe.com  Type: A  106.120.168.103
DNS locini.gslb.360safe.com  Type: A  220.181.158.122
DNS locini.gslb.360safe.com  Type: A  101.226.161.214
DNS locini.gslb.360safe.com  Type: A  220.181.158.139
DNS locini.gslb.360safe.com  Type: A  220.181.150.219
DNS locini.gslb.360safe.com  Type: A  220.181.158.119
DNS locini.gslb.360safe.com  Type: A  220.181.158.121
DNS tr-b.p.360.cn  Type: A  180.153.227.171
DNS tr-b.p.360.cn  Type: A  180.153.227.64
DNS tr-b.p.360.cn  Type: A  61.160.224.14
DNS tr-b.p.360.cn  Type: A  61.160.224.11
DNS tr-b.p.360.cn  Type: A  61.160.224.12
DNS tr-b.p.360.cn  Type: A  61.160.224.13
DNS tr-b.p.360.cn  Type: A  180.153.227.61
DNS tr-b.p.360.cn  Type: A  180.153.227.168
DNS updateh-b.360safe.com  Type: A  58.68.236.241
DNS www-b.360.cn  Type: A  220.181.24.100
DNS g2-b.stat.360safe.com  Type: A  106.120.168.104
DNS g2-b.stat.360safe.com  Type: A  106.120.168.105
DNS g2-b.stat.360safe.com  Type: A  106.120.168.106
DNS g2-b.stat.360safe.com  Type: A  106.120.168.103
DNS dl.qhcdn.com  Type: A  218.76.198.142
DNS dl.qhcdn.com  Type: A  218.76.198.146
DNS dl.qhcdn.com  Type: A  218.76.198.146
DNS dl.qhcdn.com  Type: A  218.76.198.142
DNS dl.qh-lb.com  Type: A  220.181.156.73
DNS dl.qh-lb.com  Type: A  183.60.211.43
DNS www-b.360.cn  Type: A  220.181.24.100
DNS www.360safe.com  Type: A  54.251.107.25
DNS softm-b.update.360safe.com  Type: A  220.181.141.35
DNS softm-b.update.360safe.com  Type: A  220.181.141.37
DNS softm-b.update.360safe.com  Type: A  180.153.230.28
DNS softm-b.update.360safe.com  Type: A  180.153.230.27
DNS softm-b.update.360safe.com  Type: A  220.181.158.159
DNS softm-b.update.360safe.com  Type: A  220.181.158.158
DNS softm-b.update.360safe.com  Type: A  220.181.141.34
DNS softm-b.update.360safe.com  Type: A  220.181.141.36
DNS softm-s.update.360safe.com  Type: A  123.125.80.93
DNS softm-s.update.360safe.com  Type: A  123.125.80.92
DNS antispy.db.kingsoft.com  Type: A  219.232.254.22
DNS bo.duba.net  Type: A  119.147.146.155
DNS www.beike.cn  Type: A  114.112.68.174
DNS www.duba.net  Type: A  114.112.68.197
DNS ifr.duba.net  Type: A  127.0.0.1
DNS rdr.kingsoft.com  Type: A  125.39.136.78
DNS rdr.kingsoft.com  Type: A  219.239.93.145
DNS f-signs.duba.net  Type: A  121.14.11.28
DNS f-signs.duba.net  Type: A  121.14.11.167
DNS api.pc120.com  Type: A  119.147.146.126
DNS 08911.xdwscache.glb0.lxdns.com  Type: A  209.170.78.108
DNS 08911.xdwscache.glb0.lxdns.com  Type: A  122.224.7.33
DNS 08911.xdwscache.glb0.lxdns.com  Type: A  61.188.191.96
DNS 08911.xdwscache.glb0.lxdns.com  Type: A  183.61.140.199
DNS 08911.xdwscache.glb0.lxdns.com  Type: A  61.154.102.212
DNS 08911.xdwscache.glb0.lxdns.com  Type: A  218.92.220.64
DNS 08911.xdwscache.glb0.lxdns.com  Type: A  222.216.188.89
DNS 08911.xdwscache.glb0.lxdns.com  Type: A  209.170.78.118
