Analysis Date: 2015-07-24 07:42:28
MD5: 908edca5d834d03c630903790ac13f3b
SHA1: a20551fe4cf9129de7cc3ddfebce67e6f7697eeb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE  md5: 146a85996ec983140cace6b8e1c5e83f sha1: 1ce44091521a5e990427fa229336bf1560d7981c size: 19192
Section .data  md5: 61e2864b5f89ec0f6c294c5c6717326e sha1: c8d7c088c06a61b01ebfe1551e24a2789c7b3516 size: 170384
Section .rsrc  md5: 616d25b4d6b22b2bccf1a51a19bc7f51 sha1: 9e2842c7b606270acb13dddc699d4eff4e9bc5c2 size: 1952
Section .idata2  md5: de557d7c4177caf67c6461f82c4d050e sha1: acf7bf1a05bfeac8df16cde96282494c90192735 size: 2048
Timestamp: 2010-07-14 22:03:32
Version:
LegalCopyright: (C) Microsoft Corporation. All rights reserved.
InternalName: SPUNINST.EXE
FileVersion: 6.3.0004.1 built by: dnsrv
CompanyName: Microsoft Corporation
ProductName: Microsoft(R) Windows(R) Operating System
ProductVersion: 6.3.0004.1
FileDescription: Windows Service Pack Uninstall
OriginalFilename: SPUNINST.EXE
Packer: Microsoft Visual C++ v6.0
PEhash: 4ff5f505dd36d1486dc7d482d5bde2e3ae1fcf5b
IMPhash: c509dbcf0dade053e5588087a4d64742
AV Rising: Backdoor.Win32.GenFxj.c
AV CA (E-Trust Ino): Win32/Zegost.CJ
AV F-Secure: Backdoor:W32/Bjlog.D
AV Dr. Web: BackDoor.Zegost.48
AV ClamAV: Trojan.Spy-76825
AV Arcabit (arcavir): Backdoor.Generic.413692
AV BullGuard: Backdoor.Generic.413692
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanPSW.Bjlog
AV CAT (quickheal): TrojanDropper.Zegost.C5
AV Trend Micro: TROJ_BJ.7C63AE6E
AV Kaspersky: Trojan-PSW.Win32.Bjlog.dtwr
AV Zillya!: Trojan.Bjlog.Win32.11358
AV Emsisoft: Backdoor.Generic.413692
AV Ikarus: Trojan-PWS.Win32.Bjlog
AV Frisk (f-prot): W32/Zegost.C.gen!Eldorado
AV Authentium: W32/Zegost.C.gen!Eldorado
AV MalwareBytes: Backdoor.Zegost
AV MicroWorld (escan): Backdoor.Generic.413692
AV Microsoft Security Essentials: TrojanDropper:Win32/Zegost.B
AV K7: Password-Stealer ( 001947491 )
AV BitDefender: Backdoor.Generic.413692
AV Fortinet: W32/Bjlog.LBY!tr.pws
AV Symantec: Trojan Horse
AV Grisoft (avg): Dropper.Generic2.ABMZ
AV Eset (nod32): Win32/Redosdru.GL
AV Alwil (avast): Zegost-D [Drp]:Zegost-E [Drp]
AV Ad-Aware: Backdoor.Generic.413692
AV Twister: Trojan.0620A8F6C2540BE5
AV Avira (antivir): TR/PSW.Bjlog.lfzb
AV Mcafee: BackDoor-CEP.gen.cn

Runtime Details:

Process
↳ C:\malware.exe

Creates File: c:\ebbvyfyojn
Creates Process: C:\malware.exe a -sc:\malware.exe

Process
↳ C:\malware.exe a -sc:\malware.exe

Registry: HKEY_LOCAL_MACHINE\sOFtwaRe\fulmhfmpi\seRVicemAIN ➝ NPGetResourceParent\\x00
Registry: HKEY_LOCAL_MACHINE\sOFtwaRe\fulmhfmpiu\DependOnService ➝ NULL
Creates File: fulmhfmpi
Creates File: c:\Documents and Settings\Administrator\Local Settings\temp\tsdmcobhrj.dat
Creates File: C:\WINDOWS\system32\f5859b27.rdb
Deletes File: fulmhfmpi
Deletes File: c:\malware.exe
Starts Service: HidServ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Comhidserv70\Description ➝ Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: kquapdbnuv
Creates File: PhysicalDrive0
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Deletes File: kquapdbnuv
Deletes File: c:\ebbvyfyojn
Creates Mutex: Global\b405763378_8086j
Creates Mutex: eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1876

Process
↳ Pid 1176

Network Details:

DNS A  yuan.7cb.org ➝ 50.117.47.24
DNS A  qup.qh-lb.com ➝ 106.120.167.10
DNS A  qup.qh-lb.com ➝ 106.120.167.8
DNS A  qup.qh-lb.com ➝ 106.120.167.8
DNS A  qup.qh-lb.com ➝ 106.120.167.10
DNS A  qurl.qh-lb.com ➝ 101.199.109.144
DNS A  qurl.qh-lb.com ➝ 106.120.167.79
DNS A  qurl.qh-lb.com ➝ 106.120.167.79
DNS A  qurl.qh-lb.com ➝ 101.199.109.144
DNS A  qurl.qh-lb.com ➝ 101.199.109.144
DNS A  qurl.qh-lb.com ➝ 106.120.167.79
DNS A  qup.qh-lb.com ➝ 106.120.167.10
DNS A  qup.qh-lb.com ➝ 106.120.167.8
DNS A  d1z9e7acialubj.cloudfront.net ➝ 54.230.206.219
DNS A  d1z9e7acialubj.cloudfront.net ➝ 54.239.172.251
DNS A  d1z9e7acialubj.cloudfront.net ➝ 54.192.207.9
DNS A  d1z9e7acialubj.cloudfront.net ➝ 54.230.204.203
DNS A  d1z9e7acialubj.cloudfront.net ➝ 54.230.204.209
DNS A  d1z9e7acialubj.cloudfront.net ➝ 54.230.204.222
DNS A  d1z9e7acialubj.cloudfront.net ➝ 54.230.204.253
DNS A  d1z9e7acialubj.cloudfront.net ➝ 54.230.206.175
DNS A  sdup.qh-lb.com ➝ 0.0.0.0
DNS A  d1q7jy3ylnh6sp.cloudfront.net ➝ 54.230.206.11
DNS A  d1q7jy3ylnh6sp.cloudfront.net ➝ 54.230.206.72
DNS A  d1q7jy3ylnh6sp.cloudfront.net ➝ 54.230.207.130
DNS A  d1q7jy3ylnh6sp.cloudfront.net ➝ 54.239.172.170
DNS A  d1q7jy3ylnh6sp.cloudfront.net ➝ 54.192.207.223
DNS A  d1q7jy3ylnh6sp.cloudfront.net ➝ 54.230.204.119
DNS A  d1q7jy3ylnh6sp.cloudfront.net ➝ 54.230.204.153
DNS A  d1q7jy3ylnh6sp.cloudfront.net ➝ 54.230.205.189
DNS A  qd-b.code.qihoo.com ➝ 218.30.118.9
DNS A  qd-b.code.qihoo.com ➝ 218.30.118.9
DNS A  g2-b.stat.360safe.com ➝ 180.97.63.236
DNS A  g2-b.stat.360safe.com ➝ 106.38.184.104
DNS A  locini.gslb.360safe.com ➝ 101.226.161.214
DNS A  locini.gslb.360safe.com ➝ 220.181.150.161
DNS A  locini.gslb.360safe.com ➝ 220.181.150.162
DNS A  locini.gslb.360safe.com ➝ 220.181.150.219
DNS A  locini.gslb.360safe.com ➝ 220.181.159.91
DNS A  tr-b.p.360.cn ➝ 61.160.224.12
DNS A  tr-b.p.360.cn ➝ 61.160.224.13
DNS A  tr-b.p.360.cn ➝ 61.160.224.14
DNS A  tr-b.p.360.cn ➝ 180.153.227.61
DNS A  tr-b.p.360.cn ➝ 180.153.227.62
DNS A  tr-b.p.360.cn ➝ 180.153.227.168
DNS A  tr-b.p.360.cn ➝ 180.153.227.169
DNS A  tr-b.p.360.cn ➝ 61.160.224.11
DNS A  updateh-b.360safe.com ➝ 58.68.236.241
DNS A  www-b.360.cn ➝ 106.120.167.66
DNS A  g2-b.stat.360safe.com ➝ 106.38.184.104
DNS A  g2-b.stat.360safe.com ➝ 180.97.63.236
DNS A  dl.qhcdn.com ➝ 171.13.14.145
DNS A  dl.qhcdn.com ➝ 171.13.14.169
DNS A  dl.qhcdn.com ➝ 171.13.14.169
DNS A  dl.qhcdn.com ➝ 171.13.14.145
DNS A  dl.qh-lb.com ➝ 0.0.0.0
DNS A  www-b.360.cn ➝ 106.120.167.66
DNS A  www.360safe.com ➝ 54.251.107.25
DNS A  softm-b.update.360safe.com ➝ 180.153.230.27
DNS A  softm-b.update.360safe.com ➝ 180.153.230.28
DNS A  softm-b.update.360safe.com ➝ 220.181.158.158
DNS A  softm-b.update.360safe.com ➝ 220.181.158.159
DNS A  softm-b.update.360safe.com ➝ 106.120.168.93
DNS A  softm-b.update.360safe.com ➝ 106.120.168.94
DNS A  softm-s.update.360safe.com ➝ 123.125.80.23
DNS A  softm-s.update.360safe.com ➝ 123.125.80.24
DNS A  softm-s.update.360safe.com ➝ 61.240.140.65
DNS A  softm-s.update.360safe.com ➝ 61.240.140.66
DNS A  antispy.db.kingsoft.com ➝ 219.232.254.22
DNS A  bo.duba.net ➝ 119.147.146.155
DNS A  www.beike.cn ➝ 114.112.68.174
DNS A  rdr.kingsoft.com ➝ 115.182.195.29
DNS A  rdr.kingsoft.com ➝ 125.39.136.78
DNS A  forkingsoft.xdwscache.glb0.lxdns.com ➝ 8.37.231.21
DNS A  forkingsoft.xdwscache.glb0.lxdns.com ➝ 8.37.231.22
DNS A  forkingsoft.xdwscache.glb0.lxdns.com ➝ 8.37.231.20
DNS A  ifr.duba.net ➝ 127.0.0.1
DNS A  rdr.kingsoft.com ➝ 125.39.136.78
DNS A  rdr.kingsoft.com ➝ 115.182.195.29
DNS A  f-signs.duba.net ➝ 121.14.11.28
DNS A  f-signs.duba.net ➝ 121.14.11.167
DNS A  api.pc120.com ➝ 119.147.146.126
DNS A  hd.duba.net ➝ 114.112.93.21
DNS A  yd.ecoma.glb0.lxdns.com ➝ 61.140.13.87
DNS A  yd.ecoma.glb0.lxdns.com ➝ 61.140.13.80
DNS A  yd.ecoma.glb0.lxdns.com ➝ 61.140.13.81
DNS A  yd.ecoma.glb0.lxdns.com ➝ 61.140.13.85
DNS A  z.rising.com.cn ➝ 211.103.159.82
DNS A  z.rising.com.cn ➝ 211.103.159.83
DNS A  z.rising.com.cn ➝ 211.103.159.73
DNS A  z.rising.com.cn ➝ 211.103.159.74
DNS A  z.rising.com.cn ➝ 211.103.159.75
DNS A  z.rising.com.cn ➝ 211.103.159.76
DNS A  z.rising.com.cn ➝ 211.103.159.77
DNS A  z.rising.com.cn ➝ 211.103.159.78
DNS A  z.rising.com.cn ➝ 211.103.159.79
DNS A  z.rising.com.cn ➝ 211.103.159.80
DNS A  z.rising.com.cn ➝ 211.103.159.81
DNS A  gnop008.tlgslb.com ➝ 116.10.187.119
DNS A  gnop008.tlgslb.com ➝ 116.10.187.120
DNS A  gnop008.tlgslb.com ➝ 116.10.187.110
DNS A  gnop008.tlgslb.com ➝ 116.10.187.111
DNS A  gnop008.tlgslb.com ➝ 116.10.187.112
DNS A  gnop008.tlgslb.com ➝ 116.10.187.118
DNS A  m.rising.com.cn ➝ 211.103.159.158
DNS A  m.rising.com.cn ➝ 211.103.159.159
DNS A  m.rising.com.cn ➝ 211.103.159.160
DNS A  m.rising.com.cn ➝ 211.103.159.161
DNS A  m.rising.com.cn ➝ 211.103.159.162
DNS A  m.rising.com.cn ➝ 211.103.159.163
DNS A  m.rising.com.cn ➝ 211.103.159.164
DNS A  m.rising.com.cn ➝ 211.103.159.165
DNS A  m.rising.com.cn ➝ 211.103.159.166
DNS A  m.rising.com.cn ➝ 211.103.159.167
DNS A  m.rising.com.cn ➝ 211.103.159.168
DNS A  m.rising.com.cn ➝ 211.103.159.169
DNS A  m.rising.com.cn ➝ 211.103.159.170
DNS A  m.rising.com.cn ➝ 211.103.159.86
DNS A  m.rising.com.cn ➝ 211.103.159.151
DNS A  m.rising.com.cn ➝ 211.103.159.152
DNS A  m.rising.com.cn ➝ 211.103.159.153
DNS A  m.rising.com.cn ➝ 211.103.159.154
DNS A  m.rising.com.cn ➝ 211.103.159.155
DNS A  m.rising.com.cn ➝ 211.103.159.157
DNS A  reportq.rising.com.cn ➝ 211.103.159.101
DNS A  reportq.rising.com.cn ➝ 211.103.159.107
DNS A  reportq.rising.com.cn ➝ 211.103.159.109
DNS A  reportq.rising.com.cn ➝ 211.103.159.97
DNS A  reportq.rising.com.cn ➝ 211.103.159.100
DNS A  gnop008.tlgslb.com ➝ 116.10.187.118
DNS A  gnop008.tlgslb.com ➝ 116.10.187.119
DNS A  gnop008.tlgslb.com ➝ 116.10.187.120
DNS A  gnop008.tlgslb.com ➝ 116.10.187.110
DNS A  gnop008.tlgslb.com ➝ 116.10.187.111
DNS A  gnop008.tlgslb.com ➝ 116.10.187.112
DNS A  xnop007.tlgslb.com ➝ 117.42.74.147
DNS A  xnop007.tlgslb.com ➝ 117.42.74.137
DNS A  support.eset.com.cn ➝ 42.120.44.60
DNS A  a2047.x.akamai.net.0.1.cn.akamaitech.net ➝ 23.3.97.131
DNS A  a2047.x.akamai.net.0.1.cn.akamaitech.net ➝ 23.3.97.152
DNS A  a2047.x.akamai.net.0.1.cn.akamaitech.net ➝ 23.3.97.153
DNS A  a2047.x.akamai.net.0.1.cn.akamaitech.net ➝ 23.3.97.160
DNS A  a2047.x.akamai.net.0.1.cn.akamaitech.net ➝ 23.3.97.162
DNS A  a2047.x.akamai.net.0.1.cn.akamaitech.net ➝ 23.3.97.176
DNS A  a2047.x.akamai.net.0.1.cn.akamaitech.net ➝ 23.3.97.107
DNS A  a2047.x.akamai.net.0.1.cn.akamaitech.net ➝ 23.3.97.113
DNS A  a2047.x.akamai.net.0.1.cn.akamaitech.net ➝ 23.3.97.121
DNS A  e1793.b.akamaiedge.net ➝ 23.220.247.223
DNS A  gtm-tnt.avg.com ➝ 173.245.115.70
DNS A  gtm-self.avg.com ➝ 212.96.161.252
DNS A  mmi.explabs.net ➝ 204.193.144.11
DNS A  a568.d.akamai.net ➝ 23.3.98.25
DNS A  a568.d.akamai.net ➝ 23.3.98.41
DNS A  a1639.g1.akamai.net.0.1.cn.akamaitech.net ➝ 184.86.240.81
DNS A  a1639.g1.akamai.net.0.1.cn.akamaitech.net ➝ 184.86.240.74
DNS A  cm-p.activeupdate.trendmicro.cncssr.chinacache.net ➝ 211.90.30.93
DNS A  cm-p.activeupdate.trendmicro.cncssr.chinacache.net ➝ 61.179.105.132
DNS A  dnl-01.geo.kaspersky.com ➝ 4.28.136.42
DNS A  rsup1.rising.com.cn ➝ 219.238.233.223
DNS A  conf.f.360.cn ➝ (no answer recorded)
DNS A  qup.f.360.cn ➝ (no answer recorded)
DNS A  u.qurl.f.360.cn ➝ (no answer recorded)
DNS A  qurl.f.360.cn ➝ (no answer recorded)
DNS A  sdup.360.cn ➝ (no answer recorded)
DNS A  sdupm.360.cn ➝ (no answer recorded)
DNS A  qd.code.360.cn ➝ (no answer recorded)
DNS A  qd.code.qihoo.com ➝ (no answer recorded)
DNS A  stat.360safe.com ➝ (no answer recorded)
DNS A  stat-s.360safe.com ➝ (no answer recorded)
DNS A  update.360safe.com ➝ (no answer recorded)
DNS A  update-s.360safe.com ➝ (no answer recorded)
DNS A  tr.p.360.cn ➝ (no answer recorded)
DNS A  updateh.360safe.com ➝ (no answer recorded)
DNS A  w.360.cn ➝ (no answer recorded)
DNS A  stat.sd.360.cn ➝ (no answer recorded)
DNS A  sdl.360safe.com ➝ (no answer recorded)
DNS A  dl.360safe.com ➝ (no answer recorded)
DNS A  www.360.cn ➝ (no answer recorded)
DNS A  softm.update.360safe.com ➝ (no answer recorded)
DNS A  f-sq.beike.cn ➝ (no answer recorded)
DNS A  vc01.beike.cn ➝ (no answer recorded)
DNS A  push.www.duba.net ➝ (no answer recorded)
DNS A  www.duba.net ➝ (no answer recorded)
DNS A  vi.pc120.com ➝ (no answer recorded)
DNS A  www.rising.com.cn ➝ (no answer recorded)
DNS A  rsdownload.rising.com.cn ➝ (no answer recorded)
DNS A  msginfo.rising.com.cn ➝ (no answer recorded)
DNS A  rsdownauto.rising.com.cn ➝ (no answer recorded)
DNS A  kaspersky.fastcdn.com ➝ (no answer recorded)
DNS A  update.nai.com ➝ (no answer recorded)
DNS A  guru.avg.com ➝ (no answer recorded)
DNS A  gtm-nyc.avg.com ➝ (no answer recorded)
DNS A  gtm-hkg.avg.com ➝ (no answer recorded)
DNS A  liveupdate.symantecliveupdate.com ➝ (no answer recorded)
DNS A  ll002.avast.com ➝ (no answer recorded)
DNS A  iau.trendmicro.com.cn ➝ (no answer recorded)
DNS A  cu001.www.duba.net ➝ (no answer recorded)
Flows TCP: 192.168.1.1:1032 ➝ 50.117.47.24:8086

Raw Pcap
0x00000000 (00000)   63623173 744402                       cb1stD.
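
Of everything in Network Details, only one lookup leads anywhere the sample actually connected: yuan.7cb.org resolved to 50.117.47.24, and the single TCP flow went to that address on port 8086 (the same port that is embedded in the mutex name Global\b405763378_8086j), carrying the seven bytes shown in the raw pcap above. The remaining names are update, statistics and download hosts of 360/Qihoo, Kingsoft/Duba, Rising, ESET, Trend Micro, Kaspersky, McAfee (nai.com), AVG, Symantec and Avast, plus CDN hostnames, and a few answers are 0.0.0.0 or 127.0.0.1. The Python below is an added example and is not part of the report: it parses the report's hexdump line into bytes, emits a Suricata content rule for the beacon, and sorts the DNS answers (a subset copied from the report) into buckets so that the command-and-control candidate is separated from vendor, null and unresolved answers. The vendor suffix list, the Suricata sid and the rule message are assumptions made for this example.

```python
"""Indicator extraction from the sandbox report's Network Details.

Added example, not part of the report. The pcap line, TCP flow and DNS
answers below are copied from the report (DNS is a subset); the vendor
suffix list, the Suricata sid and the rule text are assumptions.
"""
import ipaddress
import re

RAW_PCAP_LINE = "0x00000000 (00000)   63623173 744402                       cb1stD."
TCP_FLOWS = [("192.168.1.1", 1032, "50.117.47.24", 8086)]  # (src, sport, dst, dport)
DNS_ANSWERS = [  # (name, address or None), copied from the report
    ("yuan.7cb.org", "50.117.47.24"),
    ("qup.qh-lb.com", "106.120.167.10"),
    ("qup.qh-lb.com", "106.120.167.10"),  # repeated lookup, as in the report
    ("sdup.qh-lb.com", "0.0.0.0"),
    ("d1z9e7acialubj.cloudfront.net", "54.230.206.219"),
    ("ifr.duba.net", "127.0.0.1"),
    ("m.rising.com.cn", "211.103.159.158"),
    ("dnl-01.geo.kaspersky.com", "4.28.136.42"),
    ("gtm-tnt.avg.com", "173.245.115.70"),
    ("update.nai.com", None),
    ("liveupdate.symantecliveupdate.com", None),
]
# Assumption: domain suffixes that belong to the AV vendors seen in the report.
AV_VENDOR_SUFFIXES = (
    "360.cn", "360safe.com", "qihoo.com", "qh-lb.com", "qhcdn.com",
    "kingsoft.com", "duba.net", "beike.cn", "pc120.com", "rising.com.cn",
    "eset.com.cn", "trendmicro.com.cn", "kaspersky.com", "nai.com",
    "avg.com", "symantecliveupdate.com", "avast.com",
)


def parse_hexdump_line(line):
    """Turn one 'offset (decimal)   hex words   ascii' report line into bytes.

    The hex words are separated by single spaces; the ASCII column follows a
    run of two or more spaces, so splitting on that gap isolates the hex part.
    """
    body = line.split(")", 1)[1].strip()
    hex_col = re.split(r"\s{2,}", body, maxsplit=1)[0]
    return bytes.fromhex(hex_col.replace(" ", ""))


def suricata_rule(payload, dst_port, sid):
    """Suricata rule matching the observed beacon at the start of the payload."""
    hex_content = " ".join(f"{b:02x}" for b in payload)
    return (
        f"alert tcp $HOME_NET any -> $EXTERNAL_NET {dst_port} "
        f'(msg:"Sandbox-observed {len(payload)}-byte beacon to TCP/{dst_port}"; '
        f'flow:established,to_server; content:"|{hex_content}|"; '
        f"depth:{len(payload)}; sid:{sid}; rev:1;)"
    )


def _is_vendor(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify_dns(answers, flows, vendor_suffixes=AV_VENDOR_SUFFIXES):
    """Bucket unique (name, address) pairs.

    An address that also appears as a flow destination wins over every other
    bucket, so a vendor-looking name that the sample really talked to would
    still surface as a C2 candidate.
    """
    flow_dsts = {dst for (_src, _sport, dst, _dport) in flows}
    buckets = {"c2_candidate": [], "null_or_loopback": [], "av_vendor": [],
               "unresolved": [], "other": []}
    seen = set()
    for name, addr in answers:
        if (name, addr) in seen:
            continue
        seen.add((name, addr))
        if addr is None:
            bucket = "unresolved"
        elif addr in flow_dsts:
            bucket = "c2_candidate"
        elif ipaddress.ip_address(addr).is_unspecified or ipaddress.ip_address(addr).is_loopback:
            bucket = "null_or_loopback"
        elif _is_vendor(name, vendor_suffixes):
            bucket = "av_vendor"
        else:
            bucket = "other"
        buckets[bucket].append((name, addr))
    return buckets


if __name__ == "__main__":
    beacon = parse_hexdump_line(RAW_PCAP_LINE)
    print(beacon, suricata_rule(beacon, TCP_FLOWS[0][3], 9000001), sep="\n")
    for bucket, entries in classify_dns(DNS_ANSWERS, TCP_FLOWS).items():
        print(bucket, entries)
```

The "other" bucket (here the CloudFront names) is the part that still needs a human: a CDN hostname cannot be attributed from the report alone, and the 0.0.0.0 and 127.0.0.1 answers are worth noting because they show which vendor hosts the sandbox environment blocked rather than what the sample chose to do.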


Strings
i
U
\
\
R
Goba\ki
r
.X
s
f.F
d
.jz\cMd.eXE
.
i.
{
.
v..
g
.
s
@
`@.
.p..
.
.
\
[
cb1s
.
y
.|..
~x
u
.
t}
w
.{pe
hh
.
.
d
.
.
.
.
.
.
.
XI

080404B0
!1Aa
#+3;CScs
6.3.0004.1
6.3.0004.1 built by: dnsrv
(C) Microsoft Corporation. All rights reserved.
CompanyName
FileDescription
FileVersion
InternalName
jjjj
jjjjj
LegalCopyright
Microsoft Corporation
Microsoft(R) Windows(R) Operating System
OriginalFilename
ProductName
ProductVersion
SPUNINST.EXE
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
Windows Service Pack Uninstall    
 (#!'-
'',)*+
"     "
&,?;,<*
###/  "
								
0,0`0k0
0'0=0O0w0~0
$0/0.181]1g1
&0[0b0
0;0h0q0
0:0P0X0^0j0
0"121W1
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvw
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 0123'567?9:;<=>?@ABCDEFG
;01;%>6>z
0'1i1}1
0`1l1s1
0'1M1u1
034567
040@0H0x0
=0=>=e=
0H0_0f0
;*<0<I<U<a<
;0<J<]<
.0J0Q0
>$>0>L>U>f>r>
@0T0i0
0U0[0`0m0
0V1\1`1d1h1l1p1t1x1|1
$0Y0_0d0
1 1<1H1d1l1x1
1!1=1n1x1
1-171?1E1h1y1
1!181O1[1g1s1
 1.2.3
1&232p2
1&2T2Z2g2m2s2x2
131:1?1E1K1Q1W1]1c1i1o1u1
 1317131?1317131/
+ 13!75,1d&*.>`,?<RS7&s3v=/9=s0:
$(17%+%";i9.8MNO9?$28<2w40.>.<2p
:*:1:7:J:g:l:
=1=7=l=r=
<<:)1*_@abc
<1<A<Q<i<
1C2R2W2^2d2j2r2{2
1H2L2P2T2X2\2`2d2h2l2p2
=%>1>K>P>l>x>
1O1Z1y1
1_St<ShH?
??1type_info@@UAE@XZ
%1:[$ u
>%?,?2?
2 2$2(2
2!2-292E2Q2]2i2x2
2&2:2g2}2
222J2P2\2c2l2w2
2*282T2l2s2
2+2G2[2
2<2N2c2n2u2
2	3%373C3H3k3
2)3d3k3x3
2^3p3v3{3
242@2\2h2
&2*8.233-_3
>$>2>A>
:2;=;D;
<2=>=I=
:2NWM!3\Yr]bY"5;Qq+##TZC
2R6X6^6d6j6p6v6|6
~2<S% &y)1w7>s=0
:$2;\%#t
??2@YAPAXI@Z
<	3)):0
#"32-,/.)(+*%$'&!F;{
3#3/3>3J3V3b3n3z3
3@3`3v3
3,343@3\3h3
3/3a3j3{3
3 3d3m5r5
3=3H3l3
3,434M4S4X4j4t4
3(444<4H4P4
3$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
<3=<=C=
<,=3=D=^=
3d3j3u3
?(?3?f?m?
?3?P?a?g?m?x?
-&4(;&,?
/!"#$%&'()*+4
424K4g4
445:5D5K5Q5V5[5a5
4%484H4Q4[4s4
4<4A4T4^4i4p4
4)4C4J4]4m4
4	5.5?5e5
4 5<5s5y5
4(5A5`5k5r5
4*5F5S5
>$>,>4>:>C>o>
4D5R5h5
4"-IJK
> >4>M>n>
4=swlh~n)d eyp|ty|x9{vw
:4:T:x:
515R5X5{5
 54!&$8LMNO
5(5 =$=
5&5\5{5
5-5:5N5S5]5l5{5
5 5(5X5l5x5
5'575C5T5h5p5
5:5J5Q5o5
5 6>6E6
5+6B6J6j6
595G5v5{5
=/=5=F=c=w=
:5;:;?;I;P;u;};
=5>=>L>W>a>
<[(5M<O
61qbb`(dgd
627H7Y7_7f7m7
63696C6N6|6
6/666K6Y6a6
666K6v6
6</+<,:<&,68
6:6B6I6
6(6D6P6l6t6|6
6 6P6s6
676J6[6l6w6
6$7=7H7Y7p8v8
6b7p7x7~7
/6bc47/17 $88?;,$8==tuvw17.$3+;-
6K6^6r6
?*?6?R?[?o?{?
7#7)707E7P7]7c7q7
7$777A7h7
7 7<7D7P7l7x7
7:7@7v7
7*787<7@7D7H7L7P7T7
<7@7D7H7X7\7`7d7h7x7
7>7H7O7k7~7
7>7N7W7l7
7;7T7Z7c7y7
7.848v8
7#8?8E8Z8d8
7%8^8k8w8
<%=7=U=
+;'> 8
80868L8
>?<812 <99x
83!&bc 
>$8&<456TUVW
.84<iir923`
8 82888>8D8J8P8V8\8b8h8n8t8z8
8%838C8T8`8k8
8*868Z8l8y8
8-878L8^8
8%8+828<8A8G8M8R8W8^8y8
8 8$8(8,80848H8X8\8`8d8h8
8)8g8o8u8
8 8T8Z8n8
898P8d8{8
8/9E9d9
89:;wWYQ
8A9e9{9
8E9L9_9u9
919S9j9
939>9E9M9S9c9j9z9
9):4:@:P:^:{:
=,=9=6>S>u>
996<9/520,<
9*979P9Z9
9!9(989P9
9 9$9(9
9&9J9Y9z9
9A:I:Q:`:
9D9Y9|9
9D:J:[:w:
9G9a9|9
9P9T9X9\9`9d9h9l9p9
~(9~$u
`abc-)*"/(&4%#=;"$1'=:8w9+(:%"<0
_`abcdefghijklmnopqrstuvwxyz{|}~
`abcdefghijklmnoPQRSTUVWXYZ[\]^_@ABCDEFG89:;<=>?JABC ,0?
`abcdefghijklmnoPQRSTUVWXYZ[\]^_@ABCDEFGHIJKLMNO0123456789:;<=>? !"#$%&'()*+,-./
_acmdln
AddAccessAllowedAce
AddAce
_adjust_fdiv
AdjustTokenPrivileges
Advapi32
ADVAPI32.dll
AecivreSnepO
AemaNyalpsiDecivreSteG
AemaNyeKecivreSteG
;';A;J;
AllocateAndInitializeSid
>#>A>M>
<AtG<BtC
.?AVtype_info@@
b`}09:WQYZ
#/BC )h6 d&)b.!"PQRS09xdni)::8p<
}bdpfa8stu
_beginthreadex
bh{}?gcptbr6*,+o|xz
:-;B;I;a;s;
*!"#bIG@[
BKD)J2^.
BlockInput
BMN$%&'_^]
bRJTi^NKW\%adc* 2vh<9.>m):5"&s{423x
Btimzj--
=B=_=w=
C4u	^]
CallNextHookEx
cba9jpirrz0|OL
cc|efg
ChangeServiceConfig2A
ChangeServiceConfigA
CloseClipboard
CloseHandle
CloseServiceHandle
closesocket
<%<c<n<
_controlfp
ControlService
CopyFileA
CreateCompatibleBitmap
CreateDirectoryA
CreateEventA
CreateFileA
CreateProcessA
CreateServiceA
CreateThread
CreateToolhelp32Snapshot
c@TD^V>5672z[WP
@"!C !"#t@HCAGMmEAK}U_S^QzFRJXNRSSM
__CxxFrameHandler
D$ _^][
D$0UVP
D$0WPj
D$4_^][
D$4PSSSSSU
D$(8D*
D$8jdPV
D$8j$Pj
D$8RPj
`.data
DD]A]Z\BZF
_^defg
 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly 
DeleteCriticalSection
DeleteFileA
DeleteService
Description
D$(_^]f
D$.f;C4t#f=
D$ GBf;
D$@hHD
D$@j0PQ
D$,jdPV
D$,j.P
: :D:K:h:n:
D$LRPV
D$,PUUWQ
:#:D:Q:\:
D$ Qhp
D$,RPj
D$,RPQ
drprov.dll
D$$SPhdivxhvidc
DSpQPj
D$$SUV
D$ UPj
D$ UPQ
eEQZ;DE#%8SO[T5do3"H6=%LRHM"AYMF'
;-<E<L<
eludom
EnumWindows
>E?O?a?z?
:E:o:u:
eQpjrljbol
EqualSid
ES6&OP-
es"`vf&jazgjxnf
<E<U<q<
ewh/?y
_except_handler3
ExitProcess
ExitThread
ExpandEnvironmentStringsA
eyroegu)fl~
f9s4tG
fegConnectRegistryA
F{fpws
FlashWindow
Flf+Fp
FLvidc
;.<f<n<
f;n4}N
fODL\WiSRJ
;;?=>?Fr@CVvDGHIJKT
FreeLibrary
FreeSid
FTj RP
:$;F;W;
fXDAYN@X
GDI32.dll
GetAce
GetAclInformation
GetActiveWindow
GetCommandLineA
GetConsoleTitleA
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileAttributesA
GetFileSecurityA
GetFileSize
GetLastError
GetLengthSid
GetLocalTime
GetLogicalDriveStringsA
__getmainargs
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetProcessHeap
GetProfilesDirectoryA
getprotobynumber
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetStartupInfoA
GetSystemDirectoryA
GetSystemInfo
GetSystemMetrics
GetTempPathA
GetTickCount
GetUserProfileDirectoryA
GetVolumeInformationA
GetWindowTextA
g@HSZHF{^BMJCB]Ah
GK&'[M_[A
;.<G<Q<Z<
>G?V?d?
GX]_[Y
@~`gZ`{u}k
H*0"ZOW
hdivxhvidc
>(?<?H?d?p?
@H@HDY
:':H:h:l:p:t:x:|:
_hLnszgcDg
HLRBZHF
>H?W?_?
:H:W:~;
@HXO[L\JLUW@WG_GLPUU@NglTDO
hxvidhvidc
i}4xsy{1
ICGetInfo
@.idata2
Idvkirtrx0oBJ"#
IiGM>nw
ImagePath
IMM32.dll
ImmGetCompositionStringA
ImmGetContext
ImmReleaseContext
imz~TD
  inflate 1.2.3 Copyright 1995-2005 Mark Adler 
InitializeAcl
InitializeCriticalSection
InitializeSecurityDescriptor
_initterm
InterlockedExchange
iogw*ajk
iphlpapi.dll
{is2SDNE
IsBadReadPtr
IsBadWritePtr
IsWow64Process
<I<U<`<
=I=x=7?
JAZPTT\\FXW[GVJ^N\P[ !"#mkpfd`ntdl`k|t23}{`vtp~dxtmo
JC\123
JEF,-./WE_
=jfy}ttvNtrGEQC
@J%&'@M
?'?J?p?
`j|" =pyz
@JwqsUCWMJHTt{n{
jX[\]^_H
>J>Y>x>
>.>K>^>{>
K[,3((Y[
kernel32
kerNEl32
kernel32.dll
KERNEL32.dll
k- exe.tsoh
kpdateCrc
KtQ5Zb
kyc"xzu=ucq9{vw
L$ _^]
L$0PQh
L$0RWPj
L$4QRPVShx#
L$4Vhx
l!;b	F
L$ C_^f
L$d_^][d
L$D_^][d
LeaveCriticalSection
L$(@Ef;
leNyo_`
L$@EPQUh
,#l +(FG;-?;b~x
lfJk|9
l$,f;n4
:):L:i:
L$$j0QR
L$ jdQU
L![#j%G'E)O+,-./
lJKfcdO
L$,j Q
L\Lf9t\L
llX%ik\labolGs%s%
[-&LMb#{'
 LMNO~n
;<=>?lNEJGDJ
LoadLibraryA
LocalAlloc
LocalSystem
LookupAccountNameA
LookupAccountSidA
LookupPrivilegeValueA
L$$PQj
L$@PQUh
LsaFreeMemory
L$ SQj
lstrcmpA
lstrcmpi
lstrcmpiA
L$\t8;
L$T9)t	@
L$tjdQV
l$(tmWU
L$TPQj
L($./wwh#$%J
M@]123PZAYTV[_O
:M263u
malloc
M}~cyrsg}zx
M,-./e
memcpy
memmove
memset
MessageBoxA
Mij}uba345Peyt
mixerOpen
mj>zjZ
mkpfd`n+hd}{q
MK!")yNEFG
 MNO~244TUVW<
MoveFileA
msCDY_TYMSTR
msvcrt.dll
MSVCRT.dll
MSVFW32.dll
|$$MZu'
=>?n3&!DEFGEC
NbRbhusx}i{PBKG@P%&'F]NG@
netsvcs
Netsvcs
Nfoeyalzf
Niamecivres
NIAmeciVRes
NPAddConnection
NPAddConnection3
NPCancelConnection
NPCloseEnum
NPEnumResource
NPGetCaps
NPGetConnection
NPGetResourceInformation
NPGetResourceParent
?*?N?U?
Nxf+Fd
o#(!'18*4
<%<:<O<d<
 ODMKel~`QWTBF]iDBY\@\bWGhfSENPY^Oa
Oh?PCy26
ole32.dll
OLEAUT32.dll
+o-O/@1F3A5D7]9
OOFFNGBB
OOsQRSIfTW
OpenClipboard
OpenEventA
OpenEventLogA
OpenInputDesktop
OpenProcessToken
OpenSCManagerA
OpenServiceA
OT]+/:,>&cc|789V
:O:Z:k:
OZw3(?
]P-ABC"h5./'9e(8,.~?7'TUVW.0t+?lloN
\parameters
PathFileExistsA
__p__commode
__p__fmode
 Phvidc
P~k{ea<vlpi
pqrsQDvwZ\K{Y
pqrstuvwxyz{|}~
PQRUSP
P[QS7QWLZPTZ
Process32First
Process32Next
PSAPI.DLL
pubzyxdjdbj
Q]4567K]OK
Qkkbal
QRSj j
qrs)uvwusz{#
QSSSSSSSSj
QSUVWj
QSVW`d
Qubf|lIyo
QueryServiceConfigA
QueryServiceStatus
qv4vys}
{r(">"
RaiseException
rameters
`.rdata
ReadConsoleOutputA
realloc
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegRestoreKeyA
RegSaveKeyA
RegSetKeySecurity
RegSetValueExA
.reloc
rEmOtErEgastRY
Rhvidc
Rich);7
RPQhT!
 RQhH?
rs',%#=4&8	
_RS?'5/n0+2i)?-e/"#O7$ &z4 0v:56\]^_
 r"'wr"w
^RY]_I
S,_^]3
%s a -s
Sdavvlr~
SeBackupPrivilege
SeRestorePrivilege
SESSIONNAME
%SESSIONNAME%
%SESSIONNAME%\
__set_app_type
SetClipboardData
SetConsoleCtrlHandler
SetConsoleOutputCP
SetConsoleScreenBufferSize
SetEnvironmentVariableA
SetFileAttributesA
SetFilePointer
SetFileSecurityA
SetFileTime
SetProcessWindowStation
SetSecurityDescriptorDacl
SetUnhandledExceptionFilter
__setusermatherr
SetWindowsHookExA
SHCopyKeyA
SHDeleteKeyA
SHELL32.dll
SHGetValueA
SHLWAPI.dll
SleepEx
sOFtwaRe\
SOFtWaRe\
SOFTWARE\mIcRoSoFt\wINDoWS nt\currentVerSioN\sVChoST
%sot%%\System32\svc%s %s%s%s
SSSSh ]
SSSShl
 SSSVhP:
SSVhP=
StartServiceA
strcmp
strcpy
strncmp
_strupr
SUVWh0
SUVWj0PQ
SUVWjFhHD
 SUVWP
SUVWPh
SUVWPhH
s]VfvhUbz
SYSTEM\CurrentControlSet\seRviCes\
%SystemRo
>:>S>Z>s>
><>T>|>
T$0j-R
T$0Rh?
;T$0sP;t$4sJ
T$4PRPP
T$4Qh?
T$4@QR
T$4RSS
T$4RVVVUP
T$9UUf
+;[TD>3
\temp\
^TF3UE_
T$,f;V4u
!This program cannot be run in DOS mode.
tJ<\u8
tKWWWWWWWWh
T$LQRP
~+tn{`dl"nab>r|
tolower
T$(PPRh4
T$@Qh?
T$<@QR
T$(QRU
T$<QRV
T$,Rh4
T$,RPQSUhx#
T$,RUQWP
=>=T=s=
ts9_ tn9_$ti
t\Shdivxhvidc
T$$SRh
tvmqoYEhfgohxdaacMbq
t$ WV2
u\]^_&
u5PPPPPP
u&9}$u!
*`ua`7{p2w}ih?fxnm
ua(dgmo%}df`
\U~I_lebTO
UPdatecXc
u&Ph\ 
USER32.dll
USERENV.dll
ush~LHF
VCS()*+ECM@BCWP@
 VKMIH
vppppppppppppp
VW<7	:
V_:X1:
^VZ#*BC-+0&$ .k;$ +?&r =/3W-7153*0
W(9W$u
WaitForSingleObject
waveInGetDevCapsA
waveInOpen
waveOutOpen
waveOutReset
wcstombs
WdkwdlMymoljb
WININET.dll
WINMM.dll
Wj2WQj
w+OQvr
WPSVh`
WriteFile
WS2_32.dll
wsprintfA
WTSAPI32.dll
|$ WUSV
ww|yz{\I|
WZ[7ONM
_XcptFilter
{xIOVKV@GCMQ*+{D@C_V]]4567|WIiY^QM$
xvidumj
xyz{|}~
>$?:?Y?
 _^][Y
y}{bx7p|{
y~k}##<wxy
Ylopqrs
yM_0123q[WUT\yTR^KM2$,7
yo>yL@EP
yS-=WC
yz{,}~
;!<Z<e<
)\ZEo^m/
ZvSvaw
;z=W?,A6C!E4GHIJK
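
The runtime details show the persistence chain: a second copy is started as `malware.exe a -s<path>`, which is the `%s a -s` format string from this dump filled in; a ServiceMain value is written that names NPGetResourceParent, one of the NP* network-provider export names listed here next to drprov.dll; a .rdb file is dropped into system32, the HidServ service is started, and the original file is deleted. Together with the svchost path fragments (`%SystemRo`, `%sot%%\System32\svc%s %s%s%s`, `k- exe.tsoh`) and `netsvcs`, this is consistent with a service DLL loaded through svchost. The strings section also shows why a plain grep for service APIs misses this sample: names such as `AecivreSnepO` and `AemaNyalpsiDecivreSteG` are stored reversed, registry paths are case-scrambled (`sOFtwaRe\`, `SOFTWARE\mIcRoSoFt\wINDoWS nt\currentVerSioN\sVChoST`), and a few are off by one character (`rEmOtErEgastRY`, `fegConnectRegistryA`). The version resource (Microsoft, SPUNINST.EXE) is copied metadata and says nothing about origin. The Python below is an added example, not part of the report or of any tool named on it: it applies the cheap normalisations an analyst tries by hand (reverse, case-fold, one edit of distance) to strings copied from this dump and maps each hit to a canonical name. The reference list and the thresholds are assumptions chosen for this sample; real triage would use the full export tables of advapi32 and kernel32 and the usual persistence key paths.

```python
"""Recover reversed, case-scrambled and slightly mangled names from a strings dump.

Added example, not part of the report. REPORT_STRINGS is copied from the
report's Strings section; KNOWN_FRAGMENTS and the matching thresholds are
assumptions chosen for this sample.
"""

REPORT_STRINGS = [
    "AecivreSnepO", "AemaNyalpsiDecivreSteG", "AemaNyeKecivreSteG",
    "Niamecivres", "NIAmeciVRes", "rEmOtErEgastRY", "fegConnectRegistryA",
    "k- exe.tsoh", "sOFtwaRe\\", "SOFtWaRe\\",
    "SYSTEM\\CurrentControlSet\\seRviCes\\",
    "SOFTWARE\\mIcRoSoFt\\wINDoWS nt\\currentVerSioN\\sVChoST",
    "netsvcs", "Netsvcs", "OpenSCManagerA", "NPGetResourceParent",
    "Goba\\ki", "cb1s", "xvidumj", "drprov.dll",  # unrelated entries, must not match
]

# Assumption: a hand-picked reference list for this sample.
KNOWN_FRAGMENTS = {
    "OpenServiceA", "OpenSCManagerA", "GetServiceDisplayNameA",
    "GetServiceKeyNameA", "RegConnectRegistryA", "RemoteRegistry",
    "ServiceMain", "NPGetResourceParent", "netsvcs", "host.exe -k",
    "SOFTWARE\\", "SYSTEM\\CurrentControlSet\\Services\\",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost",
}


def levenshtein(a, b):
    """Edit distance by plain dynamic programming; fine for short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def recover(strings, known=KNOWN_FRAGMENTS, max_dist=1, min_len=8):
    """Map each raw string to (canonical name, how it was hidden).

    Each string is tried as-is and reversed. For each form: exact match,
    then case-folded match, then a near miss of at most max_dist edits.
    Near misses are only considered for strings of at least min_len
    characters so that the short junk entries in a dump cannot collide.
    """
    by_lower = {k.lower(): k for k in known}
    hits = {}
    for raw in strings:
        for reverse in (False, True):
            cand = raw[::-1] if reverse else raw
            how = "reversed" if reverse else "as-is"
            if cand in known:
                canonical = cand
            elif cand.lower() in by_lower:
                canonical, how = by_lower[cand.lower()], how + "+case-folded"
            elif len(cand) >= min_len:
                dist, key = min((levenshtein(cand.lower(), k), k) for k in by_lower)
                if dist > max_dist:
                    continue
                canonical, how = by_lower[key], f"{how}+case-folded+near-miss(d={dist})"
            else:
                continue
            hits[raw] = (canonical, how)
            break
    return hits


if __name__ == "__main__":
    for raw, (name, how) in recover(REPORT_STRINGS).items():
        print(f"{raw!r:60} -> {name!r:58} [{how}]")
```

The near-miss step is what catches `rEmOtErEgastRY` and `fegConnectRegistryA`; without the length floor it would also start pairing the one- and two-character entries at the top of the dump with short reference names, which is why the floor is applied before the edit-distance scan rather than after.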