Analysis Date: 2015-07-25 07:36:16
MD5: 624ebb5416da14b99daf3a9bd67c87f0
SHA1: 3807bbc4df88f0d60aefbec5cd5e845ce3353653

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5 f822eef1e327646d3e17be761b7161d0, sha1 28f076c53a1813fdbcedcc6caf2ef36d6257253b, size 94208
Section UPX1: md5 29dbf136666cdb2a1640869ff620c685, sha1 93767725abed849f1336ed5c2a37f2fe3f5c538c, size 114176
Section .rsrc: md5 43549e4b49968c36c95e67281df2f7cd, sha1 0ed08ac03000349b81cf53731b8c087b313e2126, size 3072
Timestamp: 2010-07-14 21:49:33
Version resource:
  LegalCopyright: (C)360.cn Inc.All Rights Reserved.
  InternalName: 360sdUpd
  FileVersion: 1, 2, 0, 2023
  CompanyName: 360.cn
  PrivateBuild: (empty)
  LegalTrademarks: (empty)
  Comments: (empty)
  ProductName: 360杀毒 (360 Antivirus)
  SpecialBuild: (empty)
  ProductVersion: 1, 2, 0, 2023
  FileDescription: 360杀毒升级程序 (360 Antivirus updater)
  OriginalFilename: 360sdUpd.EXE
Packer/compiler signature: Microsoft Visual C++ v6.0
PEhash: 877a3b8be2dfcaf3bac9e0538674e136d31c3f2a
IMPhash: 8175c64c8fc743f8bf36097b64640918

Notes: the section names UPX0/UPX1 show that the file is UPX-packed, so the "Microsoft Visual C++ v6.0" signature describes the compiler of the code inside the packer, not the packer itself (McAfee's PolyPatch-UPX verdict below refers to the same UPX layer). The version resource is a copy of Qihoo 360's own updater metadata (360sdUpd.EXE, "360 Antivirus updater", copyright 360.cn); the report lists no Authenticode signature and the AV verdicts classify the file as a trojan dropper, so the resource is impersonation, not provenance. An imphash taken from a UPX-packed file reflects the UPX stub's small import table rather than the payload's, so this IMPhash will collide with unrelated UPX-packed samples; compare it only against other packed samples, or recompute it after unpacking.
AV verdicts (24 of 31 engines detect):
  Rising: no_virus
  McAfee: PolyPatch-UPX
  Avira (antivir): TR/Hijacker.Gen
  Twister: Trojan.E1309D9BDFA6BCD2
  Ad-Aware: Gen:Variant.Graftor.28034
  Alwil (avast): Zegost-D [Drp]:Zegost-E [Drp]
  Eset (nod32): Win32/Redosdru.GL
  Grisoft (avg): PSW.Generic8.UEH
  Symantec: no_virus
  Fortinet: W32/Bjlog.LBY!tr.pws
  BitDefender: Gen:Variant.Graftor.28034
  K7: Trojan ( 00386dc51 )
  Microsoft Security Essentials: TrojanDropper:Win32/Zegost.B
  MicroWorld (escan): Gen:Variant.Graftor.28034
  MalwareBytes: no_virus
  Authentium: W32/Zegost.F.gen!Eldorado
  Frisk (f-prot): W32/Zegost.F.gen!Eldorado
  Ikarus: Trojan-PWS.Win32.Bjlog
  Emsisoft: Gen:Variant.Graftor.28034
  Zillya!: Trojan.Redosdru.Win32.2854
  Kaspersky: Trojan-PSW.Win32.Bjlog.dtfz
  Trend Micro: TROJ_ZEGOST.SME
  CAT (quickheal): no_virus
  VirusBlokAda (vba32): TrojanPSW.Bjlog
  Padvish: no_virus
  BullGuard: Gen:Variant.Graftor.28034
  Arcabit (arcavir): Gen:Variant.Graftor.28034
  CA (E-Trust Ino): no_virus
  ClamAV: no_virus
  Dr. Web: Trojan.Ludo.27
  F-Secure: Gen:Variant.Graftor.28034

Family names cluster on Zegost (Avast, Microsoft, Authentium, F-Prot, Trend Micro), Redosdru (ESET, Zillya) and Bjlog (Fortinet, Ikarus, Kaspersky, VBA32), with the generic Graftor name shared by the products built on the BitDefender engine. The TrojanDropper and Trojan-PSW/PWS prefixes agree that this is a dropper with password-stealing capability, which the imports listed under Strings bear out.

Runtime Details:

Process: C:\malware.exe
  Registry: HKEY_LOCAL_MACHINE\sOFtwaRe\ssmdekvkti\DependOnService ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\sOFtwaRe\ssmdekvkt\seRVicemAIN ➝ npgETrESOURCEpARENT\x00
  Creates File: c:\Documents and Settings\Administrator\Local Settings\temp\ddwgmsgwxi.dat
  Creates File: ssmdekvkt
  Creates File: c:\oxbmwwovkw
  Creates File: C:\WINDOWS\system32\f5859b27.rdb
  Creates Process
  Starts Service: HidServ

  Notes: the registry path and value names are case-scrambled (sOFtwaRe, seRVicemAIN). Windows registry paths and value names are case-insensitive, so this costs the malware nothing, but it defeats case-sensitive string signatures written against the canonical spelling. With the case restored, the write is ServiceMain = "NPGetResourceParent": DependOnService and ServiceMain are service-configuration value names, and the ServiceMain data names the export svchost.exe should call, here disguised as a Network Provider API function (the Strings section lists the whole NP* export set in the same inverted case). The same random token, ssmdekvkt, is used both as the registry key and as a dropped file name. HidServ (Human Interface Device Access) is a service hosted by "svchost.exe -k netsvcs" on Windows XP, the sandbox OS here (note the Documents and Settings profile path); dropping f5859b27.rdb into System32, writing service-configuration values and then starting HidServ is the sequence one expects from a payload installed as a svchost service DLL. The report does not show a ServiceDll path, so which of the dropped files is actually loaded is not established on this page.

Process: Pid 848 (no activity recorded)

Process: C:\WINDOWS\system32\svchost.exe
  Creates File: PIPE\lsarpc
  Creates File: \Device\Afd\Endpoint
  (LSA RPC named pipe and a Winsock endpoint; both are also routine svchost activity and are not attributable to the sample on their own.)

Process: Pid 804 (no activity recorded)

Process: Pid 852 (no activity recorded)

Process: C:\WINDOWS\System32\svchost.exe
  Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
  Creates File: PhysicalDrive0
  Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
  Creates File: \Device\Afd\Endpoint
  Creates File: sujyclntph
  Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
  Deletes File: sujyclntph
  Deletes File: C:\malware.exe
  Creates Mutex: eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18

  Notes: the WBEM repository and log activity belongs to WinMgmt, which on Windows XP runs inside the netsvcs svchost instance. It is this instance, not the dropper, that deletes C:\malware.exe, creates and removes the temporary file sujyclntph, opens the raw disk device (PhysicalDrive0) and creates a GUID-named mutex (the report renders it with the LocalSystem SID S-1-5-18 appended). That is the behaviour expected once the payload is running as a service DLL inside the host process: the original dropper is removed and the implant continues from svchost.exe under LocalSystem.

Process: Pid 1212 (no activity recorded)

Process: C:\WINDOWS\system32\spoolsv.exe
  Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
  Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\x00
  (Print-spooler housekeeping reads; nothing here is attributable to the sample from the report alone.)

Process: Pid 1868 (no activity recorded)

Process: Pid 1168 (no activity recorded)
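The registry write of a ServiceMain value, the strings naming the svchost group key and the Services\...\Parameters path, and the start of HidServ together describe svchost service-DLL persistence: "svchost.exe -k <group>" loads, for every service listed under that group, the DLL named by Parameters\ServiceDll and calls the export named by Parameters\ServiceMain (default: ServiceMain). The check below is an added example, not code from the report or from the sample: it enumerates services and flags svchost-hosted ones whose group membership, DLL location, DLL extension or entry-point export is off. The System32 path, the group table and the sample records are assumptions made for illustration; in particular the HidServ and ssmdekvkt records are hypothetical reconstructions built from file and registry names on this page, since the report never shows a ServiceDll value.

```python
"""Triage svchost-hosted services for a planted ServiceDll or entry point.
Added example; the sample data and whitelists are assumptions, not report facts."""
try:
    import winreg  # Windows only; assess_service itself is pure Python
except ImportError:
    winreg = None

SERVICES_KEY = "SYSTEM\\CurrentControlSet\\Services"
SVCHOST_GROUPS_KEY = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"
SYSTEM32 = "c:\\windows\\system32\\"  # assumption: default install location


def _norm(path):
    """Lower-case and expand %SystemRoot%: registry paths and NTFS names are
    case-insensitive, which is exactly what the sample's case scrambling relies on."""
    return (path or "").lower().replace("%systemroot%", "c:\\windows")


def assess_service(name, image_path, service_dll, service_main, groups):
    """Return a list of findings for one service. `groups` maps svchost group
    name -> member service names (the contents of the Svchost key). Services
    that are not hosted by svchost.exe are out of scope and yield no findings."""
    findings = []
    ip = _norm(image_path)
    if "svchost.exe" not in ip or " -k " not in ip:
        return findings
    group = ip.split(" -k ", 1)[1].split()[0]
    members = {g.lower(): [m.lower() for m in v] for g, v in groups.items()}
    if name.lower() not in members.get(group, []):
        findings.append("not a member of svchost group '%s'" % group)
    if not service_dll:
        findings.append("svchost-hosted but no Parameters\\ServiceDll")
        return findings
    dll = _norm(service_dll)
    if not dll.startswith(SYSTEM32):
        findings.append("ServiceDll outside System32: %s" % service_dll)
    if not dll.endswith(".dll"):
        findings.append("ServiceDll with non-DLL extension: %s" % service_dll)
    if service_main and service_main != "ServiceMain":
        findings.append("non-default ServiceMain export: %s" % service_main)
    return findings


def assess_all(services, groups):
    """services: iterable of (name, ImagePath, ServiceDll, ServiceMain)."""
    report = {}
    for name, image, dll, main in services:
        f = assess_service(name, image, dll, main, groups)
        if f:
            report[name] = f
    return report


# Constructed sample (assumptions): one genuine XP netsvcs member, two
# hypothetical entries modelled on the dropped file and registry names in the
# report, and one service that is not svchost-hosted.
SVCHOST = "%SystemRoot%\\System32\\svchost.exe -k netsvcs"
SAMPLE_GROUPS = {"netsvcs": ["HidServ", "Themes", "winmgmt"]}
SAMPLE_SERVICES = [
    ("Themes", SVCHOST, "%SystemRoot%\\System32\\shsvcs.dll", None),
    ("HidServ", SVCHOST, "C:\\WINDOWS\\system32\\f5859b27.rdb", "npgETrESOURCEpARENT"),
    ("ssmdekvkt", SVCHOST, "c:\\oxbmwwovkw", "npgETrESOURCEpARENT"),
    ("Spooler", "%SystemRoot%\\system32\\spoolsv.exe", None, None),
]


def _value(key, name):
    try:
        return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def enumerate_services():
    """Windows only: read every service's ImagePath/ServiceDll/ServiceMain and the
    svchost group table, then assess them. Opens the 64-bit view so a 32-bit
    Python is not silently redirected to the WOW64 keys."""
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    hklm = winreg.HKEY_LOCAL_MACHINE
    groups = {}
    with winreg.OpenKey(hklm, SVCHOST_GROUPS_KEY, 0, access) as gk:
        for i in range(winreg.QueryInfoKey(gk)[1]):
            vname, data, _ = winreg.EnumValue(gk, i)
            if isinstance(data, list):  # REG_MULTI_SZ list of member services
                groups[vname] = data
    services = []
    with winreg.OpenKey(hklm, SERVICES_KEY, 0, access) as sk:
        for i in range(winreg.QueryInfoKey(sk)[0]):
            svc = winreg.EnumKey(sk, i)
            with winreg.OpenKey(sk, svc, 0, access) as k:
                image, dll, main = _value(k, "ImagePath"), None, None
                try:
                    with winreg.OpenKey(k, "Parameters", 0, access) as pk:
                        dll, main = _value(pk, "ServiceDll"), _value(pk, "ServiceMain")
                except OSError:
                    pass
            services.append((svc, image, dll, main))
    return assess_all(services, groups)


if __name__ == "__main__":
    result = enumerate_services() if winreg else assess_all(SAMPLE_SERVICES, SAMPLE_GROUPS)
    for svc, findings in result.items():
        print(svc, "->", "; ".join(findings))
```

Treat the output as a triage list, not a verdict: legitimate services do occasionally use a non-default ServiceMain export, and the membership check is only as good as the group table read from the same registry the attacker wrote to. Every comparison is done case-insensitively on purpose; a check that compared "sOFtwaRe" or "seRVicemAIN" literally against the canonical spelling would miss this sample.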

Network Details:

DNS (all queries are type A; repeated lookups of the same name are listed once, with every distinct answer the report recorded):

qup.qh-lb.com: 106.120.167.25, 106.120.162.175
qurl.qh-lb.com: 101.199.109.151, 101.199.109.144
d1z9e7acialubj.cloudfront.net: 54.239.142.7, 54.239.142.20, 54.239.142.49, 54.239.142.75, 54.239.142.124, 54.239.142.135, 54.239.142.150, 54.239.142.176
www.a.shifen.com: 103.235.46.39
sdup.qh-lb.com: 0.0.0.0
d1q7jy3ylnh6sp.cloudfront.net: 54.239.142.17, 54.239.142.29, 54.239.142.105, 54.239.142.136, 54.239.142.165, 54.239.142.230, 54.239.142.235, 54.239.142.236
qd-b.code.qihoo.com: 218.30.118.9
g2-b.stat.360safe.com: 106.38.184.104, 180.97.63.236
locini.gslb.360safe.com: 101.226.161.214, 220.181.150.161, 220.181.150.162, 220.181.150.219, 220.181.159.91
tr-b.p.360.cn: 61.160.224.11, 61.160.224.12, 61.160.224.13, 61.160.224.14, 180.153.227.61, 180.153.227.62, 180.153.227.168, 180.153.227.169
updateh-b.360safe.com: 58.68.236.241
www-b.360.cn: 106.120.167.66
dl.qhcdn.com: 171.13.14.131, 171.13.14.165
dl.qh-lb.com: 0.0.0.0
www.360safe.com: 54.251.107.25
softm-b.update.360safe.com: 106.120.168.93, 106.120.168.94, 180.153.230.27, 180.153.230.28, 220.181.158.158, 220.181.158.159
softm-s.update.360safe.com: 61.240.140.65, 61.240.140.66, 123.125.80.23, 123.125.80.24
antispy.db.kingsoft.com: 219.232.254.22
bo.duba.net: 119.147.146.155
www.beike.cn: 114.112.68.174
rdr.kingsoft.com: 115.182.195.29, 125.39.136.78
forkingsoft.xdwscache.glb0.lxdns.com: 8.37.231.20, 8.37.231.21, 8.37.231.22
ifr.duba.net: 127.0.0.1
f-signs.duba.net: 121.14.11.28, 121.14.11.167
api.pc120.com: 119.147.146.126
hd.duba.net: 114.112.93.21
yd.ecoma.glb0.lxdns.com: 61.140.13.80, 61.140.13.81, 61.140.13.85, 61.140.13.87
z.rising.com.cn: 211.103.159.73, 211.103.159.74, 211.103.159.75, 211.103.159.76, 211.103.159.77, 211.103.159.78, 211.103.159.79, 211.103.159.80, 211.103.159.81, 211.103.159.82, 211.103.159.83
gnop008.tlgslb.com: 116.10.187.110, 116.10.187.111, 116.10.187.112, 116.10.187.118, 116.10.187.119, 116.10.187.120
m.rising.com.cn: 211.103.159.86, 211.103.159.151, 211.103.159.152, 211.103.159.153, 211.103.159.154, 211.103.159.155, 211.103.159.157, 211.103.159.158, 211.103.159.159, 211.103.159.160, 211.103.159.161, 211.103.159.162, 211.103.159.163, 211.103.159.164, 211.103.159.165, 211.103.159.166, 211.103.159.167, 211.103.159.168, 211.103.159.169, 211.103.159.170
reportq.rising.com.cn: 211.103.159.97, 211.103.159.100, 211.103.159.101, 211.103.159.107, 211.103.159.109
xnop007.tlgslb.com: 117.42.74.137, 117.42.74.147

Queried, no A answer recorded: conf.f.360.cn, shineok.3322.org, www.baidu.com, qup.f.360.cn, u.qurl.f.360.cn, qurl.f.360.cn, sdup.360.cn, sdupm.360.cn, qd.code.360.cn, qd.code.qihoo.com, stat.360safe.com, stat-s.360safe.com, update.360safe.com, update-s.360safe.com, tr.p.360.cn, updateh.360safe.com, w.360.cn, stat.sd.360.cn, sdl.360safe.com, dl.360safe.com, www.360.cn, softm.update.360safe.com, f-sq.beike.cn, vc01.beike.cn, push.www.duba.net, www.duba.net, vi.pc120.com, www.rising.com.cn, rsdownload.rising.com.cn, msginfo.rising.com.cn, rsdownauto.rising.com.cn, kaspersky.fastcdn.com, support.eset.com.cn

Notes: almost every name belongs to a Chinese antivirus vendor's infrastructure (Qihoo 360: 360.cn, 360safe.com, qihoo.com, qhcdn.com, qh-lb.com; Kingsoft: kingsoft.com, duba.net, pc120.com, beike.cn; Rising: rising.com.cn; plus kaspersky.fastcdn.com and support.eset.com.cn), to Baidu (www.a.shifen.com is the CNAME target of www.baidu.com), to two CloudFront distributions, or to CDN providers (tlgslb.com, lxdns.com). Most of the names in the no-answer list follow the same naming pattern as an answered name (qup.f.360.cn beside qup.qh-lb.com, softm.update.360safe.com beside softm-b.update.360safe.com), which suggests they were answered through CNAMEs that the report does not show. The report does not attribute lookups to processes, so this page cannot tell whether the trojan itself, or 360/Kingsoft/Rising software present on the sandbox image, generated them; the sample's 360-updater disguise would fit either reading. The one name that is neither vendor, search engine nor CDN is shineok.3322.org: 3322.org is a Chinese dynamic-DNS service, and the sandbox recorded no answer for it, so it is the indicator worth watching from this list, whereas the vendor and CDN addresses are shared infrastructure and should not be blocked on the strength of this report. The 0.0.0.0 answers for sdup.qh-lb.com and dl.qh-lb.com and the 127.0.0.1 answer for ifr.duba.net are null answers, not contactable hosts.
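The DNS block above is the sandbox's flattened three-line record layout (name, record type, answer), with the same name repeated for every lookup and no answer line at all when nothing came back. The parser below is an added example, not code from the report: it rebuilds the name-to-answers table from that layout and applies the triage used in the notes (dynamic-DNS suffix, no answer recorded, null or loopback answer). The embedded input is a constructed subset of the page's own records; every suffix in the dynamic-DNS list other than 3322.org is an assumption added for illustration.

```python
"""Parse the flattened DNS records of a sandbox report and triage the names.
Added example; not code from the report."""
import ipaddress
from collections import OrderedDict

# Constructed sample: a subset of the report's Network Details, in the exact
# layout the page uses. A name that never got an answer is followed directly
# by the next "DNS" line.
SAMPLE = """\
DNSqup.qh-lb.com
Type: A
106.120.167.25
DNSqup.qh-lb.com
Type: A
106.120.162.175
DNSqup.qh-lb.com
Type: A
106.120.167.25
DNSsdup.qh-lb.com
Type: A
0.0.0.0
DNSifr.duba.net
Type: A
127.0.0.1
DNSshineok.3322.org
Type: A
DNSwww.baidu.com
Type: A
"""

# 3322.org is the dynamic-DNS provider seen on the page; the other suffixes
# are assumptions added for illustration.
DDNS_SUFFIXES = (".3322.org", ".8866.org", ".no-ip.org", ".dyndns.org")


def parse_dns(text):
    """Return an ordered mapping name -> unique answers, in first-seen order.
    Repeated lookups of one name are merged; a name with no answer maps to []."""
    records = OrderedDict()
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS"):
            name = line[3:]
            records.setdefault(name, [])
        elif not line or line.startswith("Type:") or name is None:
            continue
        else:
            try:
                ip = str(ipaddress.ip_address(line))
            except ValueError:
                continue  # stray text, not an address
            if ip not in records[name]:
                records[name].append(ip)
    return records


def triage(records):
    """Flag names worth a second look. Returns name -> list of reasons:
    'ddns'         dynamic-DNS suffix (typical of hand-rolled C2 hosting)
    'no-answer'    queried, but no A record was recorded in the sandbox
    'null-routed'  answered with 0.0.0.0 or a loopback address"""
    findings = OrderedDict()
    for name, answers in records.items():
        reasons = []
        if name.lower().endswith(DDNS_SUFFIXES):
            reasons.append("ddns")
        if not answers:
            reasons.append("no-answer")
        elif any(ipaddress.ip_address(a).is_unspecified
                 or ipaddress.ip_address(a).is_loopback for a in answers):
            reasons.append("null-routed")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    recs = parse_dns(SAMPLE)
    for n, ips in recs.items():
        print("%-28s %s" % (n, ", ".join(ips) or "(no answer)"))
    for n, why in triage(recs).items():
        print("FLAG %-23s %s" % (n, " ".join(why)))
```

Run it over the whole Network Details block instead of the sample and the only name flagged as dynamic DNS is shineok.3322.org, while the vendor and CDN names fall through unflagged, which is the separation a responder wants before turning a sandbox report into block-list entries.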

Strings

The dump is dominated by x86 opcode bytes read as text and by long runs of 'K' (0x4B) with punctuation-heavy fragments between them, the pattern left by data XOR-encoded with a single-byte key (0x4B here) over mostly zero bytes; only the identifiable strings are grouped below. Truncated API names (aitForSingleObjec, Process32Firs, Dgetmainargs+acmdl, LastErro, strncm, ust_fdiv, set_app_, TickC*, Excepto, EnvironmentS, rameters, ,Variab, n_CxxFr) are what import names look like where they partially survive inside UPX-compressed data, so the dump mixes the packed file with its unpacked contents.

Version resource (matches the static details): VS_VERSION_INFO, StringFileInfo, VarFileInfo, Translation 080404b0 (language 0x0804 = Chinese (Simplified), code page 0x04b0 = Unicode), CompanyName 360.cn, InternalName 360sdUpd, OriginalFilename 360sdUpd.EXE, FileVersion and ProductVersion 1, 2, 0, 2023, LegalCopyright (C)360.cn Inc.All Rights Reserved., and the empty Comments, LegalTrademarks, PrivateBuild and SpecialBuild fields.

Embedded PE, packer and runtime traces:
  !This program cannot be run in DOS mode.  (the outer file's DOS stub)
  !tHIS PROGRAM CANNOT BE RUN IN dos MODE.  (a second DOS stub with the letter case inverted: an embedded PE whose header text was case-scrambled)
  .aspack  (ASPack section name)
  `.data, Code.*~  (section-name fragments)
  [LordPE]  (tag written by the LordPE PE editor, typically into a dumped or rebuilt image)
  deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly / inflate 1.2.3 Copyright 1995-2005 Mark Adler / 1.2.3  (statically linked zlib 1.2.3)
  .?AVtype_info@@, ??1type_info@@UAE@XZ, ??2@YAPAXI@Z, __CxxFrameHandler, _except_handler3, _XcptFilter, __getmainargs, _initterm, __set_app_type, __setusermatherr, __p__commode, __p__fmode, _adjust_fdiv, _controlfp, _acmdln  (MSVC 6 C/C++ runtime, consistent with the compiler signature)

Obfuscated strings (reversed, case-scrambled, or both):
  AecivreSnepO = OpenServiceA, reversed
  AemaNyalpsiDecivreSteG = GetServiceDisplayNameA, reversed
  AemaNyeKecivreSteG = GetServiceKeyNameA, reversed
  Niamecivres, NIAmeciVRes = ServiceMain, reversed; the second spelling is exactly the seRVicemAIN value name written at runtime
  eludom = module, reversed
  k- exe.tsoh = "host.exe -k", reversed; together with %SystemRo and the format string %sot%%\System32\svc%s %s%s%s it assembles a "%SystemRoot%\System32\svchost.exe -k <group>" command line from fragments
  npaDDcONNECTION, npaDDcONNECTION3, npcANCELcONNECTION, npcLOSEeNUM, npeNUMrESOURCE, npgETcAPS, npgETcONNECTION, npgETrESOURCEiNFORMATION, npgETrESOURCEpARENT = the Network Provider export set (NPAddConnection, NPAddConnection3, NPCancelConnection, NPCloseEnum, NPEnumResource, NPGetCaps, NPGetConnection, NPGetResourceInformation, NPGetResourceParent) with letter case inverted; npgETrESOURCEpARENT is the ServiceMain data written at runtime, so the payload DLL presents its entry point under a name borrowed from the network-provider API
  SOFTWARE\mIcRoSoFt\wINDoWS nt\currentVerSioN\sVChoST = the svchost service-group key, case-scrambled
  SYSTEM\CurrentControlSet\seRviCes\, \parameters, ImagePath, Description, Startup, LocalSystem, netsvcs, Netsvcs = service-installation keys and values
  sOFtwaRe\, SOFtWaRe\  (case-scrambled key prefixes, as seen in the runtime registry writes)
  REmoTereGIBtRy  (apparently the RemoteRegistry service name, case-scrambled and with the 's' replaced)
  .jz\cMd.eXE  (cmd.exe, case-scrambled)
  fegConnectRegistryA  (RegConnectRegistryA with a corrupted first character)
  KeRNel32, kernel32  (LoadLibrary arguments, one case-scrambled)
  kpdateCrc, UPdatecXc, %s a -s, Global\ki, Goba\ki, \temp\, XPTPSW, msCDY_TYMSTR, SESSIONNAME, %SESSIONNAME%, %SESSIONNAME%\  (further fragments; SESSIONNAME is the environment variable that identifies a terminal-services session)

Imported libraries: ADVAPI32.dll, GDI32.dll, IMM32.dll, KERNEL32.dll, MSVCRT.dll, MSVFW32.dll, ole32.dll, OLEAUT32.dll, PSAPI.DLL, SHELL32.dll, SHLWAPI.dll, USER32.dll, USERENV.dll, WININET.dll, WINMM.dll, WS2_32.dll, WTSAPI32.dll, iphlpapi.dll, DRPROV.DLL

API names by capability:
  Service control: OpenSCManagerA, OpenServiceA, CreateServiceA, DeleteService, StartServiceA, ControlService, ChangeServiceConfigA, ChangeServiceConfig2A, QueryServiceConfigA, QueryServiceStatus, CloseServiceHandle
  Registry: RegOpenKeyExA, RegCreateKeyExA, RegQueryValueExA, RegSetValueExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyExA, RegEnumValueA, RegQueryInfoKeyA, RegSaveKeyA, RegRestoreKeyA, RegSetKeySecurity, RegCloseKey, SHCopyKeyA, SHDeleteKeyA, SHGetValueA
  Privileges and ACLs: OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, SeBackupPrivilege, SeRestorePrivilege (RegSaveKeyA/RegRestoreKeyA require these), InitializeSecurityDescriptor, GetSecurityDescriptorControl, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, InitializeAcl, AddAce, AddAccessAllowedAce, GetAce, GetAclInformation, GetFileSecurityA, SetFileSecurityA, AllocateAndInitializeSid, FreeSid, EqualSid, GetLengthSid, LookupAccountNameA, LookupAccountSidA, LsaFreeMemory
  Process and module: CreateProcessA, CreateThread, _beginthreadex, ExitProcess, ExitThread, GetExitCodeThread, CreateToolhelp32Snapshot, Process32First, Process32Next, IsWow64Process, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetProcessHeap, LoadLibraryA, GetProcAddress, FreeLibrary, GetModuleHandleA, GetModuleFileNameA, VirtualProtect, IsBadReadPtr, IsBadWritePtr, S
etUnhandledExceptionFilter, RaiseException
  File system and environment: CreateFileA, WriteFile, SetFilePointer, GetFileSize, CopyFileA, MoveFileA, DeleteFileA, CreateDirectoryA, GetFileAttributesA, SetFileAttributesA, SetFileTime, PathFileExistsA, GetTempPathA, GetSystemDirectoryA, GetCurrentDirectoryA, GetLogicalDriveStringsA, GetVolumeInformationA, GetProfilesDirectoryA, GetUserProfileDirectoryA, GetPrivateProfileStringA, ExpandEnvironmentStringsA, SetEnvironmentVariableA, GetCommandLineA, GetStartupInfoA
  Surveillance and input: SetWindowsHookExA, CallNextHookEx, BlockInput, EnumWindows, GetActiveWindow, GetWindowTextA, FlashWindow, OpenInputDesktop, SetProcessWindowStation, OpenClipboard, SetClipboardData, CloseClipboard, ImmGetContext, ImmGetCompositionStringA, ImmReleaseContext, CreateCompatibleBitmap, ICGetInfo, waveInOpen, waveInGetDevCapsA, waveOutOpen, waveOutReset, mixerOpen. The fragments hdivxhvidc, hxvidhvidc, Rhvidc, Phvidc, FLvidc and t\Shdivxhvidc are push-immediate instructions (0x68 = 'h') of the four-character codes 'divx', 'xvid' and 'vidc', i.e. a Video for Windows compressor lookup next to ICGetInfo (MSVFW32.dll), which is how a captured screen is compressed before transmission.
  Console: GetConsoleTitleA, ReadConsoleOutputA, SetConsoleCtrlHandler, SetConsoleOutputCP, SetConsoleScreenBufferSize
  Synchronisation and miscellany: CreateEventA, OpenEventA, WaitForSingleObject, InitializeCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InterlockedExchange, SleepEx, GetTickCount, GetLocalTime, GetSystemInfo, GetSystemMetrics, GetLastError, LocalAlloc, CloseHandle, OpenEventLogA, MessageBoxA, wsprintfA, wsprintfW
  C runtime: malloc, realloc, memcpy, memmove, memset, strcmp, strncmp, strcpy, lstrcmpA, lstrcmpiA, _strupr, tolower, wcstombs

Capability picture from the imports: service installation and control with backup/restore privileges, ACL rewriting on files and registry keys, process enumeration, Windows-hook and IME-based input capture, clipboard, screen (GDI plus VfW compressor) and microphone capture, a console-based remote shell, and terminal-session awareness (SESSIONNAME, WTSAPI32.dll). That matches the Zegost/Redosdru/Bjlog dropper and password-stealer verdicts in the AV table. For detection, note that every persistence-related string above is either reversed or case-scrambled: signatures on these paths and names must be case-insensitive and should cover the reversed spelling as well.
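The obfuscated strings above use two cheap transforms: reversal (AecivreSnepO for OpenServiceA) and letter-case scrambling (npgETrESOURCEpARENT, sOFtwaRe, the svchost key). Both survive contact with Windows because registry paths, file names and service names are case-insensitive and the reversed strings are flipped back before use, but either one defeats a case-sensitive signature on the canonical spelling. The script below is an added example, not code from the report or the sample: it recovers the original names from a strings dump by trying the plain and reversed form of each string against a case-folded reference list, and emits YARA string definitions that cover both transforms. The reference list and the input lines are taken from this page; "host.exe -k" is listed as the tail of the svchost command line because the sample supplies the "svc" prefix from a separate format string.

```python
"""Recover API names, registry paths and commands hidden by reversal or case
scrambling, as seen in this sample's strings. Added example; not code from the
report or the sample."""

# Reference names. Each appears on the page in plain, reversed or case-scrambled form.
KNOWN = [
    "OpenServiceA",
    "GetServiceDisplayNameA",
    "GetServiceKeyNameA",
    "ServiceMain",
    "NPGetResourceParent",
    "RemoteRegistry",
    "host.exe -k",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost",
    "SYSTEM\\CurrentControlSet\\Services\\",
    "cmd.exe",
    "module",
]

# Constructed sample: lines lifted from the report's Strings section, plus one
# opcode-noise line that must not match anything.
SAMPLE_STRINGS = [
    "AecivreSnepO",
    "AemaNyalpsiDecivreSteG",
    "NIAmeciVRes",
    "eludom",
    "k- exe.tsoh",
    "npgETrESOURCEpARENT",
    "SOFTWARE\\mIcRoSoFt\\wINDoWS nt\\currentVerSioN\\sVChoST",
    "SYSTEM\\CurrentControlSet\\seRviCes\\",
    ".jz\\cMd.eXE",
    "D$ _^][",
]

MIN_SUBSTRING = 7  # needles shorter than this (here only "module") must match whole


def match_obfuscated(strings, known=KNOWN):
    """Map each input string to (known_name, transform), where transform is one of
    plain, plain+case, reversed, reversed+case. Comparison is case-folded, which
    is what the sample's scrambling is designed to slip past; longer needles may
    also match as substrings so a path with a prefix (.jz\\cMd.eXE) still hits."""
    hits = {}
    needles = [(k, k.lower()) for k in known]
    for s in strings:
        for transform, cand in (("plain", s), ("reversed", s[::-1])):
            cl = cand.lower()
            for k, kl in needles:
                exact = cl == kl
                partial = len(kl) >= MIN_SUBSTRING and kl in cl
                if exact or partial:
                    how = transform if k in cand else transform + "+case"
                    hits[s] = (k, how)
                    break
            if s in hits:
                break
    return hits


def yara_strings(known=KNOWN):
    """YARA string definitions covering the canonical and the reversed spelling,
    each with 'nocase' so case scrambling is irrelevant to the match."""
    lines = []
    for i, k in enumerate(known):
        for tag, text in (("s", k), ("r", k[::-1])):
            esc = text.replace("\\", "\\\\").replace('"', '\\"')
            lines.append('$%s%d = "%s" nocase' % (tag, i, esc))
    return lines


if __name__ == "__main__":
    for s, (k, how) in match_obfuscated(SAMPLE_STRINGS).items():
        print("%-52s -> %-50s [%s]" % (s, k, how))
    print("\n".join(yara_strings()))
```

The reversed needles are generated from the canonical names rather than copied from the dump, so the rule keeps working when the next build scrambles a different subset of letters; the substring threshold stops short needles such as "module" from matching inside unrelated text.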