DNS 08911.xdwscache.glb0.lxdns.com  Type: A  218.92.220.66
DNS 08911.xdwscache.glb0.lxdns.com  Type: A  218.92.220.65
DNS yd.ecoma.glb0.lxdns.com  Type: A  218.92.220.66
DNS yd.ecoma.glb0.lxdns.com  Type: A  218.92.220.65
DNS yd.ecoma.glb0.lxdns.com  Type: A  122.227.101.151
DNS yd.ecoma.glb0.lxdns.com  Type: A  222.216.188.89
DNS yd.ecoma.glb0.lxdns.com  Type: A  183.61.140.199
DNS yd.ecoma.glb0.lxdns.com  Type: A  218.92.220.64
DNS yd.ecoma.glb0.lxdns.com  Type: A  61.188.191.96
DNS yd.ecoma.glb0.lxdns.com  Type: A  122.227.101.169
DNS yd.ecoma.glb0.lxdns.com  Type: A  122.224.7.33
DNS yd.ecoma.glb0.lxdns.com  Type: A  122.227.101.170
DNS yd.ecoma.glb0.lxdns.com  Type: A  61.154.102.212
DNS z.rising.com.cn  Type: A  211.103.159.73
DNS z.rising.com.cn  Type: A  211.103.159.74
DNS z.rising.com.cn  Type: A  211.103.159.81
DNS z.rising.com.cn  Type: A  211.103.159.75
DNS z.rising.com.cn  Type: A  211.103.159.77
DNS z.rising.com.cn  Type: A  211.103.159.80
DNS z.rising.com.cn  Type: A  211.103.159.79
DNS z.rising.com.cn  Type: A  211.103.159.82
DNS z.rising.com.cn  Type: A  211.103.159.83
DNS z.rising.com.cn  Type: A  211.103.159.78
DNS z.rising.com.cn  Type: A  211.103.159.76
DNS xnop005.tlgslb.com  Type: A  125.78.248.93
DNS xnop005.tlgslb.com  Type: A  183.166.167.134
DNS xnop005.tlgslb.com  Type: A  61.136.166.230
DNS xnop005.tlgslb.com  Type: A  61.136.166.231
DNS xnop005.tlgslb.com  Type: A  125.78.248.21
DNS xnop005.tlgslb.com  Type: A  125.78.248.22
DNS m.rising.com.cn  Type: A  211.103.159.170
DNS m.rising.com.cn  Type: A  211.103.159.168
DNS m.rising.com.cn  Type: A  211.103.159.155
DNS m.rising.com.cn  Type: A  211.103.159.169
DNS m.rising.com.cn  Type: A  211.103.159.151
DNS m.rising.com.cn  Type: A  211.103.159.163
DNS m.rising.com.cn  Type: A  211.103.159.159
DNS m.rising.com.cn  Type: A  211.103.159.158
DNS m.rising.com.cn  Type: A  211.103.159.166
DNS m.rising.com.cn  Type: A  211.103.159.154
DNS m.rising.com.cn  Type: A  211.103.159.157
DNS m.rising.com.cn  Type: A  211.103.159.160
DNS m.rising.com.cn  Type: A  211.103.159.164
DNS m.rising.com.cn  Type: A  211.103.159.165
DNS m.rising.com.cn  Type: A  211.103.159.162
DNS m.rising.com.cn  Type: A  211.103.159.167
DNS m.rising.com.cn  Type: A  211.103.159.161
DNS m.rising.com.cn  Type: A  211.103.159.86
DNS m.rising.com.cn  Type: A  211.103.159.153
DNS m.rising.com.cn  Type: A  211.103.159.152
DNS reportq.rising.com.cn  Type: A  211.103.159.107
DNS reportq.rising.com.cn  Type: A  211.103.159.101
DNS reportq.rising.com.cn  Type: A  211.103.159.109
DNS reportq.rising.com.cn  Type: A  211.103.159.100
DNS reportq.rising.com.cn  Type: A  211.103.159.97
DNS xnop005.tlgslb.com  Type: A  183.166.167.134
DNS xnop005.tlgslb.com  Type: A  61.136.166.230
