Analysis Date: 2015-07-29 15:16:33
MD5: abda18b91a3025dac062b58fbcbae68d
SHA1: bf47620797f9d87741c13a3275ec2b442faa48d5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE (md5: 146a85996ec983140cace6b8e1c5e83f, sha1: 1ce44091521a5e990427fa229336bf1560d7981c, size: 19192)
Section .data (md5: 61e2864b5f89ec0f6c294c5c6717326e, sha1: c8d7c088c06a61b01ebfe1551e24a2789c7b3516, size: 170384)
Section .rsrc (md5: 616d25b4d6b22b2bccf1a51a19bc7f51, sha1: 9e2842c7b606270acb13dddc699d4eff4e9bc5c2, size: 1952)
Section .idata2 (md5: de557d7c4177caf67c6461f82c4d050e, sha1: acf7bf1a05bfeac8df16cde96282494c90192735, size: 2048)
Timestamp: 2010-07-14 22:03:32
Version info:
LegalCopyright: (C) Microsoft Corporation. All rights reserved.
InternalName: SPUNINST.EXE
FileVersion: 6.3.0004.1 built by: dnsrv
CompanyName: Microsoft Corporation
ProductName: Microsoft(R) Windows(R) Operating System
ProductVersion: 6.3.0004.1
FileDescription: Windows Service Pack Uninstall
OriginalFilename: SPUNINST.EXE
Packer: Microsoft Visual C++ v6.0
PEhash: a8ec5e4b89a39f53a29705d2a472f883fb5008c6
IMPhash: c509dbcf0dade053e5588087a4d64742
AV CA (E-Trust Ino): Win32/Zegost.CJ
AV F-Secure: Backdoor:W32/Bjlog.D
AV Dr. Web: BackDoor.Zegost.48
AV ClamAV: Trojan.Spy-76825
AV Arcabit (arcavir): Backdoor.Generic.413692
AV BullGuard: Backdoor.Generic.413692
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanPSW.Bjlog
AV CAT (quickheal): TrojanDropper.Zegost.C5
AV Trend Micro: TROJ_BJ.7C63AE6E
AV Kaspersky: Trojan-PSW.Win32.Bjlog.dtwr
AV Zillya!: Trojan.Bjlog.Win32.11358
AV Emsisoft: Backdoor.Generic.413692
AV Ikarus: Trojan-PWS.Win32.Bjlog
AV Frisk (f-prot): W32/Zegost.C.gen!Eldorado
AV Authentium: W32/Zegost.C.gen!Eldorado
AV MalwareBytes: Backdoor.Zegost
AV MicroWorld (escan): Backdoor.Generic.413692
AV Microsoft Security Essentials: TrojanDropper:Win32/Zegost.B
AV K7: Password-Stealer ( 001947491 )
AV BitDefender: Backdoor.Generic.413692
AV Fortinet: W32/Bjlog.LBY!tr.pws
AV Symantec: Trojan Horse
AV Grisoft (avg): Dropper.Generic2.ABMZ
AV Eset (nod32): Win32/Redosdru.GL
AV Alwil (avast): Zegost-D [Drp]:Zegost-E [Drp]
AV Ad-Aware: Backdoor.Generic.413692
AV Twister: Trojan.0620A8F6C2540BE5
AV Avira (antivir): TR/PSW.Bjlog.lfzb
AV Mcafee: BackDoor-CEP.gen.cn
AV Rising: Backdoor.Win32.GenFxj.c

Runtime Details:

Process
↳ C:\malware.exe

Creates File: c:\embjprivmm
Creates Process: C:\malware.exe a -sc:\malware.exe

Process
↳ C:\malware.exe a -sc:\malware.exe

Registry: HKEY_LOCAL_MACHINE\sOFtwaRe\wwkqditue\seRVicemAIN ➝
NPGetResourceParent\\x00
Registry: HKEY_LOCAL_MACHINE\sOFtwaRe\wwkqdituee\DependOnService ➝
NULL
Creates File: c:\Documents and Settings\Administrator\Local Settings\temp\lhinxgnrkh.dat
Creates File: wwkqditue
Creates File: C:\WINDOWS\system32\f5859b27.rdb
Deletes File: c:\malware.exe
Deletes File: wwkqditue
Starts Service: HidServ

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates Mutex: Global\b405763378_8086j

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1912

Process
↳ Pid 1200

Network Details:

Flows TCP: 192.168.1.1:1032 ➝ 50.117.47.24:8086

Raw Pcap
0x00000000 (00000)   63623173 744602                       cb1stF.


Strings