Analysis Date: 2014-09-29 13:37:48
MD5: 4522883c5d5bd8c78023de49519ae75a
SHA1: 680dfa893c8b644116c0e68587e82f73d084ba39

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (size 0: these are the MD5/SHA1 of empty input, so they are not usable as indicators)
Section: UPX1 md5: f3a7e8ffcb42cee501a9dd8eaf42a1df sha1: 6e6c0c280034bda153240cfabf83f0738070dd62 size: 9216
Section: .rsrc md5: 810e08c1e6cb66d0180460f30b5bec88 sha1: 14d413842facf7292fb030bfbed7856800d9085f size: 24576
Timestamp: 2010-01-10 02:52:49
Version: LegalCopyright: 版权所有(C) 2009
InternalName: Rund32
FileVersion: 2, 0, 0, 0
CompanyName: Microsoft Corporation
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Microsoft Corporation
SpecialBuild:
ProductVersion: 2, 0, 0, 0
FileDescription: install
OriginalFilename: install.exe
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8a9c45a8885cbe31a64b1d6a2a584cfc61dfae3
IMPhash: 587543b11979ed8a9c1d66e2ed32572e

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{nlyqcsav-6xsd-aren-gea2-j9mo5r7gygy4}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00 (raw bytes as logged; read as GBK text they are "系统设置", i.e. "System Settings")
Creates File: C:\Windows\System32\inuqbjvqf.exe
Creates File: C:\Windows\System32\inuqbjvqf.exe_lang.ini
Creates Process: C:\Windows\System32\inuqbjvqf.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ \??\C:\WINDOWS\system32\winlogon.exe

Process
↳ C:\Windows\System32\inuqbjvqf.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{zemdnoqn-tixy-ycfe-sili-iajhsojsicyt}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\inatwyxqd.exe
Creates File: C:\Windows\System32\inatwyxqd.exe_lang.ini
Creates Process: C:\Windows\System32\inatwyxqd.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\inatwyxqd.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{mdnoqnbt-xyxy-feys-liri-jhsojsicytcd}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\inpfzcyeq.exe
Creates File: C:\Windows\System32\inpfzcyeq.exe_lang.ini
Creates Process: C:\Windows\System32\inpfzcyeq.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\inpfzcyeq.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{dnoqnbti-yxyc-eysi-iria-hsojsicytcdt}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\ineqbmfxl.exe
Creates File: C:\Windows\System32\ineqbmfxl.exe_lang.ini
Creates Process: C:\Windows\System32\ineqbmfxl.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\ineqbmfxl.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{noqnbtix-xycf-ysil-riaj-sojsicytcdtz}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\incvdypdo.exe
Creates File: C:\Windows\System32\incvdypdo.exe_lang.ini
Creates Process: C:\Windows\System32\incvdypdo.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\incvdypdo.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{btixyxyc-eysi-iria-hsoj-icytcdtzogpa}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\inhnmoqun.exe_lang.ini
Creates File: C:\Windows\System32\inhnmoqun.exe
Creates Process: C:\Windows\System32\inhnmoqun.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\inhnmoqun.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{xyxycfey-ilir-ajhs-jsic-tcdtzogpaesl}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\inlubyhti.exe_lang.ini
Creates File: C:\Windows\System32\inlubyhti.exe
Creates Process: C:\Windows\System32\inlubyhti.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\inlubyhti.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{lfezghon-vnbg-kkoj-iaae-hrtbgpedtljh}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\innuocedv.exe_lang.ini
Creates File: C:\Windows\System32\innuocedv.exe
Creates Process: C:\Windows\System32\innuocedv.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\innuocedv.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{vuwirwkz-jikm-qudp-wdut-lcxbaxboewhe}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\inpsutmlb.exe_lang.ini
Creates File: C:\Windows\System32\inpsutmlb.exe