DNS xnop005.tlgslb.com  Type: A  61.136.166.231
DNS xnop005.tlgslb.com  Type: A  125.78.248.21
DNS xnop005.tlgslb.com  Type: A  125.78.248.22
DNS xnop005.tlgslb.com  Type: A  125.78.248.93
DNS xnop007.tlgslb.com  Type: A  122.228.251.154
DNS xnop007.tlgslb.com  Type: A  122.228.251.155
DNS support.eset.com.cn  Type: A  42.120.44.60
DNS a2047.x.akamai.net  Type: A  62.253.3.211
DNS a2047.x.akamai.net  Type: A  62.253.3.152
DNS a2047.x.akamai.net  Type: A  62.253.3.200
DNS a2047.x.akamai.net  Type: A  62.253.3.209
DNS a2047.x.akamai.net  Type: A  62.253.3.160
DNS a2047.x.akamai.net  Type: A  62.253.3.161
DNS a2047.x.akamai.net  Type: A  62.253.3.171
DNS a2047.x.akamai.net  Type: A  62.253.3.176
DNS a2047.x.akamai.net  Type: A  62.253.3.155
DNS guru.avg.com  Type: A  212.96.161.234
DNS gtm-tnt.avg.com  Type: A  173.245.115.70
DNS gtm-self.avg.com  Type: A  212.96.161.253
DNS gtm-hkg.avg.com  Type: A  110.232.176.30
DNS mmi.explabs.net  Type: A  204.193.144.11
DNS a568.d.akamai.net  Type: A  62.253.3.200
DNS a568.d.akamai.net  Type: A  62.253.3.185
DNS a568.d.akamai.net  Type: A  62.253.3.186
DNS a568.d.akamai.net  Type: A  62.253.3.217
DNS a568.d.akamai.net  Type: A  62.253.3.152
DNS a568.d.akamai.net  Type: A  62.253.3.171
DNS dnl-01.geo.kaspersky.com  Type: A  195.122.169.18
DNS rsup1.rising.com.cn  Type: A  219.238.233.223
DNS download005.dbu.cncssr.chinacache.net  Type: A  218.29.229.210
DNS download005.dbu.cncssr.chinacache.net  Type: A  60.5.240.74
DNS download005.dbu.cncssr.chinacache.net  Type: A  218.61.9.18
DNS download005.dbu.cncssr.chinacache.net  Type: A  123.130.123.46
DNS rdr.kingsoft.com  Type: A  219.239.93.145
DNS rdr.kingsoft.com  Type: A  125.39.136.78
DNS prd.geo.kaspersky.com  Type: A  195.122.169.15
DNS prd.geo.kaspersky.com  Type: A  195.122.169.18
DNS prd.geo.kaspersky.com  Type: A  212.73.221.199
DNS prd.geo.kaspersky.com  Type: A  80.239.174.44
DNS prd.geo.kaspersky.com  Type: A  212.73.221.202
DNS 08update1.jiangmin.com  Type: A  60.212.17.9
DNS expire.eset.com  Type: A  91.228.167.125
DNS dnl-02.geo.kaspersky.com  Type: A  212.73.221.199
DNS download005.dbu.cncssr.chinacache.net  Type: A  60.5.240.74
DNS download005.dbu.cncssr.chinacache.net  Type: A  218.61.9.18
DNS download005.dbu.cncssr.chinacache.net  Type: A  123.130.123.46
DNS download005.dbu.cncssr.chinacache.net  Type: A  218.29.229.210
DNS rdr.kingsoft.com  Type: A  125.39.136.78
DNS rdr.kingsoft.com  Type: A  219.239.93.145
DNS prd.geo.kaspersky.com  Type: A  195.122.169.18
DNS prd.geo.kaspersky.com  Type: A  212.73.221.199
DNS prd.geo.kaspersky.com  Type: A  80.239.174.44
DNS prd.geo.kaspersky.com  Type: A  212.73.221.202
DNS prd.geo.kaspersky.com  Type: A  195.122.169.15
DNS update2.jiangmin.com  Type: A  60.212.17.9
DNS 08update1.jiangmin.com  Type: A  60.212.17.9
