HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.107124 (B) (Emsisoft), Gen:Variant.Zusy.107124 (AdAware), HackTool.Win32.PassView.FD, GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, HackTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5d47da40d4e4a040d32510670990f9e7
SHA1: 5a5463f546800b9b3bb53e315405c2646309dd40
SHA256: 1b209c635aec151bffe1c779405a8473373a546ab200967d2f87e12bbab2ae61
SSDeep: 24576:umJCoHYm3ynWF cd9oEt/e2q/fZ1vzZqvlJwvc2nnQrqwL49q9T:94UYO cu/fZ1vOlti6qwE
Size: 1883648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-07-29 09:54:09
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
vbc.exe:2488
The Trojan injects its code into the following process(es):
%original file name%.exe:2748
%original file name%.exe:3612
%original file name%.exe:3492
%original file name%.exe:3488
WRPIntegrity.exe:1728
Dnscache.exe:3568
Adobe.exe:4000
Adobe.exe:1984
Adobe.exe:1804
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Dnscache.exe (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Adobe.exe (13122 bytes)
The process %original file name%.exe:3612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\aspnet_state.exe (13122 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Dnscache.exe (0 bytes)
The process %original file name%.exe:3492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\WRPIntegrity.exe (15 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Adobe.exe (0 bytes)
The process %original file name%.exe:3488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\pid.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pidloc.txt (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe (13122 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holdermail.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (0 bytes)
The process vbc.exe:2488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (2 bytes)
The process Adobe.exe:1984 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Adobe.exe (0 bytes)
The process Adobe.exe:1804 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Adobe.exe (0 bytes)
Registry activity
The process %original file name%.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:3492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:3488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\5d47da40d4e4a040d32510670990f9e7_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\5d47da40d4e4a040d32510670990f9e7_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\5d47da40d4e4a040d32510670990f9e7_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\5d47da40d4e4a040d32510670990f9e7_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\5d47da40d4e4a040d32510670990f9e7_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\5d47da40d4e4a040d32510670990f9e7_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\5d47da40d4e4a040d32510670990f9e7_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"
[HKLM\SOFTWARE\Microsoft\Tracing\5d47da40d4e4a040d32510670990f9e7_RASAPI32]
"FileDirectory" = "%windir%\tracing"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"
The process WRPIntegrity.exe:1728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Network List Service" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\WRPIntegrity.exe"
The process Dnscache.exe:3568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Network List Service" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Dnscache.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
6b69a7ecad1761f731c23d4f3cd2edb9 | c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Dnscache.exe |
2258000adf3a0ea2981ee53c3d8ab18c | c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\WRPIntegrity.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
vbc.exe:2488
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Dnscache.exe (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Adobe.exe (13122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\aspnet_state.exe (13122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\WRPIntegrity.exe (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pid.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pidloc.txt (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe (13122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (2 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Network List Service" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\WRPIntegrity.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Network List Service" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Dnscache.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: aee55 e55y ae5
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename: ehg54hy ea5yegert5asz e5ya3e5
Internal Name: drrh rdsghe ez5yyt er5e5ry5h
File Version:
File Description: Disk Memory Management
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 1510564 | 1510912 | 5.54214 | 407b63d41df5b3885fef807156b57a25 |
.rsrc | 1523712 | 371712 | 371712 | 2.56877 | 80c75c811f1af54b1ef8e43694f23687 |
.reloc | 1900544 | 12 | 512 | 0.070639 | b577f7a4e89d93a42c926a158773130f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://whatismyipaddress.com/ | 2.17.166.81 |
smtp.gmail.com | 173.194.221.108 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 59
Date: Sun, 11 Dec 2016 20:53:39 GMT
Connection: keep-alive
Access Denied (AK1). Contact support@whatismyipaddress.com
Strings from Dumps