Creates Process: C:\Windows\System32\inpsutmlb.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\inpsutmlb.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{irwkzdji-mjqu-pewd-tulc-baxboewhexne}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\invuwaxma.exe
Creates File: C:\Windows\System32\invuwaxma.exe_lang.ini
Creates Process: C:\Windows\System32\invuwaxma.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\invuwaxma.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{bavcdkzj-vrjc-ggkf-leja-dxnp76lapchw}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\injyqkarh.exe
Creates File: C:\Windows\System32\injyqkarh.exe_lang.ini
Creates Process: C:\Windows\System32\injyqkarh.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\injyqkarh.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{f8qofu4s-qmez-b9vf-sgwl-ywmc6ik21g5k}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\inetlfmxc.exe
Creates File: C:\Windows\System32\inetlfmxc.exe_lang.ini
Creates Process: C:\Windows\System32\inetlfmxc.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\inetlfmxc.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{bqosfvdy-b9v4-6duh-214d-s618u71ms23a}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\inxtemyti.exe_lang.ini
Creates File: C:\Windows\System32\inxtemyti.exe
Creates Process: C:\Windows\System32\inxtemyti.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\inxtemyti.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{yxycfeys-liri-jhso-sicy-cdtzogpaesle}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\incvxxhec.exe_lang.ini
Creates File: C:\Windows\System32\incvxxhec.exe
Creates Process: C:\Windows\System32\incvxxhec.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\incvxxhec.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{feysilir-ajhs-jsic-tcdt-ogpaeslefncn}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\inyxynpgc.exe_lang.ini
Creates File: C:\Windows\System32\inyxynpgc.exe
Creates Process: C:\Windows\System32\inyxynpgc.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\inyxynpgc.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4s1qmezb-9vfa-gwle-wmc6-k21g5kyraycn}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\infdqdofu.exe
Creates File: C:\Windows\System32\infdqdofu.exe_lang.ini
Creates Process: C:\Windows\System32\infdqdofu.exe
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Process
↳ C:\Windows\System32\infdqdofu.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{dyub9v4g-duhq-14d5-618u-1ms23amb983m}\ ➝
\\xcf\\xb5\\xcd\\xb3\\xc9\\xe8\\xd6\\xc3\\x00
Creates File: C:\Windows\System32\inbqostfv.exe
Creates File: C:\Windows\System32\inbqostfv.exe_lang.ini
Creates Mutex: BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
Creates Mutex: DBWinMutex

Network Details:


Raw Pcap

Strings

080404b0
2, 0, 0, 0
(C) 2009
Capture Filter
Comments
CompanyName
Copyright ? 2009
Device Protect Application
FileDescription
FileVersion
FriendlyName
Grabber
install
install.exe
InternalName
jjjj
jjjjj
jjjjjjjjh
LegalCopyright
LegalTrademarks
Microsoft Corporation
Microsoft(R) Windows(R) Operating System
OriginalFilename
PrivateBuild
ProductName
ProductVersion
Rund32
Server.dll
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
 :-<+?.
???+???`???{???
???	???
&''))))))))))))))))))()(%%
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
								
																																			
~0;~,}
???*???0
0!000?0
0#00050
0!000K0[0`0i0t0
0$000L0X0t0
0 0>0V0]0c0l0v0
0	060G0]0
0)0W0a0q0
0"1'1D1I1
0123456789+/
[%02d/%02d/%d %02d:%02d:%02d] (%s)
: :$:(:,:0:4:8:<:@:D:H:L:
> >$>(>,>0>4>8><>@>D>H>L>P>f>k>
0A1H1N1w1
@0Cxxl+
0L0P0T0X0
?$?0?L?X?t?
;0W0j0
1 1$1(1,1r1
1'1,161;1E1J1T1Y1p1
1(1>1i1p1
1&1:1K1]1s1
1(1D1L1X1`1
1<1H1Y1_1
1!1M1Z1
1	2!292\2y2
.12q.14
171W1w1
=1><>[>a>f>k>s>{>
?"?(?1?<?A?m?s?}?
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??1type_info@@UAE@XZ
??1'UAE@XZ
1.,)))()()))),.WXY
2.0.0.0
2 2(222c2
2222\`dh
22rrrXXXXX5
2.2Y2`2v2}2
???'???.???2???3???2???.???&???