DNS expire.eset.com  Type: A  91.228.167.125
DNS conf.f.360.cn  Type: A
DNS qup.f.360.cn  Type: A
DNS sdup.360.cn  Type: A
DNS sdupm.360.cn  Type: A
DNS qd.code.360.cn  Type: A
DNS qd.code.qihoo.com  Type: A
DNS stat.360safe.com  Type: A
DNS stat-s.360safe.com  Type: A
DNS update.360safe.com  Type: A
DNS update-s.360safe.com  Type: A
DNS tr.p.360.cn  Type: A
DNS updateh.360safe.com  Type: A
DNS w.360.cn  Type: A
DNS stat.sd.360.cn  Type: A
DNS sdl.360safe.com  Type: A
DNS dl.360safe.com  Type: A
DNS www.360.cn  Type: A
DNS softm.update.360safe.com  Type: A
DNS f-sq.beike.cn  Type: A
DNS vc01.beike.cn  Type: A
DNS push.www.duba.net  Type: A
DNS vi.pc120.com  Type: A
DNS hd.duba.net  Type: A
DNS www.rising.com.cn  Type: A
DNS rsdownload.rising.com.cn  Type: A
DNS msginfo.rising.com.cn  Type: A
DNS rsdownauto.rising.com.cn  Type: A
DNS kaspersky.fastcdn.com  Type: A
DNS update.nai.com  Type: A
DNS gtm-nyc.avg.com  Type: A
DNS liveupdate.symantecliveupdate.com  Type: A
DNS ll002.avast.com  Type: A
DNS cu001.www.duba.net  Type: A
DNS cs1.duba.net  Type: A
DNS downloads1.kaspersky-labs.com  Type: A
DNS update1.jiangmin.com  Type: A
DNS exp01.eset.com  Type: A
DNS u1.eset.com.cn  Type: A
DNS rsup2.rising.com.cn  Type: A
DNS cu002.www.duba.net  Type: A
DNS cs2.duba.net  Type: A
DNS downloads2.kaspersky-labs.com  Type: A
DNS 08update2.jiangmin.com  Type: A
DNS exp02.eset.com  Type: A
DNS u2.eset.com.cn  Type: A
Flows TCP 192.168.1.1:1032 ➝ 189.163.17.5:8088

Raw Pcap
0x00000000 (00000)   63623173 743a02                       cb1st:.


Strings
\
U
\
U
.6
.

040904B0
2.0.50727.42
2.0.50727.42 built by: RTM
Comments
CompanyName
DDBLD587
FileDescription
FileVersion
Flavor=Retail
InternalName
LegalCopyright
Microsoft Corporation
© Microsoft Corporation.  All rights reserved.
Microsoft® .NET Framework
MSBuild.exe
MSBuild.exe      
OriginalFilename
PrivateBuild
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
````/	
````$	
-.-,+*
""# _^
)=>=<;:
)*)('&
*<;%(/:
))%%05
0GC}|{z5<
19)c/$'IHGF"0.o/9
??1type_info@@UAE@XZ
2"";!9
<;& +&2,+-Bd3
??2@YAPAXI@Z
\2Z7X3V:T$R"PoN
3;3;/2y;?36?SR8>,!?>.)=h#'1%c!)%
35)642
3;:=7%06$"'!0&8?!n,>9+07%)0*'1>%
'4555h
=4#'='+QPON
  #)(> ')5
5/3-/'&%
57,%99
'5 "9?!+c<)!IHGF
^5GGGGE&
6'!%& 
6("55)-*"5!=<<qpon$"?5&>"4#(,5a`
66?432
67*+()./,-2301674S"b(!g/$d
}^=6789
6!9~wnxOlw
]\&<6>=c}`) 'J
6I)GpK
`=6qg	
6SXMe~s
7@9nP%a
-;!8>):*>&!=<<-#
+>8$8,
8]pJ	Fiv#
?>=<;:9876543210/.-,+*)('&%$#"! _^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@
9)IF"$P$8**_!
9,<swIHGF
9uzy=q
_\'a```\
\'a```
a{|2|qaw-`ndn|o&jv#fhsK_S_^
_acmdln
AddAccessAllowedAce
AddAce
_adjust_fdiv
AdjustTokenPrivileges
ADVAPI32.dll
a`:<-F^JA }v6'I78 UK]X3PLX_>odcb$!
"+a``l4&
AllocateAndInitializeSid
alyx ]ba
aTR-;3(
"a``v.a``&
	a`'Wz
b}}aeq?
