Analysis Date: 2014-04-24 05:59:21
MD5: 8a31b9827dbb32b11dd8bf62328b2399
SHA1: c687319196e09b786936ea33d9a5671207f26bfd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Sections:
  CODE     md5: 39b611fb70d28d425c4251f0832326cd  sha1: 9f02ae35c5b9e11478d3fb13671b017de0c1469e  size: 19176
  .data    md5: ad596f651bc2863b199c0ccf4f6b8a6c  sha1: 4494ce08b72e13c99dd299a4c9b368cd61b2181c  size: 170388
  .rsrc    md5: e1a197e0b8c1581a90ea9d0293dec702  sha1: 853d1cd0d340ba701e1f42d1a24b4b2523adf941  size: 1944
  .idata2  md5: 48afb630ee1dfb5ee6d08110735d3f36  sha1: 9d5faa414b8eb41b6bcd9c90399bf17ee960d46e  size: 2048
Timestamp: 2010-07-14 22:04:13
Version info:
  LegalCopyright: (C) Microsoft Corporation. All rights reserved.
  InternalName: ntkrpamp.exe
  FileVersion: 5.2.3790.4566 (srv03_sp2_qfe.090805-1438)
  CompanyName: Microsoft Corporation
  ProductName: Microsoft(R) Windows(R) Operating System
  ProductVersion: 5.2.3790.4566
  FileDescription: NT Kernel & System
  OriginalFilename: ntkrpamp.exe
Packer / compiler signature: Microsoft Visual C++ v6.0
PEhash: e5c2ebfdc9624ef5a0d6f08cb11ca7338ba04e7b
IMPhash: 17cda6e0a78031ed6ec8f3b82410efaa
AV detections:
  clamav: Trojan.Spy-80656
  avira:  TR/PSW.Bjlog.lby.10
  avg:    Dropper.Generic2.AEOB

Note: the version resource is copied from the Windows Server 2003 SP2 multiprocessor kernel (ntkrpamp.exe, build 5.2.3790.4566). The file itself is a user-mode GUI image that imports ADVAPI32, WS2_32, SHLWAPI and USER32 (see the Strings section), and its link timestamp (2010-07-14) is almost a year after the build-lab date embedded in the version string (090805 = 2009-08-05). The metadata is spoofed and must not be used for allow-listing. The section names (CODE, .idata2) are not the defaults an MSVC 6 build emits (.text, .rdata, .idata), which suggests post-build processing of the image.
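As an added check (not part of the sandbox report), the following Python applies two triage heuristics to the static fields above: it parses the build-lab suffix Microsoft places in FileVersion and compares that date with the PE link timestamp, and it checks whether a file claiming to be a native kernel image has a user-mode subsystem and user-mode imports. The STATIC record is constructed from this page (the import list comes from the DLL names in the Strings section); the native-image prefix list, the user-mode DLL list and the 30-day tolerance are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed record of the static fields reported above.
STATIC = {
    "file_type": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit",
    "timestamp": "2010-07-14 22:04:13",
    "OriginalFilename": "ntkrpamp.exe",
    "FileVersion": "5.2.3790.4566 (srv03_sp2_qfe.090805-1438)",
    "CompanyName": "Microsoft Corporation",
    # DLL names present in the string dump of this sample
    "imports": ["ADVAPI32.dll", "KERNEL32.dll", "msvcrt.dll",
                "SHLWAPI.dll", "USER32.dll", "WS2_32.dll"],
}

# Build-lab suffix Microsoft appends to FileVersion: "(branch.yymmdd-hhmm)".
BUILD_LAB_RE = re.compile(r"\(([A-Za-z0-9_]+)\.(\d{6})-(\d{4})\)")

# Image names that are native-subsystem on a real system (assumed prefix list).
NATIVE_IMAGE_PREFIXES = ("ntoskrnl", "ntkrnl", "ntkrpa", "hal")
# DLLs a kernel image never imports (assumed list).
USER_MODE_DLLS = {"ws2_32.dll", "user32.dll", "shlwapi.dll", "msvcrt.dll"}


def parse_build_lab(file_version):
    """'5.2.3790.4566 (srv03_sp2_qfe.090805-1438)' -> ('srv03_sp2_qfe', 2009-08-05 14:38)."""
    m = BUILD_LAB_RE.search(file_version)
    if not m:
        return None
    branch, yymmdd, hhmm = m.groups()
    return branch, datetime.strptime(yymmdd + hhmm, "%y%m%d%H%M")


def version_info_findings(rec, max_skew=timedelta(days=30)):
    """Return reasons the version resource looks copied from a Microsoft binary.

    max_skew is an assumed tolerance: a genuine build's link timestamp sits
    within hours of its build-lab date, so months of difference is a signal.
    """
    findings = []
    lab = parse_build_lab(rec["FileVersion"])
    if lab:
        _, built = lab
        linked = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
        skew = abs(linked - built)
        if skew > max_skew:
            findings.append(f"link timestamp {linked:%Y-%m-%d} is {skew.days} days "
                            f"from build-lab date {built:%Y-%m-%d}")
    name = rec["OriginalFilename"].lower()
    if name.startswith(NATIVE_IMAGE_PREFIXES):
        if "(native)" not in rec["file_type"]:
            findings.append(f"{name} should be a native-subsystem image, "
                            f"file type is '{rec['file_type']}'")
        bad = sorted(d for d in rec["imports"] if d.lower() in USER_MODE_DLLS)
        if bad:
            findings.append(f"{name} should not import user-mode DLLs: {', '.join(bad)}")
    return findings


if __name__ == "__main__":
    for f in version_info_findings(STATIC):
        print("-", f)
```

Run against the record above it reports the timestamp skew, the wrong subsystem and the user-mode imports; against a genuine kernel image (native subsystem, no user-mode imports, timestamp within the tolerance) it returns an empty list.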

Runtime Details:

Screenshot: (image not included in this copy)

Process ↳ C:\malware.exe
  Creates File: c:\ecgcmdyfut
  Creates Process: C:\malware.exe a -sc:\malware.exe
  Note: the child command line matches the "%s a -s" format string in the string dump; the dropper relaunches itself with an argument that carries its own path.

Process ↳ C:\malware.exe a -sc:\malware.exe
  Registry: HKEY_LOCAL_MACHINE\sOFtwaRe\hdydtgxcpu\DependOnService ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\sOFtwaRe\hdydtgxcp\seRVicemAIN ➝ BuildTrusteeWithSidA\x00 (\x00 is the trailing NUL of the REG_SZ data)
  Creates File: c:\Documents and Settings\Administrator\Local Settings\temp\tcqopmjpum.dat
  Creates File: hdydtgxcp
  Creates File: C:\WINDOWS\system32\f5859b27.rdb
  Deletes File: hdydtgxcp
  Deletes File: c:\malware.exe
  Starts Service: HidServ
  Note: the mixed-case registry paths match the case-mangled key strings in the dump (sOFtwaRe\, seRviCes\). DependOnService and ServiceMain are the value names a service definition uses; ServiceMain (normally under a service's Parameters key) names the export svchost calls, and here it is set to the name of a genuine Advapi32 export, BuildTrusteeWithSidA, so the dropped component presumably exposes its entry point under that look-alike name. The file hdydtgxcp is created and deleted by the same process that writes these keys; together with the RegSaveKeyA/RegRestoreKeyA imports and the SeBackupPrivilege/SeRestorePrivilege strings this is consistent with staging the service definition as a hive file and restoring it over a key, so the individual values are never written through RegSetValueEx, which user-mode API monitors hook. HidServ is a legitimate netsvcs-group service on Windows XP/2003; the sample starts it right after dropping f5859b27.rdb into system32.

Process ↳ C:\WINDOWS\system32\svchost.exe
  Creates File: PIPE\lsarpc
  Creates File: \Device\Afd\Endpoint

Process ↳ Pid 812 (no events recorded)

Process ↳ Pid 856 (no events recorded)

Process ↳ C:\WINDOWS\System32\svchost.exe
  Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
  Creates File: PhysicalDrive0
  Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
  Creates File: \Device\Afd\Endpoint
  Creates File: xuuxqnycmu
  Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
  Deletes File: c:\ecgcmdyfut
  Deletes File: xuuxqnycmu
  Creates Mutex: eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18
  Creates Mutex: Global\b-259468936_2015j
  Note: this svchost instance removes the dropper's temp file c:\ecgcmdyfut, opens a Winsock endpoint and creates the Global\b-259468936_2015j mutex, so the payload is running inside it, as expected for a netsvcs ServiceDll. The "2015" in the mutex name matches the destination port of the only TCP flow recorded below. The WBEM repository and log activity belongs to the WMI service, which shares the netsvcs host process, and is not by itself an indicator. The transient file xuuxqnycmu follows the same create-then-delete pattern as hdydtgxcp above.

Process ↳ Pid 1208 (no events recorded)

Process ↳ C:\WINDOWS\system32\spoolsv.exe
  Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
  Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
  Note: ordinary print-spooler start-up activity; the report shows no link to the sample.

Process ↳ Pid 1856 (no events recorded)

Process ↳ Pid 1184 (no events recorded)

Network Details:

DNS (A records; repeated queries collapsed, addresses in order of first appearance):
  hnsyvip.f3322.org ➝ 120.209.136.240
  qup.qh-lb.com ➝ 101.226.11.123, 101.226.11.125
  qurl.qh-lb.com ➝ 220.181.131.232, 218.30.116.223
  d1z9e7acialubj.cloudfront.net ➝ 54.230.197.36, 54.239.164.252, 54.239.164.127, 54.230.198.49, 54.230.196.156, 54.230.199.75, 54.230.198.244, 54.230.199.248
  sdup.qh-lb.com ➝ 119.188.70.18, 119.188.70.19
  d1q7jy3ylnh6sp.cloudfront.net ➝ 54.239.164.55, 54.230.198.49, 54.230.196.156, 54.230.196.228, 54.230.199.183, 54.230.198.244, 54.239.164.29, 54.239.164.127
  qd-b.code.qihoo.com ➝ 218.30.118.9
  g3-b.stat.360safe.com ➝ 106.38.184.105, 106.120.168.104, 106.120.168.105, 106.120.168.106, 106.38.184.104
  locini.gslb.360safe.com ➝ 220.181.158.122, 101.226.161.214, 220.181.159.91, 220.181.150.161, 220.181.150.162, 220.181.158.139, 220.181.150.219, 220.181.158.119, 220.181.158.120, 220.181.158.121
  tr-b.p.360.cn ➝ 61.160.224.12, 61.160.224.13, 180.153.227.61, 180.153.227.168, 180.153.227.169, 180.153.227.62, 61.160.224.14, 61.160.224.11
  updateh-b.360safe.com ➝ 58.68.236.241
  www-b.360.cn ➝ 220.181.24.100
  g2-b.stat.360safe.com ➝ 106.38.184.105, 106.120.168.104, 106.120.168.105, 106.120.168.106, 106.38.184.104
  dl.qhcdn.com ➝ 222.73.145.19, 116.211.125.26
  dl.qh-lb.com ➝ 183.60.211.42, 220.181.156.77
  www.360safe.com ➝ 54.251.107.25
  softm-b.update.360safe.com ➝ 180.153.230.27, 220.181.158.159, 220.181.158.158, 106.120.168.92, 106.120.168.94, 106.120.168.93, 180.153.230.28
  softm-s.update.360safe.com ➝ 123.125.80.24, 123.125.80.23, 61.240.140.65, 61.240.140.66
  antispy.db.kingsoft.com ➝ 219.232.254.22
  bo.duba.net ➝ 119.147.146.155
  www.beike.cn ➝ 114.112.68.174
  www.duba.net ➝ 114.112.68.197
  ifr.duba.net ➝ 127.0.0.1
  rdr.kingsoft.com ➝ 219.239.93.145, 125.39.136.78
  f-signs.duba.net ➝ 121.14.11.28, 121.14.11.167
  api.pc120.com ➝ 119.147.146.126
  08911.xdwscache.glb0.lxdns.com ➝ 120.39.183.29, 38.125.163.141, 125.78.240.189, 38.125.163.139, 220.162.97.165
  yd.ecoma.glb0.lxdns.com ➝ 209.170.78.73, 209.170.78.77, 209.170.78.72
  z.rising.com.cn ➝ 211.103.159.78, 211.103.159.81, 211.103.159.79, 211.103.159.73, 211.103.159.75, 211.103.159.77, 211.103.159.83, 211.103.159.74, 211.103.159.82, 211.103.159.80, 211.103.159.76
  xnop005.tlgslb.com ➝ 125.78.248.21, 125.78.248.22, 125.78.248.93, 183.166.167.134
  m.rising.com.cn ➝ 211.103.159.167, 211.103.159.168, 211.103.159.169, 211.103.159.158, 211.103.159.159, 211.103.159.170, 211.103.159.157, 211.103.159.86, 211.103.159.161, 211.103.159.162, 211.103.159.163, 211.103.159.166, 211.103.159.155, 211.103.159.165, 211.103.159.152, 211.103.159.164, 211.103.159.154, 211.103.159.153, 211.103.159.151, 211.103.159.160
  reportq.rising.com.cn ➝ 211.103.159.109, 211.103.159.107, 211.103.159.97, 211.103.159.100, 211.103.159.101
  xnop007.tlgslb.com ➝ 122.228.251.155, 122.228.251.154
  support.eset.com.cn ➝ 42.120.44.60
  a2047.x.akamai.net.0.1.cn.akamaitech.net ➝ 62.253.3.147, 62.253.3.136, 62.253.3.177, 62.253.3.208, 62.253.3.185, 62.253.3.145, 62.253.3.194, 62.253.3.169, 62.253.3.168
  guru.avg.com ➝ 212.96.161.239
  gtm-tnt.avg.com ➝ 173.245.115.70
  gtm-self.avg.com ➝ 212.96.161.253
  gtm-hkg.avg.com ➝ 110.232.176.30
  mmi.explabs.net ➝ 204.193.144.11
  a568.d.akamai.net.0.1.cn.akamaitech.net ➝ 62.253.3.217, 62.253.3.200, 62.253.3.171, 62.253.3.186, 62.253.3.152, 62.253.3.185

DNS queries (type A) with no address recorded; the resolved -b / qh-lb hosts above appear to be their CNAME targets:
  conf.f.360.cn, qup.f.360.cn, u.qurl.f.360.cn, qurl.f.360.cn, sdup.360.cn, sdupm.360.cn, qd.code.360.cn, qd.code.qihoo.com, stat.360safe.com, stat-s.360safe.com, update.360safe.com, update-s.360safe.com, tr.p.360.cn, updateh.360safe.com, w.360.cn, stat.sd.360.cn, sdl.360safe.com, dl.360safe.com, www.360.cn, softm.update.360safe.com, f-sq.beike.cn, vc01.beike.cn, push.www.duba.net, vi.pc120.com, hd.duba.net, www.rising.com.cn, rsdownload.rising.com.cn, msginfo.rising.com.cn, rsdownauto.rising.com.cn, kaspersky.fastcdn.com, update.nai.com, gtm-nyc.avg.com, liveupdate.symantecliveupdate.com, ll002.avast.com, iau.trendmicro.com.cn
Flows: TCP 192.168.1.1:1032 ➝ 120.209.136.240:2015

Note: this is the only connection recorded. Its destination is the A record of hnsyvip.f3322.org (f3322.org is a dynamic-DNS provider), the one name in the list that belongs to neither an AV vendor nor a CDN, and the port matches the "2015" in the Global\b-259468936_2015j mutex; treat domain, IP and port together as the C2 indicator. The remaining lookups are update and telemetry hosts of 360, Kingsoft/duba, Rising, ESET, AVG, McAfee (nai.com), Symantec, Avast, Trend Micro and Kaspersky; the report does not show which process issued them, so they cannot be attributed to the sample from this data alone. ifr.duba.net resolving to 127.0.0.1 is likewise unexplained here.

Raw Pcap
0x00000000 (00000)   63623173 743102                       cb1st1.
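As an added example, not part of the report: a small parser for the Network Details format used above. It collapses repeated queries, keeps names that returned no address, and ties each recorded flow back to the name that resolved to its destination, excluding an assumed allowlist of vendor and CDN suffixes. REPORT is a constructed excerpt of the lines above in the report's own line format.

```python
import re

# Constructed excerpt of the "Network Details" section above, in the report's
# own line format: "DNS<host>" / "Type: A" / "<ip>", and "Flows TCP<src> ➝ <dst>".
REPORT = """\
DNShnsyvip.f3322.org
Type: A
120.209.136.240
DNSqup.qh-lb.com
Type: A
101.226.11.123
DNSqup.qh-lb.com
Type: A
101.226.11.125
DNSifr.duba.net
Type: A
127.0.0.1
DNSupdate.nai.com
Type: A
Flows TCP192.168.1.1:1032 ➝ 120.209.136.240:2015
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FLOW_RE = re.compile(r"^Flows (TCP|UDP)(\S+):(\d+)\s*(?:➝|->)\s*(\S+):(\d+)$")

# Assumed allowlist of vendor/CDN suffixes seen in the dump; extend as needed.
VENDOR_SUFFIXES = (".360.cn", ".360safe.com", ".qh-lb.com", ".qihoo.com",
                   ".qhcdn.com", ".duba.net", ".kingsoft.com", ".rising.com.cn",
                   ".avg.com", ".nai.com", ".avast.com", ".cloudfront.net")


def parse_network(text):
    """Return ({host: [unique IPs in order]}, [(proto, src, sport, dst, dport)])."""
    dns, flows, host = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("DNS"):
            host = line[3:]
            dns.setdefault(host, [])            # keep hosts that got no answer
        elif line.startswith("Type:"):
            continue
        elif IP_RE.match(line) and host:
            if line not in dns[host]:
                dns[host].append(line)          # collapse repeated queries
        else:
            m = FLOW_RE.match(line)
            if m:
                proto, src, sport, dst, dport = m.groups()
                flows.append((proto, src, int(sport), dst, int(dport)))
    return dns, flows


def is_vendor(host):
    return host.endswith(VENDOR_SUFFIXES)


def triage(text):
    """Correlate flows with DNS answers and separate the oddities worth a look."""
    dns, flows = parse_network(text)
    ip_to_hosts = {}
    for h, ips in dns.items():
        for ip in ips:
            ip_to_hosts.setdefault(ip, []).append(h)
    c2 = []
    for proto, _src, _sport, dst, dport in flows:
        for h in ip_to_hosts.get(dst, [dst]):   # bare IP if nothing resolved to it
            if not is_vendor(h):
                c2.append((h, dst, dport, proto))
    return {
        "c2": c2,
        "loopback": [h for h, ips in dns.items() if "127.0.0.1" in ips],
        "unanswered": sorted(h for h, ips in dns.items() if not ips),
        "dns": dns,
    }


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(k, v)
```

Feeding the full section above through triage() yields the same single C2 tuple; everything else lands in the vendor bucket or the unanswered list, which is the point of keeping the allowlist explicit rather than eyeballing several hundred lines.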


Strings

Notable entries in the raw dump that follows:
- Reversed API and service names: AecivreSnepO (OpenServiceA), AemaNyalpsiDecivreSteG (GetServiceDisplayNameA), AemaNyeKecivreSteG (GetServiceKeyNameA), Niamecivres and NIAmeciVRes (ServiceMain), eludom (module), k- exe.tsoh (host.exe -k).
- Case-mangled names and registry paths: kerNEl32, sOFtwaRe\, SOFtWaRe\, SOFTWARE\mIcRoSoFt\wINDoWS nt\currentVerSioN\sVChoST, SYSTEM\CurrentControlSet\seRviCes\; these match the mixed-case keys written at runtime.
- Service-installation fragments: %SystemRo, %sot%%\System32\svc%s %s%s%s, netsvcs / Netsvcs, ImagePath, \parameters, Description, LocalSystem, plus the CreateServiceA / ChangeServiceConfig2A / StartServiceA / DeleteService imports.
- Registry-hive and privilege APIs: SeBackupPrivilege, SeRestorePrivilege, AdjustTokenPrivileges, RegSaveKeyA, RegRestoreKeyA, RegSetKeySecurity, SHCopyKeyA, SHDeleteKeyA.
- Self-relaunch format string: %s a -s (matches the child command line under Runtime Details).
- Imported modules: ADVAPI32.dll, KERNEL32.dll, msvcrt.dll, SHLWAPI.dll, USER32.dll, WS2_32.dll; the Rich marker and the DOS stub text are standard MSVC link output.
- The version-resource strings (ntkrpamp.exe, NT Kernel & System, 5.2.3790.4566) are the spoofed metadata discussed under Static Details.

Raw dump:
U
\
\
i
R
Goba\ki
r
.X
s
......
..q
6...^.
080404B0
5.2.3790.4566
5.2.3790.4566 (srv03_sp2_qfe.090805-1438)
(C) Microsoft Corporation. All rights reserved.
CompanyName
FileDescription
FileVersion
InternalName
jjjjj
LegalCopyright
Microsoft Corporation
Microsoft(R) Windows(R) Operating System
NT Kernel & System
ntkrpamp.exe
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
'"# !>
)#."&.
;!0';0!u
<'0"499z
:;;06!<:;u
"0=+828f`}4=
0[k9aR
142mlg~U--e`dm{ffgg{:'2UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUErUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU418<;bbmmllUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
1+)#%9%(*8+5'1!/:
1j+f6Z
??1type_info@@UAE@XZ
<;1:"&u
&2C@A^
+&'$%"3
3%"<16pwN
-3>?(+6$
3Ktqq}%
3n2E|/
3Zpqq}%7
3Zpqq}%I
=4'<;2u}
4./;< ))d&-'%{~zle
,4	!)QQN%2
5=/KHIFb EBc@A^
!+61!-
-<!6"4,u
660,09///,3-/
6~r_\Ip
6%$$$y
$,715..)9-9%TUR
72301N
72@XT"#
!:'8	 %14!0	UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
 >8?$20	
82>QE/?$e
./,-*+()&'$%"# !>?<=:;8967452301NOLMJKHIFGDEBC@A^_\]Z[XYVWTURSPQnolmjkhifgdebc`a~
896^ZV]ABT-;l!/%/=.g'-' +A^62>5)*<5#t13'1q
8Ha>*-
8;!wSPQnJ8(';Mifjn>GSR
%%9<64!<:;u
<:9896
-?)9-?8:&`SPQn?	
997  !5?
9l?A`m
_acmdln
AddAccessAllowedAce
AddAce
_adjust_fdiv
AdjustTokenPrivileges
Advapi32
ADVAPI32.dll
AecivreSnepO
AemaNyalpsiDecivreSteG
AemaNyeKecivreSteG
ahW3o2
AllocateAndInitializeSid
ALM!>LS[NV
.?AVtype_info@@
AYB'!+c)$%g%)DEB+$o:*><t5=-V6$<|#3`\_B
aZaV8[
BBBBBBBBBBBBBB
BBBBBBBBBBBBq
BC@A^3
'BI\tob
bK~d|n-m
bot\{tE
bz9f<f`uO[I
!'*(#*,C@A^
c`a~u|}z=
ceoZocE
Cf_>qq
ChangeServiceConfig2A
ChangeServiceConfigA
CloseHandle
CloseServiceHandle
closesocket
CNOECEM	
_controlfp
ControlService
CopyFileA
CreateDirectoryA
CreateEventA
CreateFileA
CreateProcessA
CreateServiceA
CreateThread
CreateToolhelp32Snapshot
__CxxFrameHandler
`.data
dbg`a~
DeleteFileA
DeleteService
Description
DkkqlldIvryul[uwdg
dURb`aX]^mj7
- ((dx~yh$*EB0$4.2rnlkv:8WTUR 4$
|E2ne^
Ef]Dpq
Efm%qq
~<-+/e+&+GDEB476pljm):><x4;8R$'&@\Z]D
:,eg[XYV
ELUAPJXH]TVA
eludom
eqq6pqqq
EqualSid
eqx}eubK]ZDIN()&{TDPBMDJZNN:nH]WCQv@P01N
[Euroib
_except_handler3
exgor[J`vtosuC_rtu}zb~{{aO`sEs^LY[@FHB
ExitProcess
ExitThread
ExpandEnvironmentStringsA
ey&{P@OS !>eKyOKTPUV@P}QZT-;LMJ%<-*+j!./@A^z
+$}$F&
]f1sqqq
]f1wqqq
f66pqx
f$6pq.
f6tpqx
@fa|qqe
fatEWzm
.FB^_MN@ENAKV
f	bqqyV
f&Dqqx
fegConnectRegistryA
@fe#qqI
Ffb*qq
ffUqqx
FlashWindow
fmrqqe
fo(f}^iMP
@fORqq
@f*Ppqe&
@fp:qq
@f#;qq
f |qq3
fq qqg
FreeLibrary
FreeSid
fvvpqx
f!Wqq.
g7uqqBBB
gaa`$ode
gak#ide'ei
gbwqqBBBBBB
.g&Cqq6
gdeb?,
gdebc`a~u|}z,x
gesqqBBBBB
GetAce
GetAclInformation
GetActiveWindow
GetCommandLineA
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentThreadId
GetExitCodeThread
g||etf|bgy~
GetFileAttributesA
GetFileSecurityA
GetLastError
GetLengthSid
__getmainargs
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
getprotobynumber
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetStartupInfoA
GetSystemDirectoryA
GetTempPathA
GetTickCount
gkuqqBBBBBBBBBBBBBBB
Gq| y_
g_rqqBBBBBBBBBBB
g?rqqBBBBBBBBBBB
grwqqBBBBBB6
g'sqqBBB
g||t$oj'mnjbqlfu0|sp
g}tqqBBBBBBBBBBBBB
g:tqqBBBBBBBBBBBBBB
GU\~/,-*
g*uqqBBBBBBBBBBBBBB
g<wqqBBBBBBBBBBBB
gzrqqBBBBBBBBBBBBBB
gZsqqBBBBBBBBBBBBBB
gZtqqBBBBBBBBBBBBBB
gzvqqBBBBBBBBBBBBBB
H}Ksd`z`v@cGYEAOLM)&tAgC@KTNoNTLRT\QR452P]U`*4(jd+i("0tb04 ,+|	?)5
hlxb9'#"`qwK
ho\B;Bw
H{vwtur
~`i3'&q<vctZ
iaqqucr
@.idata2
i{d-xnxlgs
Ig@[J^TcENFTJEQKLNuVMY\^;896k
ih}ppsL1[^
IIC1-9>_
}i{|~j9sefz`
ImagePath
InitializeAcl
InitializeSecurityDescriptor
_initterm
InterlockedExchange
IsBadReadPtr
IsBadWritePtr
IsWow64Process
Jg&Bqq6
jK 6sP
J_*uzX]
kernel32
kerNEl32
kernel32.dll
KERNEL32.dll
k- exe.tsoh
kol`1+2-:3{v{gua{q|t
kpdateCrc
K\_R\BGEGSMJL
kurt;\xbvHX{pb~]@JYveM]QHVN~`OOPZ_ISTVJjGV^nAQB>'##/e8+-GDEB
LFSUAW
LJCHIF(tGB
llX%ik\labolGs%s%
LNOZLUT
LoadLibraryA
LocalAlloc
LocalSystem
LookupAccountNameA
LookupPrivilegeValueA
lSRQPWVUT[ZYX_^;D
lstrcmpi
lstrcmpiA
LYq);^A
M6pqqq
malloc
MBBBBBBBBBBBBBB
~-m(bw`v-cns1
MDSPND:_YMW
memcpy
memmove
memset
MEU>XHP
~]M^Idfgcdplmms
MoveFileA
msvcrt.dll
MSVCRT.dll
m'u~idlwebrvjxok|xbr:v}~
mzWE";
N}+*7}
ND+()&]
netsvcs
Netsvcs
Niamecivres
NIAmeciVRes
NM6pqqqM
N!&N?2
NOLavd-/
NPBK({
NPYJFFV
]NX[PHV_Y@
OBG+()&
OBG+()&V@
OB)&JWSAQT
'$%"odMdtENOwn\P7452
\ojkhif
OpenProcessToken
OpenSCManagerA
OpenServiceA
ou.(5|uz
.<,-*P
P6fobp9#
p.A,I*+()&t]VVFM!>lY^OIQMO7452r@A"&/,>"''Fb79 ")+71	
\parameters
PathFileExistsA
__p__commode
pC^_\]Z
__p__fmode
p}hi1Lsp
P_\N(8 g8-% i%3%m#.3_\]Z<,4{9-6|2&6@
P_\N:<)+?-l/i.,#-',71r>56XYV3;"<??0
pqqBBBBBBBBBBBBBB
PRGAU[
Process32First
Process32Next
PRYWQZ][
Pxzpr|ML
q6CBBByl
Q7wwa0
;qg33|
QG@\B1N<8?/*%i#56*0C@A^951?{=+$8&UR $#
qpqq]n
qqg4~pq
qqg[Bqq
qqgKpqq
qqgrpqq
qqqq}%
qqqqf/
qqqqf%
qqqqf8
qqqqfB
qqqqfd
qqqqfx
qseqhrquz|7d~g||t>rAB
QueryServiceConfigA
QueryServiceStatus
qXfutpq
qXgNtqqq
Q\XLI@WJNBGN
R6*n[g
RaiseException
rameters
	Rdyvoi
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryValueExA
RegRestoreKeyA
RegSaveKeyA
RegSetKeySecurity
RegSetValueExA
rEmOtErEgastRY
Rich);7
rpqq}%
rqqBBBBBBBBBBB
rqqqqf
Rqqqqg
rqqqqq
rqqyUOm
R@R@YN
%s a -s
SeBackupPrivilege
SeRestorePrivilege
SESSIONNAME
%SESSIONNAME%
%SESSIONNAME%\
__set_app_type
SetEnvironmentVariableA
SetFileAttributesA
SetFilePointer
SetFileSecurityA
SetSecurityDescriptorDacl
SetUnhandledExceptionFilter
__setusermatherr
SHCopyKeyA
SHDeleteKeyA
SHGetValueA
SHLWAPI.dll
SjezZ;
SleepEx
sOFtwaRe\
SOFtWaRe\
SOFTWARE\mIcRoSoFt\wINDoWS nt\currentVerSioN\sVChoST
%sot%%\System32\svc%s %s%s%s
sqqBBBBBB
sqqBBBBBB6
sqqBBBBBBBBBBB
sqqBBBBBBBBBBB6^k
sqqBBBBBBBBBBBBBB
StartServiceA
strcmp
strcpy
strncmp
SYSTEM\CurrentControlSet\seRviCes\
%SystemRo
\T (8%9k;,2GDEB*.7?359z(,6$20u0??2
TEHROE
\temp\
TEP|ks}klm)&ceqcwyq{`qtiztpqyyp|g01Nj|u
!This program cannot be run in DOS mode.
T]H@LLR>VRK[WQ]
T+Nppppppppppppp
tolower
tqqBBBBBB
tqqBBBBBB6vd
tqqBBBBBBBBBBBBBB
tqqBBBBBBBBBBBBBB6.d
tqqBBBBBBBBBBBBBB6fg
U5GX"2w
/,-*Uea\'$%"kaszh}o
U\Eqfb{kgamyht`pbthqq<=:}tmi~zpjrse
U@H !>
uMxUg(
UPdatecXc
uqqBBBBBB
uqqBBBBBBBBBBB
uqqBBBBBBBBBBBBBB
uqq| y_
USER32.dll
@uUKMYJzYA_OKABG# !>lYnRNL]Y@Ze@ZFX"*+(JafcF%%,(*.
UUUUUUUUUUUUUUTUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUebggUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU-6#&U&UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUp
|{UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
>:,<vr'UR
VRYVw{
vsqq}%
vsqq| y_
[W6@CB
WaitForSingleObject
wB;BnY
WKPIOY
won>r}sc;t|xp`}2|b1JF_YKEKL
wqqBBB
wqqBBBBBB
wqqBBBBBBBBBB6
wqqBBBBBBBBBBB6.b
WriteFile
WS2_32.dll
wsprintfA
{}*\WTUR|
X1=wHg
'X8VaZ
_XcptFilter
	XHyv%
]x]%Jq_
|xl~&{'514vcee/}pq
x|%]TUR
XVTTUR
[XX-f/_
{xyv0t
;=)?[XYVuqdRv#
Y B0!q
^>:&YI
YM]_X^J
yn`A?lW+
^yqqgKCqq6
|}z26/7;=1-;1?
~\]Z8*<7#1u
zfnao+~lttmjl
ZJAQI~z{cipFmmtsqsOxnGK|da}vw`LEK]A~OY^@EB$%"sOSJqIPX^J96kc\\`DP:&##9
ZSP=:dZ\Q^ZAZAUP**4MJ
|}z{xyvwturspq
|}z{xyvwturspqnolmjk()&'
_\]Z[XYVWTURSPQNOLMJKHIFGDEBC@A>?<=:;8967452301./,-*+()&'$%"# !
|}z{xyvwturspqnolmjkhifgdebc`a^_\]Z[XYVWTURSPQNOLMJKHIFGDEBC@A>?<=:;8967452301./,-*+()&'$%"# !
ZYZ452BT
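Added example, not from the report: a decoder for the reversed and case-mangled strings in the dump, plus a reconstruction of the svchost ImagePath from the format-string fragments. DUMP is copied from the list above; CANONICAL is a hand-picked reference list (in practice you would load the advapi32/kernel32 export tables and a list of well-known registry paths), and the netsvcs group argument to build_image_path is an assumption, since the dump does not show how the three trailing %s are filled.

```python
# Strings copied verbatim from the dump above.
DUMP = [
    "AecivreSnepO", "AemaNyalpsiDecivreSteG", "AemaNyeKecivreSteG",
    "Niamecivres", "NIAmeciVRes", "eludom", "k- exe.tsoh", "kerNEl32",
    "sOFtwaRe\\", "SOFTWARE\\mIcRoSoFt\\wINDoWS nt\\currentVerSioN\\sVChoST",
    "SYSTEM\\CurrentControlSet\\seRviCes\\", "%sot%%\\System32\\svc%s %s%s%s",
    "%SystemRo", "netsvcs", "%s a -s", "GetProcAddress", "ImagePath",
]

# Assumed reference names to test candidates against (hand-picked for the example).
CANONICAL = [
    "OpenServiceA", "GetServiceDisplayNameA", "GetServiceKeyNameA",
    "ServiceMain", "module", "host.exe -k", "kernel32", "GetProcAddress",
    "SOFTWARE\\", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost",
    "SYSTEM\\CurrentControlSet\\Services\\",
]
_BY_LOWER = {c.lower(): c for c in CANONICAL}


def decode(s):
    """Classify one string as plain, case-mangled, reversed, or unknown.

    Returns (kind, canonical). Reversal is tested case-insensitively because
    the sample combines both tricks (NIAmeciVRes -> ServiceMain).
    """
    if s in CANONICAL:
        return "plain", s
    hit = _BY_LOWER.get(s.lower())
    if hit:
        return "case-mangled", hit
    hit = _BY_LOWER.get(s[::-1].lower())
    if hit:
        return "reversed", hit
    return "unknown", None


def decode_dump(strings):
    """{original: (kind, canonical)} for every string that decodes to a known name."""
    out = {}
    for s in strings:
        kind, canon = decode(s)
        if kind != "unknown":
            out[s] = (kind, canon)
    return out


def build_image_path(group=("netsvcs", "", "")):
    """Apply the dump's wsprintf-style format string to its fragments.

    "%SystemRo" and "host.exe -k" (reversed in the dump) are the first two
    arguments; the group tuple for the last three %s is an assumption.
    """
    fmt = "%sot%%\\System32\\svc%s %s%s%s"
    return fmt % (("%SystemRo", "host.exe -k") + tuple(group))


if __name__ == "__main__":
    for original, (kind, canon) in decode_dump(DUMP).items():
        print(f"{kind:13} {original!r:55} -> {canon!r}")
    print(build_image_path())
```

Splitting the command line into "%SystemRo", "ot%", "svc", a reversed "host.exe -k" and a group name keeps the literal string "svchost.exe -k netsvcs" out of the binary, which is why a plain string scan of this sample shows only fragments; decoding before matching is what makes the service-installation intent visible.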