/24`.14@.14
%-24s %-15s 
%-24s %-15s 0x%x(%d) 
%-24s %-15s %s 
2C3e3o3#4E4O4
>2>d>q>{>
2j2q2{2
2T2d2j2
2Y2f2r2
??2@YAPAXI@Z
#32770
32\s .exe -k d
3 3(30353T3
3'4,4F4
3 484L4\4`4p4
384>4N4h4
???3???	~aV
;3;:;?;f;
3O3h3r3{3
3X4a4j4u4~4
3y@79449BB1F
??3@YAXPAX@Z
{4_^]3
445Q5Y5{5
4!5.5x5
4?8K9?:
494Y4y4
4a4f4k4
4A5F5K5
4##c#8
4D4V4\4b4
>4>@>\>h>
4I4e4o4G5
>4>I>O>n>
<4<I<p<w<
=4=J=j=
4k435w5
+-.4(+,y(+-
526>6Q6a6g6
\?>550
5 5054585<5@5D5H5L5P5T5X5\5`5d5h5l5
5,585T5\5h5
565X5e5l5
5#6;6V6
595R5s5
=-=5=:=C=H=^=
<5=c=u=
5E748@:D:H:L:P:T:X:\:`:d:h:l:p:t:P<`<j<A>O>k?y?
<5<G<o<u<
>5>H>V>h>u>
???5???J???d???w???
5K5^5o5u5~5
=5>P>`>g>
5S5h5n5
???6???
6$606<6H6T6`6l6
6 646@6H6x6
6!6+666B6L6X6`6h6n6
6	666s6
6&6?6a6h6t6{6
6!737u7
6	7 7X7_7
6POVVh$k4
6q3t8xV^R
70C0K0b0u0
757m7v7}7
7 7$7(7,7074787<7@7D7H7L7w7
7 7<7H7d7p7
7 7$7r7
7"7/7z7
7netsvcs
7T8j8q8
!   !!!!8
808e8l8
879?9n9
8$8@8a8
8"8'8D8l8u8~8
8 8(8X8l8x8
8)8C8]8t8
8#8E8O8
8(8P8Y8
=,=8=F=R=o=
8!!!!!!Q!##x
:	;!;';8;S;h;o;
;,;8;T;`;|;
8X8k8}8
!!!!!!!!!9!!!!!!!!!!!!!!!!!!!
9$9,989T9\9h9
9&9:9E9f9k9
9)9I9`9i9}9
?%?9?D?w?~?
9F9f9n9
9, (,h
9/:::K:z:
=9=?=n=
='>->9>Q>
~(9~$u
9[:v:M;U;d<l<y<
>$>*>9>Y>|>
?ABCDEFGHIJKLMNOPQR
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Active 
ActiveX 
AddAccessAllowedAce
#AddrEbR/
_adjust_fdiv
AdjustTokenPrivileges
ADVAPI32.dll
AEEFEA
;a<j<x<
AllocateAndInitializeSid
AlrUnepOtenretnI
Application
Applications\iexplore.exe\shell\open\command
aram.o
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
<AtG<BtC
.?AVtype_info@@
???B???
bad Allocate
bad buffer
_beginthreadex
BitBlt
BKLANG
BKLANGrq6mva6msr2xsLK9rrC1qaevnw==
BlockInput
BNOONH
?&?;?B?O?s?
buffer error
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
CallNextHookEx
calloc
CancelIo
cddS^_S_
ChangeServiceConfigA
CharNextA
ClearEventLogA
CloseClipboard
CloseDesktop
CloseEventLog
CloseHandle
CloseServiceHandle
\cmd.exe
CoCreateInstance
CoInitialize
ControlService
CopyFileA
CoTaskMemFree
CoUninitialize
CreateCompatibleBitmap
CreateCompatibleDC
CreateDIBSection
CreateDirectoryA
CreateEventA
CreateFileA
CreateFileMappingA
CreateMutexA
CreatePipe
CreateProcessA
CreateRemoteThread
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
:*;C;t;x;};
__CxxFrameHandler
_CxxThrowException
???d???'???	