b``SSSSSS
b``SSSSSSSSSS'o|
b``SSSSSSSSSSS
b``SSSSSSSSSSSS
B{tkK*
Bu}xdon
c`````
C03]\[Zi`"&15'7t9a$$-%-$!)h&+.B40
ca``l4
ChangeServiceConfig2A
ChangeServiceConfigA
CharNextA
c``hD^|
CI_*N\J
CloseHandle
CloseServiceHandle
_controlfp
ControlService
CreateDirectoryA
CreateEventA
CreateFileA
CreateServiceA
c>R<K:\8Y6i4P2^0B.@,J*G(C&%$#"rY,*81[Z
c``SSS
c``SSSSSSSSSSSSSS
c````w
c````w%
C````X
__CxxFrameHandler
D-b~2]U
DeleteFileA
DeleteService
DF@uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu"
d\iDv9
d``SSSSS
d``SSSSSS
d``SSSSSS'
d``SSSSSS'Gx
d``SSSSSSSSSSSSSS
d``SSSSSSSSSSSSSS'
D$VI3#f
DwBI``
edcbO_
EqualSid
eqyyryq32x~yoaeoumatvjwjvho
e``SSS
e``SSSSSSSSSSSSSS
e``SSSSSSSSSSSSSSS
_except_handler3
ExitProcess
ExpandEnvironmentStringsA
,+*@FDIWVFAU
@&ffp!
fiPNE\WR^uBFXH	O*dG]OIHB
FlashWindow
FreeLibrary
FreeSid
f``SSSSSS
f``SSSSSSSSSSS
f``SSSSSSSSSSSSS
f``SSSSSSSSSSSSSS
F[UFFQ]KQAbi{gticp_Uhn[QJO
FW@[UY\E
/'_FX4*E\w\c\',"Dd:26ACZ4?V>RC
gb``l4
gb``m1hN
g|CEC~
]G^EEM
GetAce
GetAclInformation
GetActiveWindow
GetCommandLineA
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetFileAttributesA
GetFileSecurityA
GetFileTime
GetLastError
GetLengthSid
__getmainargs
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetShortPathNameA
GetStartupInfoA
GetSystemDirectoryA
GetTempPathA
GetTickCount
GM"VW(p/5(37?y5:9}1?PON%(e.<*&h+!7B 0
g``SSSSSS
G~Y?Vp
]H`8*OP
HFLFT7-}/>.YXWV<:%3=9+n>8$8,,g$)+ )a,
hHGF(75!34Q
HL_[M]
hnLK[ZRYP]YB
hrBA\FMLXBEG
hwg	wA '6 4>9`) 'JXI
I ,fYv
InitializeAcl
InitializeSecurityDescriptor
_initterm
InterlockedExchange
_ionvv
IsBadWritePtr
JAZTZX@2X^YOAEO
j`b~511
J`dhhd[ml!pnm
JII<w>N
jj\hgf
jlvb8g=!' |oki%ife
J}SswatBcyygailo	
juuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
!Jz(pC
"Ka``l4&
"Ka``l4X
KERNEL32.dll
|kFT3*
#/>?KJ
}Kng,B
````l4
lhswaq=ah}n`yihf`~bsu`bvd.\QP<;:TU^
L;J-H&F1D&Ba@,~
_l:;&l
{llnr+`on
LMKnK}
LoadLibraryA
LocalAlloc
LookupAccountNameA
LookupPrivilegeValueA
Lw b```
Lw f```
?lxl~{m
M4o4H6
MBA+*ZGARH
mEFEDCBA
memmove
memset
@ML _^,8u96<2xfbc|2>ON>(>:$ftpuj ,A@
mlkj%,
MMMuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
MOF[^Cs
MoveFileA
MSVCRT.dll
MZ29294
n878(okUTSR
[N;dkIL
'nL2>Aq~
NNOLKJ
no~ifjxya432y{jwr`dihdxkdgkkoe_^
nw~9wlOx\A
nwGea`i
nwgv``i
N[YHXN
````o	
````O	
O/+7HX
'ocNMXa
od``vJ
oe~fkid`-phsVPZ
oHC-1.3=.