D$0RPh
<@D2###HLP
D$(8D*
DABlooplutVV
@.data
data error
%d.bak
%d.bak.dll
@DDDC?
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly 
DelALong 
DeleteCriticalSection
DeleteDC
DeleteFileA
DeleteObject
DeleteService
Description
DestroyCursor
:D;H;L;P;T;X;\;`;d;h;
D$HUj@
DisableThreadLibraryCalls
DisconnectNamedPipe
DispatchMessageA
DisplayName
DLL_PROCESS_DETACH
D$lRPj
:(:D:L:X:t:|:
})dMP9Q
<(<D<P<l<x<
D$<PVhx
D$\PWVh
D$$RPU
=)>d>#???S?_?
;D$<s!
D$$SUV
D$TSUVW
???E???
?E?h?n?s?{?
EjssllllmVVV
eldnaHesolCtenretnI
eliFdaeRtenretnI
EM,Ph\
EmptyClipboard
empty distance tree with lengths
emRoot
 end DeleteService
EnterCriticalSection
EnumProcessModules
EnumServicesStatusA
EnumWindows
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
ErrorControl
_except_handler3
ExitProcess
ExitWindowsEx
???`_F9
>F?b?k?p?
Fdf+Fh
FFF6FFFdFFF
FFF7FFF
FFF8FFF
FFF9FFF
FFFdFFF
FFFdFFF&FFF	FFF
FFF@FFF
FFF	FFF
FFF*FFF4FFF;FFFAFFFEFFFGFFFGFFFFFFFCFFF>FFF6FFF-FFF!FFF
FFF FFF5FFFHFFFcFFFzFFF
FFF$FFFEFFF`FFFfFFFgFFFgFFFoR4)
FFF`FFF,FFF
FFF|FFF:FFF#FFF FFF FFF FFF
FFF FFF FFF FFF*S@9
FFF	FFF FFFFuqp
FFFHFFF#FFF
FFFjFFFPFFF<FFF'FFF
FFFkFFF
FFFtFFFAFFF%FFF
FFFtFFF-FFF
FFFXFFF'FFF
FFFyFFFiFFFgFFFgFFFfFFF`FFFEFFF,FFF
FFFzFFF1FFF
FhURUPQ
file error
FindClose
FindFirstFileA
FindNextFileA
FindWindowA
=!>@>F>K>Y>^>h>o>}>
?F?L?Q?Y?a?f?p?u?
: :::F:L:X:q:
FreeConsole
FreeLibrary
FreeSid
fVV`+*L/
fZek83@YA
;);F;Z;q;
GDI32.dll
GD]_[Y
GetActiveWindow
GetClientRect
GetClipboardData
GetCurrentProcess
GetCurrentThreadId
GetCursorInfo
GetCursorPos
GetDesktopWindow
GetDIBits
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileAttributesA
GetFileSize
GetKeyNameTextA
GetLastError
GetLengthSid
GetLocalTime
GetLogicalDriveStringsA
GetMessageA
GetModuleFileNameA
GetModuleFileNameExA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetSystemDirectoryA
GetSystemMetrics
GetThreadDesktop
GetTickCount
GetUserObjectInformationA
GetVersion
GetVersionExA
GetVolumeInformationA
GetWindowTextA
GetWindowThreadProcessId
gI'))a
GlobalAlloc
GlobalFree
Global\Lang %d
GlobalLock
GlobalMemoryStatus
GlobalSize
GlobalUnlock
=&=;=G=M=o=
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
g]====>]z
: :;:h:
HARDWARE\DESCRIPTION\System\CentralProcessor\0
hcccccca``aa
HeapAlloc
HeapFree
HFDR???