Oh``vJP``'
ojxnhSw~x
*o(N&I$W"D -^]\[Z
onmlkjihgfedcba`
OpenProcessToken
OpenSCManagerA
OpenServiceA
o~u?47)9#?786{QPON3
ov'	a`'
ovG	a`
ovgma`'Wy
p0ouhsw
^>P<^:9876
P'9L9)Y&:
__p__commode
__p__fmode
pKpG)J
PLC^PR\
%Pn9s@
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
(}.Pq|
psQ}ntzp
pyF"~#
&&&$#"Q
qP.}F:
qpon1ST6ihgf5
[Q<?<SIF\
QSROJWF@CUAZRYXO[
\qsr~ymqxxfHcpzL}o~|cegm)vgo
QueryServiceConfigA
QueryServiceStatus
qUVUTSR
Qw};``
Qw8Ja`
Qwfg``
Qw"N``
QwOp``
QwZMa`
RaiseException
`.rdata
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryValueExA
RegRestoreKeyA
RegSaveKeyA
RegSetKeySecurity
RegSetValueExA
rnqy\hxzusg
|rosjhn8qv=yx~h}bj
rqponmlkjC}
RRUPON
`'RSSSh}
//////s/
/////s/
s1c5!;m
SA.HT[
seihh~+o{zht
s~eMjeT
__set_app_type
SetFileAttributesA
SetFileSecurityA
SetFileTime
SetSecurityDescriptorDacl
SetUnhandledExceptionFilter
__setusermatherr
SHCopyKeyA
SHDeleteKeyA
SHGetValueA
SHLWAPI.dll
s{=j~hjqxx
SleepEx
s///////s
s/////////s/
/////sss
///ss///s/
s////////ss
s/////////ss
s/////////ss/
s////////ss/
ss/////////s/
/ss//////ss
SSSSSS
SSSSSSSS
SSSSSSSSSS
SSSSSSSSSS`
\SSSSSSSSSSSSSS
\SSSSX
StartServiceA
_strlwr
T0fDejb	`pRP5432kyfYLG
t``'a```
T^b~XJB
_TCIQQ]]C]NBRC[O[IIB
!This program cannot be run in DOS mode.
tmdtCGFV\EfJ\^EDDu{QEMKPV! _^39/)/;$Vx?sR
tolower
tsr#5(1/%%+;1gf@IQV
Tw3D``
Tw3h``&
Tw,b``
Twi^``
Tw_k``
Tw$ua`
TX5432K
uhoj#78
UIwvim`cuiPP
$Ul{oliu
USER32.dll
utsrqponmlkj	agf
UT)ZVgpk$d
uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu"
uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu3MDEDG@uuuuuuuuuuuuuuuP499 &0'&%':3<90P)4
)uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuDEE@DGuu)
v7f``SSSSSSSSSSSSSS
v7g``SSSSSSSSSSSSSS
@V8p>36Z>,:{&1?4
VaPjtt[QJRkHPN^ZPSV2
vbd``SSS
v*b``SSSSSSSSSSS
v:c``SSSSSSSSSSS
v?d``SSSSSS
v/d``SSSSSS'
vJb``SSSSSSSSSSS
vjf``SSSSSSSSSSS'
vkevl-L
*`v""m
V`m1hN
vog``SSSSSS'
vpbv/3	
?v'P``''u
=VQ]TY>!:: [> :
VREA+;somj*913{7<?QPON:;<dz~w5$"&l"/
vWc``SSSSSSSSSSSSSS
vwd``SSSSSSSSSSSSSS
vWg``SSSSSSSSSSSSSS
vwIwa`
vzc``SSSSSSSSSSS
vZd``SSSSSSSSSSS'
w1S``t
WA$4]B,
WA$4]B?
WaitForSingleObject
````wb
````wc
w|c``t
\we```
WEB}hx?;
````wi
wJ5``t
 {:w'K
````wN
wpeTFk|
Wqrqponm
WriteFile
WS2_32.dll
wsprintfA
````wV
WwdY``t
````wY
````x_
[X[5432@T
X`b~5ZT
_XcptFilter
X|sdpg`210I|lan*)('&IkdkbaS
X{wg}u
xylaab] JO
xZNXdz_VF\A^V[rcI_]FZLzfKMLDC+722(
yd-$+F
YI>!::KI"
YJJ]I_EU~ug{`}wdSYdboe~{'HQX@wsrZPIj^HJQXXicZ\]_HAC,+*bMBVwepaNN1;>(257+WVdTSR?$+"!LKJ
y~MS*Sf
)Yp/;<
YV_^BV.IM_K	MUTJV#"RT-;<1{?+*8$UTSR79#+m)98&:GF601' -_
]^!yYZYXWV
{Z1'bA
:z8V6E4G2D0].H,
"Ze``l4
ZmuplgfFml?>alZHXURBPF@2bDN\Y,+*zqtr`i
zYQA_W;0/.'oJFE
~}|{zyxwvutsrqponmlkjihgfedcba`
~}|{zyxwvutsrqpONMLKJIHGFEDCBA@_^]\[ZYXWVUTSRQP/.-,+*)('&%$#"! ?>=<;:9876543210
zzzxwv