HFDRw]S
HII!266
|$HPWS
HrCg@b	g(
http://
https://
ImagePath
IMM32.dll
ImmGetCompositionStringA
ImmGetContext
ImmReleaseContext
incompatible version
incomplete distance tree
incomplete dynamic bit lengths tree
incomplete literal/length tree
incorrect data check
incorrect header check
 inflate 1.1.4 Copyright 1995-2002 Mark Adler 
InitializeAcl
InitializeCriticalSection
InitializeSecurityDescriptor
_initterm
InstallModule
insufficient memory
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
InternetOpenA
InternetReadFile
invalid bit length repeat
invalid block type
invalid distance code
invalid literal/length code
invalid stored block lengths
invalid window size
isdigit
IsWindowVisible
Iu	_^[
iVVVVUU
JGEXhTI
JGEXYH?
jjjjj??????:<
j!!!Q!R
|$`j/W
_kaspersky
KERNEL32.dll
KERNEL32.DLL
keybd_event
%%!(KKSHGY
< <.<K<T<[<b<|<
L$0QRRRRRU
L$4QRRRRRU
L$(_^][d
L$\_^][d
LeaveCriticalSection
LHHGh##
L$hj,QU
lld.TENINIW
L$LQVS
LoadCursorA
LoadLib|
LoadLibraryA
LocalAlloc
LocalFree
LocalReAlloc
LocalSize
LocalSystem
LockServiceDatabase
LookupPrivilegeValueA
L$,QWV
L$$RQSW
L$ RUPj
lstrcAA
lstrcatA
lstrcmpiA
lstrcpyA
lstrlenA
LSZLSZ2vYA8fzw/AXzv+MC9fYAAr/a/v3+BALxnw==|K38xgSlaK39ZUE9hUDErbVZ3LicxQVRTNTwna09hVncuJ2RqNTyf
l$(VW3
???m???<???
malloc
manbne
MapViewOfFile
MapVirtualKeyA
mayr2w
memmove
mouse_event
MoveFileA
MoveFileExA
Mozilla/4.0 (compatible)
!$!!mQJJI~!!
MSVCP60.dll
MSVCRT.dll
:.;M;V;];k;
NDSUPQ
need dictionary
:N;^;h;
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
NPRPUSj
nrBKkcmdy*
NtQuerySystemInformation
ObjectName
ole32.dll
OLEAUT32.dll
<om]dccccccu
OpenClipboard
OpenDesktopA
OpenEventA
OpenEventLogA
OpenInputDesktop
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenServiceA
OpenWindowStationA
osoft\Windows NT\CurrentVersion\
OutputDebugStringA
oV+}}{
oversubscribed distance tree
oversubscribed dynamic bit lengths tree
oversubscribed literal/length tree
p32SnapshoM
Parameters
<==>pcccqqqck
PCRatStact
PCRat Update
= =P=d=p=x=
PeekNamedPipe
\$,Ph<s
PostMessageA
|ppklll
 !!  !p!!!!!##!#Q
Process32First
Process32Next
ProcessorNameString
Progman
PSAPI.DLL
pt"0CM
=p?t?x?|?
;	<$<P<v<
 !  !!!!!!!#!Q##
{qklv1ddz-09vs-vem0-ekqa-zcv4favkynwj}
#QQQRSSe
;QQRS[z{
QRPPPPPPVP
QRUUUUUUPU
!#!Q#"SSRy~
QSSSSSSSSj
QueryServiceConfigA
QueryServiceStatus
R#C%%%#cb#
`.rdata
ReadFile
realloc
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
REG_BINARY
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
REG_DWORD
RegEnumKeyExA
RegEnumValueA
REG_EXPAND_SZ
RegisterServiceCtrlHandlerA
REG_MULTI_SZ
RegOpenKeyA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueA
RegQueryValueExA
RegQueryValueEx(Type)
RegSetValueExA
RegSetValueEx(start)
REG_SZ
ReleaseDC
ReleaseMutex
@.reloc
Remark
RemoveDirectoryA
RemoveService(LPCTSTR lpServiceName)
RemoveService(m_strServiceName);
rename
ResetEvent
ResumeThread
:R^gz|zfaaaaaa`_S
RROR_SUCCESS != rc
r*#"U,@@C
Rundll32.exe
rundll32.exe %s,UninstallServer %s
%s\*.*
S1h#tw%Sy
 SAVbO
%s.dll
%s\dllcache\%s
Security
SeDebugPrivilege
SelectObject
SendCPUAndMemoryThread
SendCPUAndMemoryThread End
SendMessageA
Server.dll
ServiceDll
ServiceMain
ServiceMain2
SeShutdownPrivilege
SetCapture
SetClipboardData
SetCursorPos
SetErrorMode
SetEvent
SetFilePointer
SetLastError
SetProcessWindowStation
SetRect
SetSecurityDescriptorDacl
SetServiceStatus
SetThreadDesktop
SetUnhandledExceptionFilter
SetWindowsHookExA
sfc.dll
sfc_os.dll
;S<g<m<r<
SHELL32.dll
Shell_TrayWnd
SHGetFileInfoA
ShowWindow
%s_lang.ini
SOFTWARE\Micr
Software\Microsoft\Active Setup\Installed Components\
SOFTWARE\Microsoft\Active Setup\Installed Components\
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
sprintf
sp*tf>cD
%s%s*.*
s\%sdX
s%\secivreS\tESlortnoCtnerruC\METSYS
ssecorPetanimreT
%s\shell\open\command
ssqsccca
ssrstsd
%s%s%s
StartServiceA
strchr
stream end
stream error
_strlwr
strncat
strncmp
strncpy
_strnicmp
strrchr
_strrev
strstr
strtoul
stubpath
SUVWh`
$SUVWj
SVvueDll
=;=S=Y=m=
\syslog.dat
System
SYSTEM\CurrentControlSEt\Services\
SYSTEM\CurrentControlSet\Services\%s
SystemParametersInfoA
:);/;T;
! !  ! !!!!#T
???T???*???
???t???>???0???,???"???
T+3x%A
&tA=`<
???t???a???G???2???
T$DPVS
TempPYhA&
TerminateThread
T$ Fj:V
T$(Fj:V
!This program cannot be run in DOS mode.
T$Hj Rj
T$hQRP
t&HuCj
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
T$ jBVR
tJ<\u8
|$<.tK
T$LPQR
T$LRWS
too many length or distance symbols
toulisd
T$,PQh
T$(PQR
T$PQRVVVP
T$ QRj
T$ QRVVVP
TranslateMessage
T$,RWV
tSQRR_766
tupVV(Y
t$ WSPVR
Type7YSTEM
tZ9H tU9H$tP
???u???&???
UnhookWindowsHookEx
UninstallServer
UnInstallService()
unknown compression method
UnlockServiceDatabase
UnmapViewOfFile
up\InAa
!    ! ! !!!#UQ#Q#Q
us0lit
USER32.dll
VDPQRUSP
VirtualAlloc
VirtualFree
VirtualProtect
V@j QR
VSLANG
[VSLANG
VSLANGrq6mva6msr2xsLK9rrC1qaevnw==
W(9W$u
WaitForMultipleObjects
WaitForSingleObject
WaitForSingleObjectFre
waveInAddBuffer
waveInClose
waveInGetNumDevs
waveInOpen
waveInPrepareHeader
waveInReset
waveInStart
waveInStop
waveInUnprepareHeader
waveOutClose
waveOutGetNumDevs
waveOutOpen
waveOutPrepareHeader
waveOutReset
waveOutUnprepareHeader
waveOutWrite
wb#rbcMbugP
wcstombs
WideCharToMultiByte
WindowFromPoint
WININET.dll
Winlogon
winlogon.exe
WINMM.dll
winsta0
WinSta0\Default
?>?W?^?n?
WriteFile
WritePrivateProfileStringA
WS2_32.dll
WSAIoctl
wsprintfA
WTSAPI32.dll
|$ WUSV
WWW00WWWnn
XPTPSW
?_Xran@std@@YAXXZ
xtS!!QQSSb7666bssrqqsv
???y???(???
yg;Ke1
???)ywv
yy}~~~}zz
YZabcdefghijklmnopqr
???-???ZUUU
ZVJaN1BgKERUdp8=
ZY`crPVR